Informing, simulating experience, or both: A field experiment on phishing risks

Baillon, Aurélien; Bruin, Jeroen de; Emirmahmutoglu, Aysil; Veer, E. van de; Dijk, Bram van

doi:10.1371/journal.pone.0224216

Cited by 28 publications

(21 citation statements)

References 29 publications

(24 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In RQ1, we identified the nature of cybersecurity attacks being experienced by healthcare organisations, and the articles selected in the review received higher rankings than the papers with a lower ranking. This is due to the fact that several articles reported studies on the impact of ransomware (e.g., WannaCry) [ 20 , 32 , 42 , 43 ] and phishing attacks [ 9 , 10 , 13 , 14 , 15 , 41 , 44 , 45 , 46 , 47 ], to name a few being launched against healthcare organisations.…”

Section: Resultsmentioning

confidence: 99%

“…Following the increasing number of articles being published, addressing the role of humans in the loop for enhancing the cybersecurity since 2016 [ 8 , 9 , 10 , 11 , 12 , 13 , 14 , 15 , 16 , 17 , 18 , 19 , 20 , 21 , 22 , 23 , 24 , 25 , 26 , 27 , 28 ], there is a need to consolidate the research findings. The main objective of this systematic review is to review the literature to gather evidence from organisational case studies, author observations and scientific developments in cybersecurity to identify the role of including humans in the loop for strengthening cyber defence within the healthcare industry.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review

Nifakos

Chandramouli

Nikolaou

et al. 2021

Sensors

102

View full text Add to dashboard Cite

Background: Cybersecurity is increasingly becoming a prominent concern among healthcare providers in adopting digital technologies for improving the quality of care delivered to patients. The recent reports on cyber attacks, such as ransomware and WannaCry, have brought to life the destructive nature of such attacks upon healthcare. In complement to cyberattacks, which have been targeted against the vulnerabilities of information technology (IT) infrastructures, a new form of cyber attack aims to exploit human vulnerabilities; such attacks are categorised as social engineering attacks. Following an increase in the frequency and ingenuity of attacks launched against hospitals and clinical environments with the intention of causing service disruption, there is a strong need to study the level of awareness programmes and training activities offered to the staff by healthcare organisations. Objective: The objective of this systematic review is to identify commonly encountered factors that cybersecurity postures of a healthcare organisation, resulting from the ignorance of cyber threat to healthcare. The systematic review aims to consolidate the current literature being reported upon human behaviour resulting in security gaps that mitigate the cyber defence strategy adopted by healthcare organisations. Additionally, the paper also reviews the organisational risk assessment methodology implemented and the policies being adopted to strengthen cybersecurity. Methods: The topic of cybersecurity within healthcare and the clinical environment has attracted the interest of several researchers, resulting in a broad range of literature. The inclusion criteria for the articles in the review stem from the scope of the five research questions identified. To this end, we conducted seven search queries across three repositories, namely (i) PubMed®/MED-LINE; (ii) Cumulative Index to Nursing and Allied Health Literature (CINAHL); and (iii) Web of Science (WoS), using key words related to cybersecurity awareness, training, organisation risk assessment methodologies, policies and recommendations adopted as counter measures within health care. These were restricted to around the last 12 years. Results: A total of 70 articles were selected to be included in the review, which addresses the complexity of cybersecurity measures adopted within the healthcare and clinical environments. The articles included in the review highlight the evolving nature of cybersecurity threats stemming from exploiting IT infrastructures to more advanced attacks launched with the intent of exploiting human vulnerability. A steady increase in the literature on the threat of phishing attacks evidences the growing threat of social engineering attacks. As a countermeasure, through the review, we identified articles that provide methodologies resulting from case studies to promote cybersecurity awareness among stakeholders. The articles included highlight the need to adopt cyber hygiene practices among healthcare professionals while accessing social media platforms, which forms an ideal test bed for the attackers to gain insight into the life of healthcare professionals. Additionally, the review also includes articles that present strategies adopted by healthcare organisations in countering the impact of social engineering attacks. The evaluation of the cybersecurity risk assessment of an organisation is another key area of study reported in the literature that recommends the organisation of European and international standards in countering social engineering attacks. Lastly, the review includes articles reporting on national case studies with an overview of the economic and societal impact of service disruptions encountered due to cyberattacks. Discussion: One of the limitations of the review is the subjective ranking of the authors associated to the relevance of literature to each of the research questions identified. We also acknowledge the limited amount of literature that focuses on human factors of cybersecurity in health care in general; therefore, the search queries were formulated using well-established cybersecurity related topics categorised according to the threats, risk assessment and organisational strategies reported in the literature.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review

Nifakos

Chandramouli

Nikolaou

et al. 2021

Sensors

102

View full text Add to dashboard Cite

show abstract

“…Maqbool et al (2020) argued that penalizing individuals should increase security behaviours. Along these lines, Baillon et al (2019) used a phishing experiment (in which participants click on a link which then ask them to provide their passwords) to study how simulated experience with prior phishing can impact future behaviour. They found that experiencing simulated phishing (i.e., a negative outcome) increases compliance with security policies in the computer system users.…”

Section: Improving Security Behaviours Using Psychological Methodsmentioning

confidence: 99%

“…They found that experiencing simulated phishing (i.e., a negative outcome) increases compliance with security policies in the computer system users. It has been found that providing information about the prevalence of phishing (i.e., negative outcome can occur to people) can decrease clicking on suspicious links in phishing emails (Baillon et al, 2019). Accordingly, computer system users should be provided with simulated experience of negative outcomes that may occur due to their erroneous cyber security policies.…”

Section: Improving Security Behaviours Using Psychological Methodsmentioning

confidence: 99%

“…The use of laboratorybased phishing experiment has been shown in a recent study to relate to real-life phishing (Hakim et al, 2020). One study found that over 30% of government employees click on a suspicious link in this phishing email, and many of these have provided their passwords (Baillon et al, 2019). In another study using a similar phishing experiment, around 60% of university students clicked on suspicious link in a phishing email (Diaz et al, 2018).…”

Section: Human Cyber Security Errorsmentioning

confidence: 99%

See 1 more Smart Citation

The Role of User Behaviour in Improving Cyber Security Management

2021

View full text Add to dashboard Cite

Information security has for long time been a field of study in computer science, software engineering, and information communications technology. The term ‘information security’ has recently been replaced with the more generic term cybersecurity. The goal of this paper is to show that, in addition to computer science studies, behavioural sciences focused on user behaviour can provide key techniques to help increase cyber security and mitigate the impact of attackers’ social engineering and cognitive hacking methods (i.e., spreading false information). Accordingly, in this paper, we identify current research on psychological traits and individual differences among computer system users that explain vulnerabilities to cyber security attacks and crimes. Our review shows that computer system users possess different cognitive capabilities which determine their ability to counter information security threats. We identify gaps in the existing research and provide possible psychological methods to help computer system users comply with security policies and thus increase network and information security.

show abstract

The Role of Cognition in Developing Successful Cybersecurity Training Programs – Passive vs. Active Engagement

Prümmer

2024

Augmented Cognition

View full text Add to dashboard Cite

Informing, simulating experience, or both: A field experiment on phishing risks

Cited by 28 publications

References 29 publications

Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review

Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review

The Role of User Behaviour in Improving Cyber Security Management

The Role of Cognition in Developing Successful Cybersecurity Training Programs – Passive vs. Active Engagement

Contact Info

Product

Resources

About