1. Hore K, Hoi Tan M, Kehoe A, Beegan A, Mason S, Al Mane N, Hughes D, Kelly C, Wells J, Magner C. Cybersecurity and critical care staff: A mixed methods study. Int J Med Inform 2024; 185:105412. PMID: 38492407. DOI: 10.1016/j.ijmedinf.2024.105412. Received 12/04/2023; revised 02/19/2024; accepted 03/11/2024; indexed 03/18/2024. Citations in RCA: 0.
Abstract
Introduction
Cyberattacks on healthcare organisations are becoming increasingly common and represent a growing threat to patient safety. The majority of breaches in cybersecurity have been attributed to human error. Intensive care departments are particularly vulnerable to cyberattacks. The aim of this study was to investigate cybersecurity awareness, knowledge and behaviours among critical care staff.
Methods
This was a multi-site cross-sectional survey study administered to critical care staff. Cybersecurity awareness was evaluated using the validated HAIS-Q instrument. Knowledge and behaviours were evaluated by direct questioning and scenario-based multiple-choice questions. Free text options were also offered to respondents. Thematic analysis was performed on free text sections.
Results
Median scores of 12-15 in each of the HAIS-Q focus areas were achieved, indicating high levels of cybersecurity awareness among critical care staff. However, self-reported confidence in cybersecurity practices, especially in identifying signs of cybersecurity breaches and reporting cybersecurity incidents, was relatively low. Participants' responses to the scenarios demonstrated a lack of knowledge and awareness of some of the mechanisms of cyberattacks. Barriers to safe cybersecurity practices among staff that emerged from the qualitative analysis included: a lack of training and education; heavy workloads and staff fatigue; and a perceived lack of IT support and poor IT infrastructure.
Conclusion
Critical care staff appear to have a high level of cybersecurity awareness. However, in practice safe cybersecurity practices are not always followed. ICU departments and hospitals must invest in the human aspect of cybersecurity to strengthen their cyber-defences and to protect patients.
Affiliations
- Kevin Hore: Paediatric Intensive Care Unit, Children's Health Ireland at Crumlin, Dublin, Ireland
- Mong Hoi Tan: Paediatric Intensive Care Unit, Children's Health Ireland at Crumlin, Dublin, Ireland
- Anne Kehoe: Department of Psychology, Children's Health Ireland at Crumlin, Dublin, Ireland
- Aidan Beegan: Department of Research & Innovation, Children's Health Ireland, Dublin, Ireland
- Sabina Mason: Intensive Care Unit, Tallaght University Hospital, Dublin, Ireland
- Nader Al Mane: Intensive Care Unit, Naas General Hospital, Naas, Ireland
- Deirdre Hughes: Paediatric Intensive Care Unit, Children's Health Ireland at Temple Street, Dublin, Ireland
- Caroline Kelly: Department of Nursing, Children's Health Ireland at Crumlin, Dublin, Ireland
- John Wells: Department of Nursing, School of Health Sciences, South East Technological University, Waterford, Ireland
- Claire Magner: School of Nursing, Midwifery & Health Systems, University College Dublin, Ireland

2. Stewart H. Digital Transformation Security Challenges. Journal of Computer Information Systems 2022. DOI: 10.1080/08874417.2022.2115953. Indexed 10/14/2022. Citations in RCA: 0.

