1. Almansoori A, Al-Emran M, Shaalan K. Exploring the Frontiers of Cybersecurity Behavior: A Systematic Review of Studies and Theories. APPLIED SCIENCES 2023; 13:5700. [DOI: 10.3390/app13095700] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 09/01/2023]
Abstract
Cybersecurity procedures and policies are prevalent countermeasures for protecting organizations from cybercrimes and security incidents. Without considering human behaviors, implementing these countermeasures will remain useless. Cybersecurity behavior has gained much attention in recent years. However, a systematic review that provides extensive insights into cybersecurity behavior through different technologies and services and covers various directions in large-scale research remains lacking. Therefore, this study retrieved and analyzed 2210 articles published on cybersecurity behavior. The retrieved articles were then thoroughly examined to meet the inclusion and exclusion criteria, in which 39 studies published between 2012 and 2021 were ultimately picked for further in-depth analysis. The main findings showed that the protection motivation theory (PMT) dominated the list of theories and models examining cybersecurity behavior. Cybersecurity behavior and intention behavior counted for the highest purpose for most studies, with fewer studies focusing on cybersecurity awareness and compliance behavior. Most examined studies were conducted in individualistic contexts with limited exposure to collectivistic societies. A total of 56% of the analyzed studies focused on the organizational level, indicating that the individual level is still in its infancy stage. To address the research gaps in cybersecurity behavior at the individual level, this review proposes a number of research agendas that can be considered in future research. This review is believed to improve our understanding by revealing the full potential of cybersecurity behavior and opening the door for further research opportunities.
Affiliation(s)
- Afrah Almansoori
  - Faculty of Engineering & IT, The British University in Dubai, Dubai P.O. Box 345015, United Arab Emirates
  - General Department of Forensic Science and Criminology, Dubai Police G.H.Q., Dubai P.O. Box 1493, United Arab Emirates
- Mostafa Al-Emran
  - Faculty of Engineering & IT, The British University in Dubai, Dubai P.O. Box 345015, United Arab Emirates
  - Department of Computer Techniques Engineering, Dijlah University College, Baghdad 00964, Iraq
- Khaled Shaalan
  - Faculty of Engineering & IT, The British University in Dubai, Dubai P.O. Box 345015, United Arab Emirates
2. Alsharida RA, Al-rimy BAS, Al-Emran M, Zainal A. A systematic review of multi perspectives on human cybersecurity behavior. TECHNOLOGY IN SOCIETY 2023; 73:102258. [DOI: 10.1016/j.techsoc.2023.102258] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.5] [Indexed: 09/01/2023]
3. Aebissa B, Dhillon G, Meshesha M. The Direct and Indirect effect of Organizational Justice on Employee Intention to Comply with Information Security Policy: The Case of Ethiopian banks. Comput Secur 2023. [DOI: 10.1016/j.cose.2023.103248] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 04/05/2023]
4. Yousuf H, Al-Emran M, Shaalan K. Evaluating Individuals’ Cybersecurity Behavior in Mobile Payment Contactless Technologies: Extending TPB with Cybersecurity Awareness. HCI FOR CYBERSECURITY, PRIVACY AND TRUST 2023:542-554. [DOI: 10.1007/978-3-031-35822-7_35] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 09/01/2023]
5. Exposing the darkness within: A review of dark personality traits, models, and measures and their relationship to insider threats. JOURNAL OF INFORMATION SECURITY AND APPLICATIONS 2022. [DOI: 10.1016/j.jisa.2022.103378] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/30/2022]
6. Wong LW, Lee VH, Tan GWH, Ooi KB, Sohal A. The role of cybersecurity and policy awareness in shifting employee compliance attitudes: Building supply chain capabilities. INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT 2022. [DOI: 10.1016/j.ijinfomgt.2022.102520] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/18/2022]
7. McGowan A, Sittig S, Bourrie D, Benton R, Iyengar S. The Intersection of Persuasive System Design and Personalization in Mobile Health: Statistical Evaluation. JMIR Mhealth Uhealth 2022; 10:e40576. [PMID: 36103226; PMCID: PMC9520383; DOI: 10.2196/40576] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 06/27/2022] [Revised: 08/04/2022] [Accepted: 08/10/2022] [Indexed: 11/13/2022]
Abstract
Background
Persuasive technology is an umbrella term that encompasses software (eg, mobile apps) or hardware (eg, smartwatches) designed to influence users to perform preferable behavior once or on a long-term basis. Considering the ubiquitous nature of mobile devices across all socioeconomic groups, user behavior modification thrives under the personalized care that persuasive technology can offer. However, there is no guidance for developing personalized persuasive technologies based on the psychological characteristics of users.
