This research paper (February 2019) explores behavioural patterns related to information security in healthcare using the theory of planned behaviour with integrated trust theories. 

Abstract: Employees are often considered the weakest link in information security. Their compliance with security policies has been a major area of research, which reveals that employees continue to click on phishing links even after receiving training.

Study Focus: This study explores the factors that influence information security policy compliance, using the theory of planned behavior (TPB) and integrating trust theories.

Methods: The study group conducted a survey in hospitals to investigate the components of compliance intention and match employees’ survey results with their actual clicking data from organisational phishing campaigns.

Results: The analysis (N = 430) revealed that TPB factors (attitude, subjective norms, and perceived behavioural control), as well as collective felt trust and trust in information security technology, have positive effects on compliance intention. However, surprisingly, compliance intention does not predict compliance behaviour. Of the variables we tested, only the level of employees’ workload shows a significant relationship to their actual behaviour.

Conclusions: This study contributes to the information systems literature by understanding factors influencing compliance behavior. Also, unlike studies that assess behaviour through a questionnaire, our method was able to measure observable compliance behaviour using clicking data. Our findings can help organisations augment employees’ compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.

PANACEA Research perspectives: This research is directly related to one of the tools that PANACEA is developing, called Secure Behaviour Nudging. The tool is designed to help staff responsible for encouraging cybersecure behaviours within a healthcare organisation, and was designed by a team of behaviour change experts from the University of Northumbria (UK).

Keywords: Information security management, phishing emails, compliance, trust, theory of planned behavior

Lookout Watch entry date: 07/08/2019