Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals-Reference-Cited by-同舟云学术

Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals

Published:2020-01-24 Issue:1 Volume:22 Page:e16775
ISSN:1438-8871
Container-title:Journal of Medical Internet Research
language:en
Short-container-title:J Med Internet Res

Author:

Jalali Mohammad S^ORCID,Bruckes Maike^ORCID,Westmattelmann Daniel^ORCID,Schewe Gerhard^ORCID

Abstract

Background Hospitals have been one of the major targets for phishing attacks. Despite efforts to improve information security compliance, hospitals still significantly suffer from such attacks, impacting the quality of care and the safety of patients. Objective This study aimed to investigate why hospital employees decide to click on phishing emails by analyzing actual clicking data. Methods We first gauged the factors that influence clicking behavior using the theory of planned behavior (TPB) and integrating trust theories. We then conducted a survey in hospitals and used structural equation modeling to investigate the components of compliance intention. We matched employees’ survey results with their actual clicking data from phishing campaigns. Results Our analysis (N=397) reveals that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, are positively related to compliance intention. However, compliance intention is not significantly related to compliance behavior. Only the level of employees’ workload is positively associated with the likelihood of employees clicking on a phishing link. Conclusions This is one of the few studies in information security and decision making that observed compliance behavior by analyzing clicking data rather than using self-reported data. We show that, in the context of phishing emails, intention and compliance might not be as strongly linked as previously assumed; hence, hospitals must remain vigilant with vulnerabilities that cannot be easily managed. Importantly, given the significant association between workload and noncompliance behavior (ie, clicking on phishing links), hospitals should better manage employees’ workload to increase information security. Our findings can help health care organizations augment employees’ compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.

Publisher

JMIR Publications Inc.

Subject

Health Informatics

Reference77 articles.

1. Cybersecurity in healthcare: A narrative review of trends, threats and ways forward

2. Cybersecurity in Hospitals: A Systematic, Organizational Perspective

3. Health Care and Cybersecurity: Bibliometric Analysis of the Literature

4. EARS to cyber incidents in health care

5. Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions

Cited by 60 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Hey “CSIRI”, should I report this? Investigating the factors that influence employees to report cyber security incidents in the workplace;Information & Computer Security;2024-08-16

2. The (Relative) Impact of Email Cues on the Perceived Threat of Phishing Attacks: A User Perspective on Phishing Deceptiveness;2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW);2024-07-08

3. The influence of work overload on cybersecurity behavior: A moderated mediation model of psychological contract breach, burnout, and self-efficacy in AI learning such as ChatGPT;Technology in Society;2024-06

4. Comparative Study on Online Security Awareness and Behavior Among Healthcare Professionals in Croatia;2024 47th MIPRO ICT and Electronics Convention (MIPRO);2024-05-20

5. What goes around comes around: an in-depth analysis of how respondents interpret ISP non-/compliance questionnaire items;Information & Computer Security;2024-04-26