Objective
This study examined the role that psychological characteristics play in interpreted mobile health (mHealth) screen perceived persuasiveness. In addition, this study aims to explore how users’ psychological characteristics drive the perceived persuasiveness of digital health technologies in an effort to assist developers and researchers of digital health technologies by creating more engaging solutions.
Methods
An experiment was designed to evaluate how psychological characteristics (self-efficacy, health consciousness, health motivation, and the Big Five personality traits) affect the perceived persuasiveness of digital health technologies, using the persuasive system design framework. Participants (n=262) were recruited by Qualtrics International, Inc, using the web-based survey system of the XM Research Service. This experiment involved a survey-based design with a series of 25 mHealth app screens that featured the use of persuasive principles, with a focus on physical activity. Exploratory factor analysis and linear regression were used to evaluate the multifaceted needs of digital health users based on their psychological characteristics.
Results
The results imply that an individual user’s psychological characteristics (self-efficacy, health consciousness, health motivation, and extraversion) affect interpreted mHealth screen perceived persuasiveness, and combinations of persuasive principles and psychological characteristics lead to greater perceived persuasiveness. The F test (ie, ANOVA) for model 1 was significant ($F_{9,6540}=191.806$; P<.001), with an adjusted $R^2$ of 0.208, indicating that the demographic variables explained 20.8% of the variance in perceived persuasiveness. Gender was a significant predictor, with women having higher perceived persuasiveness (P=.008) relative to men. Age was a significant predictor of perceived persuasiveness with individuals aged 40 to 59 years (P<.001) and ≥60 years (P<.001). Model 2 was significant ($F_{13,6536}=341.035$; P<.001), with an adjusted $R^2$ of 0.403, indicating that the demographic variables self-efficacy, health consciousness, health motivation, and extraversion together explained 40.3% of the variance in perceived persuasiveness.
Conclusions
This study evaluates the role that psychological characteristics play in interpreted mHealth screen perceived persuasiveness. Findings indicate that self-efficacy, health consciousness, health motivation, extraversion, gender, age, and education significantly influence the perceived persuasiveness of digital health technologies. Moreover, this study showed that varying combinations of psychological characteristics and demographic variables affected the perceived persuasiveness of the primary persuasive technology category.
Affiliation(s)
- Aleise McGowan
  - School of Computing Sciences and Computer Engineering, The University of Southern Mississippi, Hattiesburg, MS, United States
- Scott Sittig
  - University of Louisiana at Lafayette, Lafayette, LA, United States
- David Bourrie
  - University of South Alabama, Mobile, AL, United States
- Ryan Benton
  - University of South Alabama, Mobile, AL, United States
8. Yazdanmehr A, Li Y, Wang J. Does stress reduce violation intention? Insights from eustress and distress processes on employee reaction to information security policies. EUR J INFORM SYST 2022. [DOI: 10.1080/0960085x.2022.2099767] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/03/2022]
Affiliation(s)
- Adel Yazdanmehr
  - Paul H. Chook Department of Information Systems and Statistics, Zicklin School of Business, Baruch College, The City University of New York
- Yuan Li
  - Department of Accounting and Information Management, Haslam College of Business, University of Tennessee, Knoxville, TN, USA
- Jingguo Wang
  - Department of Information Systems and Operations Management, University of Texas at Arlington College of Business Administration, Arlington, TX, USA
9. Lee CS, Kim D. Pathways to Cybersecurity Awareness and Protection Behaviors in South Korea. JOURNAL OF COMPUTER INFORMATION SYSTEMS 2022. [DOI: 10.1080/08874417.2022.2031347] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/19/2022]
Affiliation(s)
- Dongsim Kim
  - Hanshin University, Gyeonggi-do, South Korea
10. Protective behavior in ride-sharing through the lens of protection motivation theory and usage situation theory. INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT 2021. [DOI: 10.1016/j.ijinfomgt.2021.102402] [Citation(s) in RCA: 5] [Impact Index Per Article: 1.3] [Indexed: 10/20/2022]
11. Karim NA, Kaur J, Khalib MN. Benefit vs Cost: Examining Factors of Intention to Comply Information Security Policy. 2021 IEEE INTERNATIONAL CONFERENCE ON COMPUTING (ICOCO) 2021. [DOI: 10.1109/icoco53166.2021.9673542] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 09/01/2023]
Affiliation(s)
- Norisan Abd Karim
  - Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA, Shah Alam, Malaysia
- Jasber Kaur
  - Faculty of Computer and Mathematical Sciences, Universiti Teknologi MARA, Shah Alam, Malaysia
- Muhammad Naquib Khalib
  - Information Technology and Record Division, Immigration Department Malaysia, Putrajaya, Malaysia
