Management Information Systems Quarterly
Abstract
A widely accepted notion in cybersecurity practice and research posits that complexity is detrimental to cybersecurity. While this notion mainly focuses on IT, the prevalence of complexity extends beyond IT into organizational domains. Whether the assertion that complexity is detrimental to cybersecurity holds true when applied to organizational domains remains largely unexplored. Moreover, “complexity” and “complicatedness” are often used interchangeably to refer to a large number of interconnected components. We build on complexity science to distinguish the two terms: complexity arises from ad hoc, nonlinear interactions among interconnected components, whereas complicatedness arises from structured, linear interactions. The field lacks sufficient understanding of these distinctions and their implications for cybersecurity risks and mitigations. We theorize how an organization’s complicatedness and complexity in both IT and organizational domains influence cybersecurity breaches. Our context of empirical inquiry is multihospital systems (MHSs), a complex organizational form that uses IT in complex ways. Drawing on complexity science, we posit that complicatedness in medical services, health IT, and the governance arrangements of an MHS increases cybersecurity breaches. We also posit that using enterprise-wide data analytics platforms (EWDAPs) to structure and control ad hoc information sharing practices of the complicated units can reduce breaches despite adding more technology components and dependencies to enterprise IT. We tested these ideas in a sample of 445 MHSs in the U.S. spanning from 2009 to 2017. Complicatedness in medical services, health IT, and governance stands out as the primary contributor to cybersecurity breaches in MHSs. Ad hoc, nonlinear interactions contribute to complexity and exacerbate the cybersecurity breach effects of complicatedness. In contrast, structured interactions, exemplified by patient data sharing through an EWDAP, achieve simplification and mitigate the cybersecurity breaches associated with complicatedness.
