Jalali Mohammad S, Bruckes Maike, Westmattelmann Daniel, Schewe Gerhard
Massachusetts General Hospital Institute for Technology Assessment, Harvard Medical School, Boston, MA, United States.
Massachusetts Institute of Technology Sloan School of Management, Cambridge, MA, United States.
J Med Internet Res. 2020 Jan 23;22(1):e16775. doi: 10.2196/16775.
Hospitals have been one of the major targets for phishing attacks. Despite efforts to improve information security compliance, hospitals still significantly suffer from such attacks, impacting the quality of care and the safety of patients.
This study aimed to investigate why hospital employees decide to click on phishing emails by analyzing actual clicking data.
We first gauged the factors that influence clicking behavior using the theory of planned behavior (TPB) and integrating trust theories. We then conducted a survey in hospitals and used structural equation modeling to investigate the components of compliance intention. We matched employees' survey results with their actual clicking data from phishing campaigns.
Our analysis (N=397) reveals that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, are positively related to compliance intention. However, compliance intention is not significantly related to compliance behavior. Only the level of employees' workload is positively associated with the likelihood of employees clicking on a phishing link.
This is one of the few studies in information security and decision making that observed compliance behavior by analyzing clicking data rather than using self-reported data. We show that, in the context of phishing emails, intention and compliance might not be as strongly linked as previously assumed; hence, hospitals must remain vigilant with vulnerabilities that cannot be easily managed. Importantly, given the significant association between workload and noncompliance behavior (ie, clicking on phishing links), hospitals should better manage employees' workload to increase information security. Our findings can help health care organizations augment employees' compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.
医院一直是网络钓鱼攻击的主要目标之一。尽管医院努力提高信息安全合规性,但仍深受此类攻击的严重影响,进而影响医疗质量和患者安全。
本研究旨在通过分析实际点击数据,调查医院员工决定点击网络钓鱼邮件的原因。
我们首先运用计划行为理论(TPB)并整合信任理论,来衡量影响点击行为的因素。然后在医院开展了一项调查,并使用结构方程模型来研究合规意图的组成部分。我们将员工的调查结果与他们在网络钓鱼活动中的实际点击数据进行了匹配。
我们的分析(N = 397)表明,TPB因素(态度、主观规范和感知行为控制)以及集体感知信任和对信息安全技术的信任与合规意图呈正相关。然而,合规意图与合规行为并无显著关联。只有员工的工作量水平与员工点击网络钓鱼链接的可能性呈正相关。
这是信息安全与决策领域中少数几项通过分析点击数据而非使用自我报告数据来观察合规行为的研究之一。我们表明,在网络钓鱼邮件的背景下,意图与合规之间的联系可能不像之前假设的那么紧密;因此,医院必须对难以管理的漏洞保持警惕。重要的是,鉴于工作量与违规行为(即点击网络钓鱼链接)之间存在显著关联,医院应更好地管理员工的工作量以提高信息安全。我们的研究结果可帮助医疗保健组织增强员工对其网络安全政策的合规性,并降低点击网络钓鱼链接的可能性。