12. Daengsi T, Pornpongtechavanich P, Wuttidittachotti P. Cybersecurity Awareness Enhancement: A Study of the Effects of Age and Gender of Thai Employees Associated with Phishing Attacks. EDUCATION AND INFORMATION TECHNOLOGIES 2021; 27:4729-4752. [PMID: 34803469; PMCID: PMC8591595; DOI: 10.1007/s10639-021-10806-7] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.5] [Received: 02/19/2021] [Accepted: 11/08/2021] [Indexed: 06/13/2023]
Abstract
Cybersecurity is crucial at present because cyber threats (e.g., phishing) have become a very common occurrence in everyday life. A literature review showed that there are no studies based on cybersecurity awareness which involved a large number of Thai users. Thus, this research focused on the cybersecurity awareness of approximately 20,000 nationwide employees in a large financial institution in Thailand. The study consisted of three phases, a first phishing attack, knowledge transfer through a mixed-approach and a second phishing attack with different content. After data validation and analysis of the results, it was found that the level of cybersecurity awareness of employees improved significantly. The number of employees who opened the phishing email decreased by 71.5%. Therefore, this approach could be applied to cybersecurity enhancement in other organizations and other sectors/industries. Also, it was found that gender played a significant role in cybersecurity awareness within the Thai cybersecurity ecosystem since Thai female employees were found to have a higher level of cybersecurity awareness than male employees. Furthermore, it was found that the different generations of Thai employees (Generations Y and X and Baby Boomers) did not affect cybersecurity awareness.
Affiliation(s)
- Therdpong Daengsi
  - Department of Sustainable Industrial Management Engineering, Faculty of Engineering, Rajamangala University of Technology Phra Nakhon (North Bangkok Center), Bangkok, Thailand
- Phisit Pornpongtechavanich
  - Department of Information Technology, Faculty of Industry and Technology, Rajamangala University of Technology Rattanakosin (Wang Klai Kangwon Campus), Hua Hin, Prachuap Khiri Khan, Thailand
- Pongpisit Wuttidittachotti
  - Department of Data Communication and Networking, Faculty of Information Technology and Digital Innovation, King Mongkut’s University of Technology North Bangkok, Bangkok, Thailand
13. Hu S, Hsu C, Zhou Z. The impact of SETA event attributes on employees’ security-related Intentions: An event system theory perspective. Comput Secur 2021. [DOI: 10.1016/j.cose.2021.102404] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 10/20/2022]
14. Nifakos S, Chandramouli K, Nikolaou CK, Papachristou P, Koch S, Panaousis E, Bonacina S. Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review. SENSORS 2021; 21:s21155119. [PMID: 34372354; PMCID: PMC8348467; DOI: 10.3390/s21155119] [Citation(s) in RCA: 26] [Impact Index Per Article: 6.5] [Received: 06/29/2021] [Revised: 07/15/2021] [Accepted: 07/16/2021] [Indexed: 01/05/2023]
Abstract
Background: Cybersecurity is increasingly becoming a prominent concern among healthcare providers in adopting digital technologies for improving the quality of care delivered to patients. The recent reports on cyber attacks, such as ransomware and WannaCry, have brought to life the destructive nature of such attacks upon healthcare. In complement to cyberattacks, which have been targeted against the vulnerabilities of information technology (IT) infrastructures, a new form of cyber attack aims to exploit human vulnerabilities; such attacks are categorised as social engineering attacks. Following an increase in the frequency and ingenuity of attacks launched against hospitals and clinical environments with the intention of causing service disruption, there is a strong need to study the level of awareness programmes and training activities offered to the staff by healthcare organisations.
Objective: The objective of this systematic review is to identify commonly encountered factors that cybersecurity postures of a healthcare organisation, resulting from the ignorance of cyber threat to healthcare. The systematic review aims to consolidate the current literature being reported upon human behaviour resulting in security gaps that mitigate the cyber defence strategy adopted by healthcare organisations. Additionally, the paper also reviews the organisational risk assessment methodology implemented and the policies being adopted to strengthen cybersecurity.
Methods: The topic of cybersecurity within healthcare and the clinical environment has attracted the interest of several researchers, resulting in a broad range of literature. The inclusion criteria for the articles in the review stem from the scope of the five research questions identified. To this end, we conducted seven search queries across three repositories, namely (i) PubMed®/MEDLINE; (ii) Cumulative Index to Nursing and Allied Health Literature (CINAHL); and (iii) Web of Science (WoS), using key words related to cybersecurity awareness, training, organisation risk assessment methodologies, policies and recommendations adopted as counter measures within health care. These were restricted to around the last 12 years.