3. Investigation into Phishing Risk Behaviour among Healthcare Staff. Information 2022. DOI: 10.3390/info13080392. Indexed 11/17/2022. Citations in RCA: 0. Open access.
Abstract
A phishing attack is one of the less complicated ways to circumvent sophisticated technical security measures. It is often used to exploit psychological (as well as other) factors of human users to succeed in social engineering attacks, including ransomware. Guided by the state of the art in phishing simulation studies in healthcare and after deeply assessing the ethical dilemmas, an SMS-based phishing simulation was conducted among healthcare workers in Ghana. The study adopted an in-the-wild study approach alongside quantitative and qualitative surveys. From the state-of-the-art studies, the in-the-wild study approach was the most commonly used method as compared to laboratory-based experiments and statistical surveys because its findings are generally reliable and effective. The attack results also showed that 61% of the targeted healthcare staff were susceptible, and some of the healthcare staff were not victims of the attack because they prioritized patient care and were not susceptible to the simulated phishing attack. Through structural equation modelling, the workload was estimated to have a significant effect on self-efficacy risk (r = 0.5, p-value = 0.05) and work emergency predicted a perceived barrier in the reverse direction at a substantial level of r = −0.46, p-value = 0.00. Additionally, Pearson's correlation showed that the perceived barrier was a predictor of self-reported security behaviour in phishing attacks among healthcare staff. As a result, various suggestions, including an extra workload-balancing layer of security controls in emergency departments and better security training, were made to enhance staff's conscious care behaviour.

4. Stewart H. The hindrance of cloud computing acceptance within the financial sectors in Germany. Information and Computer Security 2022. DOI: 10.1108/ics-01-2021-0002. Indexed 12/17/2022. Citations in RCA: 3.
Abstract
Purpose
The purpose of this study is to develop a model called “IaaS adoption” to identify the various challenges and precise implications that hinder the adoption of infrastructure as a service (IaaS) in Germany.
Design/methodology/approach
The model was validated by an online survey of 208 bank employees.
Findings
The study found that the nine-five-circle factors (data security, risk and trust) and other factors proved to be statistically significant challenges for IaaS acceptance among banks in Germany.
Originality/value
The adoption of cloud technology and its advantages is still a critical issue for the conventional banking sectors in Germany.

5. Amankwa E, Loock M, Kritzinger E. The determinants of an information security policy compliance culture in organisations: the combined effects of organisational and behavioural factors. Information and Computer Security 2022. DOI: 10.1108/ics-10-2021-0169. Indexed 11/17/2022. Citations in RCA: 0.
Abstract
Purpose
This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security policy compliance culture (ISPCC) in organisations.
Design/methodology/approach
Based on factors derived from the organisational culture theory, social bond theory and accountability theory, a testable research model was developed and evaluated in an online survey that involves the use of a questionnaire to collect quantitative data from 313 employees, from ten different organisations in Ghana. The data collected were analysed using the partial least squares-structural equation modelling approach, involving the measurement and structural model tests.
Findings
The study reveals that the individual measures of accountability – identifiability (2.4%), expectations of evaluation (38.8%), awareness of monitoring (55.7%) and social presence (−41.2%) – had weak to moderate effects on employees’ attitudes towards information security policy compliance. However, the combined effect showed a significant influence. In addition, organisational factors – supportive organisational culture (15%), security compliance leadership (2%) and user involvement (63%) – showed positive effects on employees’ attitudes. Further, employees’ attitudes had a substantial influence (65%), while behavioural intentions demonstrated a weak effect (24%) on the establishment of an ISPCC in the organisation. The combined effect also had a substantial statistical influence on the establishment of an ISPCC in the organisation.
Practical implications
Given the findings of the study, information security practitioners should implement organisational and behavioural factors that will have an impact on compliance, in tandem, with the organisational effort to build a culture of compliance for information security policies.
Originality/value
The study provides new insights on how to address the problem of non-compliance with regard to the information security policy in organisations through the combined application of organisational and behavioural factors to establish an information security policy compliance culture, which has not been considered in any past research.

