为何员工（仍然）会点击网络钓鱼链接：医院调查

Why Employees (Still) Click on Phishing Links: Investigation in Hospitals.

作者信息

Jalali Mohammad S, Bruckes Maike, Westmattelmann Daniel, Schewe Gerhard

机构信息

Massachusetts General Hospital Institute for Technology Assessment, Harvard Medical School, Boston, MA, United States.

Massachusetts Institute of Technology Sloan School of Management, Cambridge, MA, United States.

出版信息

J Med Internet Res. 2020 Jan 23;22(1):e16775. doi: 10.2196/16775.

DOI:10.2196/16775

PMID:32012071

原文链接:https://pmc.ncbi.nlm.nih.gov/articles/PMC7005690/

Abstract

BACKGROUND

Hospitals have been one of the major targets for phishing attacks. Despite efforts to improve information security compliance, hospitals still significantly suffer from such attacks, impacting the quality of care and the safety of patients.

OBJECTIVE

This study aimed to investigate why hospital employees decide to click on phishing emails by analyzing actual clicking data.

METHODS

We first gauged the factors that influence clicking behavior using the theory of planned behavior (TPB) and integrating trust theories. We then conducted a survey in hospitals and used structural equation modeling to investigate the components of compliance intention. We matched employees' survey results with their actual clicking data from phishing campaigns.

RESULTS

Our analysis (N=397) reveals that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, are positively related to compliance intention. However, compliance intention is not significantly related to compliance behavior. Only the level of employees' workload is positively associated with the likelihood of employees clicking on a phishing link.

CONCLUSIONS

This is one of the few studies in information security and decision making that observed compliance behavior by analyzing clicking data rather than using self-reported data. We show that, in the context of phishing emails, intention and compliance might not be as strongly linked as previously assumed; hence, hospitals must remain vigilant with vulnerabilities that cannot be easily managed. Importantly, given the significant association between workload and noncompliance behavior (ie, clicking on phishing links), hospitals should better manage employees' workload to increase information security. Our findings can help health care organizations augment employees' compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.

摘要

背景

医院一直是网络钓鱼攻击的主要目标之一。尽管医院努力提高信息安全合规性，但仍深受此类攻击的严重影响，进而影响医疗质量和患者安全。

目的

本研究旨在通过分析实际点击数据，调查医院员工决定点击网络钓鱼邮件的原因。

方法

我们首先运用计划行为理论（TPB）并整合信任理论，来衡量影响点击行为的因素。然后在医院开展了一项调查，并使用结构方程模型来研究合规意图的组成部分。我们将员工的调查结果与他们在网络钓鱼活动中的实际点击数据进行了匹配。

结果

我们的分析（N = 397）表明，TPB因素（态度、主观规范和感知行为控制）以及集体感知信任和对信息安全技术的信任与合规意图呈正相关。然而，合规意图与合规行为并无显著关联。只有员工的工作量水平与员工点击网络钓鱼链接的可能性呈正相关。

结论

这是信息安全与决策领域中少数几项通过分析点击数据而非使用自我报告数据来观察合规行为的研究之一。我们表明，在网络钓鱼邮件的背景下，意图与合规之间的联系可能不像之前假设的那么紧密；因此，医院必须对难以管理的漏洞保持警惕。重要的是，鉴于工作量与违规行为（即点击网络钓鱼链接）之间存在显著关联，医院应更好地管理员工的工作量以提高信息安全。我们的研究结果可帮助医疗保健组织增强员工对其网络安全政策的合规性，并降低点击网络钓鱼链接的可能性。

https://cdn.ncbi.nlm.nih.gov/pmc/blobs/6d69/7005690/edbc143ceea9/jmir_v22i1e16775_fig1.jpg

相似文献

Why Employees (Still) Click on Phishing Links: Investigation in Hospitals.

J Med Internet Res. 2020 Jan 23;22(1):e16775. doi: 10.2196/16775.

Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions.

JAMA Netw Open. 2019 Mar 1;2(3):e190393. doi: 10.1001/jamanetworkopen.2019.0393.

Evaluation of a mandatory phishing training program for high-risk employees at a US healthcare system.

J Am Med Inform Assoc. 2019 Jun 1;26(6):547-552. doi: 10.1093/jamia/ocz005.

The Role of Health Concerns in Phishing Susceptibility: Survey Design Study.

J Med Internet Res. 2020 May 4;22(5):e18394. doi: 10.2196/18394.

Phishing in healthcare organisations: threats, mitigation and approaches.

BMJ Health Care Inform. 2019 Sep;26(1). doi: 10.1136/bmjhci-2019-100031.

Informing, simulating experience, or both: A field experiment on phishing risks.

PLoS One. 2019 Dec 18;14(12):e0224216. doi: 10.1371/journal.pone.0224216. eCollection 2019.

An Investigation of Employees' Intention to Comply with Information Security System-A Mixed Approach Based on Regression Analysis and fsQCA.

Int J Environ Res Public Health. 2022 Nov 30;19(23):16038. doi: 10.3390/ijerph192316038.

Signal Detection Theory (SDT) Is Effective for Modeling User Behavior Toward Phishing and Spear-Phishing Attacks.

Hum Factors. 2018 Dec;60(8):1179-1191. doi: 10.1177/0018720818789818. Epub 2018 Jul 31.