Results: A total of 70 articles were selected to be included in the review, which addresses the complexity of cybersecurity measures adopted within the healthcare and clinical environments. The articles included in the review highlight the evolving nature of cybersecurity threats stemming from exploiting IT infrastructures to more advanced attacks launched with the intent of exploiting human vulnerability. A steady increase in the literature on the threat of phishing attacks evidences the growing threat of social engineering attacks. As a countermeasure, through the review, we identified articles that provide methodologies resulting from case studies to promote cybersecurity awareness among stakeholders. The articles included highlight the need to adopt cyber hygiene practices among healthcare professionals while accessing social media platforms, which forms an ideal test bed for the attackers to gain insight into the life of healthcare professionals. Additionally, the review also includes articles that present strategies adopted by healthcare organisations in countering the impact of social engineering attacks. The evaluation of the cybersecurity risk assessment of an organisation is another key area of study reported in the literature that recommends the organisation of European and international standards in countering social engineering attacks. Lastly, the review includes articles reporting on national case studies with an overview of the economic and societal impact of service disruptions encountered due to cyberattacks.
Discussion: One of the limitations of the review is the subjective ranking of the authors associated to the relevance of literature to each of the research questions identified. We also acknowledge the limited amount of literature that focuses on human factors of cybersecurity in health care in general; therefore, the search queries were formulated using well-established cybersecurity related topics categorised according to the threats, risk assessment and organisational strategies reported in the literature.
Affiliation(s)
- Sokratis Nifakos
  - Department of Learning, Informatics, Management and Ethics, Karolinska Institutet, 171 77 Solna, Sweden
  - Correspondence: Tel.: +46-73-7121-475
- Krishna Chandramouli
  - School of Electronic Engineering and Computer Science, Queen Mary University of London, London E1 4NS, UK
- Panagiotis Papachristou
  - Department of Learning, Informatics, Management and Ethics, Karolinska Institutet, 171 77 Solna, Sweden
- Sabine Koch
  - Department of Learning, Informatics, Management and Ethics, Karolinska Institutet, 171 77 Solna, Sweden
- Emmanouil Panaousis
  - School of Computing and Mathematical Sciences, University of Greenwich, London SE10 9LS, UK
- Stefano Bonacina
  - Department of Learning, Informatics, Management and Ethics, Karolinska Institutet, 171 77 Solna, Sweden
15. Hu S, Hsu C, Zhou Z. Security Education, Training, and Awareness Programs: Literature Review. JOURNAL OF COMPUTER INFORMATION SYSTEMS 2021. [DOI: 10.1080/08874417.2021.1913671] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 10/21/2022]
16. Liu C, Wang N, Liang H. Motivating information security policy compliance: The critical role of supervisor-subordinate guanxi and organizational commitment. INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT 2020. [DOI: 10.1016/j.ijinfomgt.2020.102152] [Citation(s) in RCA: 15] [Impact Index Per Article: 3.0] [Indexed: 10/24/2022]
17. Barlette Y, Jaouen A, Baillette P. Bring Your Own Device (BYOD) as reversed IT adoption: Insights into managers' coping strategies. INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT 2020; 56:102212. [PMID: 32934432; PMCID: PMC7484736; DOI: 10.1016/j.ijinfomgt.2020.102212] [Citation(s) in RCA: 11] [Impact Index Per Article: 2.2] [Received: 04/28/2020] [Revised: 08/04/2020] [Accepted: 08/04/2020] [Indexed: 11/01/2022]
Abstract
The adoption of Bring Your Own Device (BYOD), initiated by employees, refers to the provision and use of personal mobile devices and applications for both private and business purposes. This bottom-up phenomenon, not initiated by managers, corresponds to a reversed IT adoption logic that simultaneously entails business opportunities and threats. Managers are thus confronted with this unchosen BYOD usage by employees and consequently adopt different coping strategies. This research aims to investigate the adaptation strategies embraced by managers to cope with the BYOD phenomenon. To this end, we operationalized the coping model of user adaptation (CMUA) in the organizational decision-making context to conduct a survey addressing 337 top managers. Our main results indicate that the impact of the CMUA constructs varies according to the period (pre- or post-implementation). The coping strategies differ between those who have already implemented measures to regulate BYOD usage and those who have not. We contribute to theory by integrating the perception of BYOD-related opportunities and threats and by shedding light on the decisional processes in the adoption of coping strategies. The managerial contributions of this research correspond to the improved protection of corporate information and the maximization of BYOD-related benefits.
Affiliation(s)
- Yves Barlette
  - Montpellier Business School, 2300 Avenue des Moulins, 34185, Montpellier cedex 4, France
- Annabelle Jaouen
  - Montpellier Business School, 2300 Avenue des Moulins, 34185, Montpellier cedex 4, France
- Paméla Baillette
  - University of Bordeaux, IRGO Research Center, 35 Avenue Abadie, CS51412, 33072, Bordeaux cedex, France