6. A systematic framework to explore the determinants of information security policy development and outcomes. Information and Computer Security 2022. DOI: 10.1108/ics-06-2021-0076. Indexed 11/17/2022. Citations in RCA: 1.
Abstract
Purpose
This paper aims to develop an effective information security policy (ISP), which is an important mechanism to combat insider threats.
Design/methodology/approach
A general framework based on the Nine-Five-circle was proposed for developing, implementing and evaluating an organisation's ISP.
Findings
The proposed framework outlines the steps involved in developing, implementing and evaluating a successful ISP.
Research limitations/implications
The study took place in Germany, and most of the data was collected virtually due to the different locations of the organisation.
Practical implications
In practice, this study can be a guide for managers to design a robust ISP that employees will read and follow.
Social implications
Employee compliance with the ISP is a critical aspect in any organisation and therefore a rigorous strategy based on a systematic approach is required.
Originality/value
The main contribution of the paper is the application of a comprehensive and coherent model that can be the first step in defining a “checklist” for creating and managing ISPs.

7. Al-Harrasi A, Shaikh AK, Al-Badi A. Towards protecting organisations' data by preventing data theft by malicious insiders. International Journal of Organizational Analysis 2021. DOI: 10.1108/ijoa-01-2021-2598. Indexed 11/17/2022. Citations in RCA: 1.
Abstract
Purpose
One of the most important Information Security (IS) concerns nowadays is data theft or data leakage. To mitigate this type of risk, organisations use a solid infrastructure and deploy multiple layers of security protection technology and protocols such as firewalls, VPNs and IPsec VPN. However, these technologies do not guarantee data protection, and especially from insiders. Insider threat is a critical risk that can cause harm to the organisation through data theft. The main purpose of this study was to investigate and identify the threats related to data theft caused by insiders in organisations and explore the efforts made by them to control data leakage.
Design/methodology/approach
The study proposed a conceptual model to protect organisations’ data by preventing data theft by malicious insiders. The researchers conducted a comprehensive literature review to achieve the objectives of this study. The collection of the data for this study is based on earlier studies conducted by several researchers from January 2011 to December 2020. All the selected literature is from journal articles, conference articles and conference proceedings using various databases.
Findings
The study revealed three main findings: first, the main risks inherent in data theft are financial fraud, intellectual property theft, and sabotage of IT infrastructure. Second, there are still some organisations that are not considering data theft by insiders as being a severe risk that should be well controlled. Lastly, the main factors motivating the insiders to perform data leakage activities are financial gain, lack of fairness and justice in the workplace, the psychology or characteristics of the insiders, new technologies, lack of education and awareness and lack of management tools for understanding insider threats.
Originality/value
The study provides a holistic view of data theft by insiders, focusing on the problem from an organisational point of view. Organisations can therefore take into consideration our recommendations to reduce the risks of data leakage by their employees.

8. The impact of information security initiatives on supply chain robustness and performance: an empirical study. Information and Computer Security 2021. DOI: 10.1108/ics-07-2020-0128. Indexed 11/17/2022. Citations in RCA: 0.
Abstract
Purpose
Information security is an essential element in all business activities. The damage to businesses from information security breaches has become pervasive. The scope of information security has widened as information has become a critical supply chain asset, making it more important to protect the organization’s data. Today’s global supply chains rely upon the speedy and robust dissemination of information among supply chain partners. Hence, processing of accurate supply chain information is quintessential to ensure the robustness and performance of supply chains. An effective information security management (ISM) is deemed to ensure the robustness of supply chains. The purpose of the paper is to examine the impact of information security initiatives on supply chain robustness and performance.
Design/methodology/approach
Based on extant literature, a research model was developed and validated using a questionnaire survey instrument administered among information systems/information technology managers. Data collected were analyzed using exploratory and confirmatory factor analysis. Further, to test the hypotheses and to fit the theoretical model, Structural equation modeling techniques were used.
Findings
Results of this study indicated that information security initiatives are positively associated with supply chain robustness and performance. These initiatives are likely to enhance the robustness and performance of the supply chains.
Originality/value
With the advancements in internet technologies and capabilities as well as considering the dynamic environment of supply chains, this study is relevant in terms of the capability that an organization needs to acquire with regards to ISM. Benefiting from the resource dependency theory, information security initiatives could be considered as a critical resource having an influence on the internal and external environment of supply chains.