So Many Phish, So Little Time: Exploring Email Task Factors and Phishing Susceptibility.

Hum Factors. 2022 Dec;64(8):1379-1403. doi: 10.1177/0018720821999174. Epub 2021 Apr 9.

The Phishing Email Suspicion Test (PEST) a lab-based task for evaluating the cognitive mechanisms of phishing detection.

Behav Res Methods. 2021 Jun;53(3):1342-1352. doi: 10.3758/s13428-020-01495-0. Epub 2020 Oct 19.

引用本文的文献

Prompt injection attacks on vision language models in oncology.

Nat Commun. 2025 Feb 1;16(1):1239. doi: 10.1038/s41467-024-55631-x.

Factors Influencing Telemedicine Adoption Among Health Care Professionals: Qualitative Interview Study.

JMIR Form Res. 2025 Jan 27;9:e54777. doi: 10.2196/54777.

Legal implications for clinicians in cybersecurity incidents: A review.

Medicine (Baltimore). 2024 Sep 27;103(39):e39887. doi: 10.1097/MD.0000000000039887.

Cyber Hygiene Methodology for Raising Cybersecurity and Data Privacy Awareness in Health Care Organizations: Concept Study.

J Med Internet Res. 2023 Jul 27;25:e41294. doi: 10.2196/41294.

The impact of lecture playback speeds on concentration and memory.

BMC Med Educ. 2023 Jul 18;23(1):515. doi: 10.1186/s12909-023-04491-y.

State-of-the-art session key generation on priority-based adaptive neural machine (PANM) in telemedicine.

Neural Comput Appl. 2023;35(13):9517-9533. doi: 10.1007/s00521-022-08169-2. Epub 2023 Mar 22.

Information Security Behavior in Health Information Systems: A Review of Research Trends and Antecedent Factors.

Healthcare (Basel). 2022 Dec 14;10(12):2531. doi: 10.3390/healthcare10122531.

Hospital cybersecurity risks and gaps: Review (for the non-cyber professional).

Front Digit Health. 2022 Aug 11;4:862221. doi: 10.3389/fdgth.2022.862221. eCollection 2022.

The COVID-19 scamdemic: A survey of phishing attacks and their countermeasures during COVID-19.

IET Inf Secur. 2022 Sep;16(5):324-345. doi: 10.1049/ise2.12073. Epub 2022 Jul 4.

Phishing simulation exercise in a large hospital: A case study.

Digit Health. 2022 Mar 16;8:20552076221081716. doi: 10.1177/20552076221081716. eCollection 2022 Jan-Dec.

本文引用的文献

European Hospitals' Transition Toward Fully Electronic-Based Systems: Do Information Technology Security and Privacy Practices Follow?

JMIR Med Inform. 2019 Mar 25;7(1):e11211. doi: 10.2196/11211.

Evaluation of a mandatory phishing training program for high-risk employees at a US healthcare system.

J Am Med Inform Assoc. 2019 Jun 1;26(6):547-552. doi: 10.1093/jamia/ocz005.

Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions.

JAMA Netw Open. 2019 Mar 1;2(3):e190393. doi: 10.1001/jamanetworkopen.2019.0393.

Health Care and Cybersecurity: Bibliometric Analysis of the Literature.

J Med Internet Res. 2019 Feb 15;21(2):e12644. doi: 10.2196/12644.

EARS to cyber incidents in health care.

J Am Med Inform Assoc. 2019 Jan 1;26(1):81-90. doi: 10.1093/jamia/ocy148.

Cybersecurity: Positive Changes Through Processes and Team Culture.

Front Health Serv Manage. 2018 Fall;35(1):3-12. doi: 10.1097/HAP.0000000000000038.

Cybersecurity in healthcare: A narrative review of trends, threats and ways forward.

Maturitas. 2018 Jul;113:48-52. doi: 10.1016/j.maturitas.2018.04.008. Epub 2018 Apr 22.

Cybersecurity in Hospitals: A Systematic, Organizational Perspective.

J Med Internet Res. 2018 May 28;20(5):e10059. doi: 10.2196/10059.

Creative Persuasion: A Study on Adversarial Behaviors and Strategies in Phishing Attacks.

Front Psychol. 2018 Feb 21;9:135. doi: 10.3389/fpsyg.2018.00135. eCollection 2018.

Safeguarding Confidentiality in Electronic Health Records.

Camb Q Healthc Ethics. 2017 Apr;26(2):337-341. doi: 10.1017/S0963180116000931.

文献AI研究员

20分钟写一篇综述，助力文献阅读效率提升50倍。

立即体验

用中文搜PubMed

大模型驱动的PubMed中文搜索引擎

马上搜索

文档翻译

学术文献翻译模型，支持多种主流文档格式。

立即体验

为何员工（仍然）会点击网络钓鱼链接：医院调查

Why Employees (Still) Click on Phishing Links: Investigation in Hospitals.

作者信息

机构信息

出版信息

BACKGROUND

OBJECTIVE

METHODS

RESULTS

CONCLUSIONS

背景

目的

方法

结果

结论

相似文献

引用本文的文献

本文引用的文献

文献AI研究员

用中文搜PubMed

文档翻译

Suppr 超能文献

相似文献

引用本文的文献

本文引用的文献