The paper uses a case study research approach to define how an employee-based risk management strategy, such as employee information security training, employee motivation, and quality assurance, can be used to reduce security incidents in a Canadian PHIPA-regulated environment. During the research, information security professionals and employees were asked direct questions aimed at understanding why internal data breaches recur, and how users perceive and understand existing security policies, processes, and their role in protecting information in their work environment. Using a qualitative case study research design, data was collected from a small but targeted group of information security professionals and employees within healthcare organization in Ontario. The gathered data was analyzed to identify the main causes of security incidents and what organizations in the healthcare field can do to better involve their employees in reducing breaches and incidents. The recommendations made by this research paper have the potential to influence an organization’s culture and employee behaviour. The main goal of this paper was to develop an employee-based risk management strategy for enterprise-level risk management focused on positively influencing employee behaviour.