9. An interdisciplinary view of social engineering: A call to action for research. Computers in Human Behavior Reports 2021. DOI: 10.1016/j.chbr.2021.100126. Indexed 11/20/2022. Citations in RCA: 2. Open access.

10. Khatib R, Barki H. An activity theory approach to information security non-compliance. Information and Computer Security 2020. DOI: 10.1108/ics-11-2018-0128. Indexed 11/17/2022. Citations in RCA: 3.
Abstract
Purpose
The purpose of this paper is to introduce activity theory (AT) as a new theoretical lens to the field of information security non-compliance by explaining how research in that field can benefit from AT and to suggest eight propositions for future research.
Design/methodology/approach
Based on AT, the paper suggests that employees, IT systems, task characteristics, information security policies (ISPs), community and division of labor can be viewed to form an ensemble that is labeled activity. Their characteristics and/or the relationships that exist between them in organizational contexts are hypothesized to influence non-compliance behaviors.
Findings
The paper suggests that AT provides a broad lens that can be useful for explaining a large variety of non-compliant behaviors related to information security.
Research limitations/implications
The paper focuses only on non-compliant behaviors that employees undertake with non-malicious intentions and offers avenues for future research based on the propositions that are developed in the paper.
Originality/value
The paper provides a useful step toward a better understanding of non-compliant ISP behaviors. In addition, it proposes and explains new research areas in the non-compliance field.

11. Schinagl S, Shahim A. What do we know about information security governance? Information and Computer Security 2020. DOI: 10.1108/ics-02-2019-0033. Indexed 11/17/2022. Citations in RCA: 9.
Abstract
Purpose
This paper aims to review the information security governance (ISG) literature and emphasises the tensions that exist at the intersection of the rapidly changing business climate and the current body of knowledge on ISG.
Design/methodology/approach
The intention of the authors was to conduct a systematic literature review. However, owing to limited empirical papers in ISG research, this paper is more conceptually organised.
Findings
This paper shows that security has shifted from a narrow-focused isolated issue towards a strategic business issue with “from the basement to the boardroom” implications. The key takeaway is that protecting the organisation is important, but organizations must also develop strategies to ensure resilient businesses to take advantage of the opportunities that digitalization can bring.
Research limitations/implications
The concept of DSG is a new research territory that addresses the limitations and gaps of traditional ISG approaches in a digital context. To this extent, organisational theories are suggested to help build knowledge that offers a deeper understanding than that provided by the too often used practical approaches in ISG research.
Practical implications
This paper supports practitioners and decision makers by providing a deeper understanding of how organisations and their security approaches are actually affected by digitalisation.
Social implications
This paper helps individuals to understand that they have increasing rights with regard to privacy and security and a say in what parties they assign business to.
Originality/value
This paper makes a novel contribution to ISG research. To the authors’ knowledge, this is the first attempt to review and structure the ISG literature.

12. Evans MG, He Y, Yevseyeva I, Janicke H. Published incidents and their proportions of human error. Information and Computer Security 2019. DOI: 10.1108/ics-12-2018-0147. Indexed 11/17/2022. Citations in RCA: 6.
Abstract
Purpose
This paper aims to provide an understanding of the proportions of incidents that relate to human error. The information security field experiences a continuous stream of information security incidents and breaches, which are publicised by the media, public bodies and regulators. Despite the need for information security practices being recognised and in existence for some time, the underlying general information security affecting tasks and causes of these incidents and breaches are not consistently understood, particularly with regard to human error.
Design/methodology/approach
This paper analyses recent published incidents and breaches to establish the proportions of human error and where possible subsequently uses the HEART (human error assessment and reduction technique) human reliability analysis technique, which is established within the safety field.
Findings
This analysis provides an understanding of the proportions of incidents and breaches that relate to human error, as well as the common types of tasks that result in these incidents and breaches through adoption of methods applied within the safety field.
Originality/value
This research provides original contribution to knowledge through the analysis of recent public sector information security incidents and breaches to understand the proportions that relate to human error.