Background Hospitals have been one of the major targets for phishing attacks. Despite efforts to improve information security compliance, hospitals still significantly suffer from such attacks, impacting the quality of care and the safety of patients. Objective This study aimed to investigate why hospital employees decide to click on phishing emails by analyzing actual clicking data. Methods We first gauged the factors that influence clicking behavior using the theory of planned behavior (TPB) and integrating trust theories. We then conducted a survey in hospitals and used structural equation modeling to investigate the components of compliance intention. We matched employees’ survey results with their actual clicking data from phishing campaigns. Results Our analysis (N=397) reveals that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, are positively related to compliance intention. However, compliance intention is not significantly related to compliance behavior. Only the level of employees’ workload is positively associated with the likelihood of employees clicking on a phishing link. Conclusions This is one of the few studies in information security and decision making that observed compliance behavior by analyzing clicking data rather than using self-reported data. We show that, in the context of phishing emails, intention and compliance might not be as strongly linked as previously assumed; hence, hospitals must remain vigilant with vulnerabilities that cannot be easily managed. Importantly, given the significant association between workload and noncompliance behavior (ie, clicking on phishing links), hospitals should better manage employees’ workload to increase information security. Our findings can help health care organizations augment employees’ compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.
Background: Hospitals have been one of the major targets for phishing attacks. Despite efforts to improve information security compliance, hospitals still significantly suffer from such attacks, impacting the quality of care and the safety of patients. Objective: This study aimed to investigate why hospital employees decide to click on phishing emails by analyzing actual clicking data. Methods: We first gauged the factors that influence clicking behavior using the theory of planned behavior (TPB) and integrating trust theories. We then conducted a survey in hospitals and used structural equation modeling to investigate the components of compliance intention. We matched employees' survey results with their actual clicking data from phishing campaigns. Results: Our analysis (N=397) reveals that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, are positively related to compliance intention. However, compliance intention is not significantly related to compliance behavior. Only the level of employees' workload is positively associated with the likelihood of employees clicking on a phishing link. Conclusions: This is one of the few studies in information security and decision making that observed compliance behavior by analyzing clicking data rather than using self-reported data. We show that, in the context of phishing emails, intention and compliance might not be as strongly linked as previously assumed; hence, hospitals must remain vigilant with vulnerabilities that cannot be easily managed. Importantly, given the significant association between workload and noncompliance behavior (ie, clicking on phishing links), hospitals should better manage employees' workload to increase information security. Our findings can help health care organizations augment employees' compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.
An understanding of the overall relationship between the work-related use of information and communication technology (ICT) and employees’ well-being is lacking as the rising number of studies has produced mixed results. We meta-analytically synthesize and integrate existing literature on the consequences of ICT use based on the job demands-resources model. By using meta-analytical structural equation modeling based on 63 independent studies ( N = 26,295), we shed light on the relationship between ICT use and employees’ well-being (operationalized as burnout and engagement) in a model that incorporates the mediating role of ICT-related resources and demands. Results show that ICT use is opposingly related to burnout and engagement through autonomy, availability, and work-life conflict. Our study brings clarity into the contradictory results and highlights the importance of a simultaneous consideration of both positive and negative effects for a comprehensive understanding of the relationship. We further show that the time of use and managerial position, and methodological moderators can clarify heterogeneity in previous results.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.