
dc.contributor.advisor: Yang, Bian
dc.contributor.advisor: Snekkenes, Einar Arthur
dc.contributor.author: Yeng, Prosper Kandabongee
dc.date.accessioned: 2023-06-02T11:23:05Z
dc.date.available: 2023-06-02T11:23:05Z
dc.date.issued: 2023
dc.identifier.isbn: 978-82-326-7043-7
dc.identifier.issn: 2703-8084
dc.identifier.uri: https://hdl.handle.net/11250/3069792
dc.description.abstract: The human aspect of information security practice has become a global concern. According to Verizon’s 2022 data breaches report, over 80% of data breaches were caused by the human aspect, and this trend has been consistent over the past three years. Among the industries, 22% of the violations occurred within healthcare. These breaches are widely caused by external actors (61%) who are motivated by financial gains. Ransomware through phishing attacks has been the preferred tactic. Such incidents have caused financial loss to some hospitals and resulted in the loss of human life. The security practice in relation to the human aspect is about how people comply with organizational security requirements towards safeguarding the confidentiality, integrity and availability (CIA) of assets within an IT infrastructure. Technological security configurations have predominantly been relied on as the default and traditional information security controls. Through consistent development, the technological aspect has comparatively been enhanced and matured, thereby increasing the puzzle for cyber-criminals to circumvent. As a result, cyber-criminals tend to exploit the human aspect as an easy entry point. This research work, therefore, delves into the human aspect of security practice, aiming to contribute towards the fortification of “the human firewall” through incentivising the security practice of healthcare staff. Some research activities have been conducted in this area. However, initial state-of-the-art studies revealed a lack of comprehensiveness in the existing efforts. As a result, comprehensive approaches were first explored for modelling and analyzing the security practice of healthcare staff in the aspects of data-driven and artificial intelligence or machine learning approaches, attack and defence simulations, and psychological, social, cultural and work factors. Furthermore, motivational methods for incentivizing security practices were also explored.
This is deemed to be a holistic approach towards enhancing security practices among healthcare staff. Within the data-driven area, various methods, including K-means clustering with iterative and discriminate clustering, were used to assess the security practice in electronic health records (EHR) logs in this research work. Through the assessment, an unusual session duration was revealed in which an average session of about 12,330 hours was detected. Meanwhile, at maximum, a healthcare staff session is estimated to be about 24 hours. Essentially, the K-Means iterative and discriminate (KID) model predicted normal security practices that could be explored towards the adoption of supervised machine learning methods for real-time abnormal detection and prevention of data breaches. Furthermore, in this project, the security practices of healthcare staff were assessed through SMS-based phishing simulation attacks. These attacks were performed after scenarios had been analysed and modelled through literature review work and observational measures. Through state-of-the-art studies, the in-the-wild field study was adopted to perform a simulated SMS-based attack in a typical hospital. From a total of 167 participants (comprising nurses, doctors and other healthcare staff), about 101 (61%) were victims of the attack. This trend of a high number of victims in a phishing attack was also identified in a related study in this work, where out of 830 healthcare staff who were involved in a simulated email-based study, over 50% of the participants fell victim to the attack. Meanwhile, a cybercriminal might need just one person to click the malicious link in a real attack. The higher susceptibility among healthcare staff to the phishing attack, therefore, poses a higher phishing security behaviour risk within the healthcare sector. Additionally, comprehensive psychological, social, cultural, personal and work-related factors were identified, assessed and analyzed through in-depth literature reviews.
Constructs from theories such as the health belief model (HBM), protection motivation theory (PMT), theory of planned behaviour (TPB), general deterrence theory (GDT) and the big five (TBF) personality theory were adopted and assessed. Through that, variables such as agreeableness were assessed to be a significant positive predictor of self-efficacy (SE) risk and perceived severity (PS) risks. Following this revelation of varying security practice gaps, originating from multifaceted factors in the assessments, cognitive dissonance (CD) theory, together with other motivational methods, was identified and examined in a controlled experiment. CD was used as an independent variable while the other variables were the dependent variables in this controlled experiment. The findings in the experiment showed less susceptibility risk of the actual phishing click behaviour among the healthcare staff in the experiment group. To this end, inducing motivational factors such as cognitive dissonance, cues-to-action and perceived severity among healthcare staff could reverse this global security incident trend in the human aspect. Future research could explore the adoption of psycho-education with the aid of state-of-the-art training techniques such as virtual reality and augmented or mixed realities to inculcate long-lasting conscious care behaviour among healthcare staff. [en_US]
dc.language.iso: eng [en_US]
dc.publisher: NTNU [en_US]
dc.relation.ispartofseries: Doctoral theses at NTNU;2023:170
dc.relation.haspart: Paper 1: Yeng, Prosper; Fauzi, Muhammad Ali; Sun, Luyi; Yang, Bian. Legal Aspect of Information Security Requirement for Healthcare in Three Countries: A scoping Review as a Benchmark towards Assessing Healthcare Security Practice [en_US]
dc.relation.haspart: Paper 2: Yeng, Prosper; Yang, Bian; Snekkenes, Einar Arthur. Framework for Healthcare Security Practice Analysis, Modeling and Incentivization. 2019 IEEE International Conference on Big Data (Big Data) https://doi/10.1109/BigData47090.2019.9006529 [en_US]
dc.relation.haspart: Paper 3: Yeng, Prosper; Yang, Bian; Snekkenes, Einar Arthur. Observational measures for effective profiling of healthcare staffs' security practices. Computer Software and Applications Conference 2019; Volume 2, pp. 397-404. 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC) https://doi.org/10.1109/COMPSAC.2019.10239 [en_US]
dc.relation.haspart: Paper 4: Yeng, Prosper; Nweke, Livinus Obiora; Woldaregay, Ashenafi Zebene; Yang, Bian; Snekkenes, Einar Arthur. Data-Driven and Artificial Intelligence (AI) Approach for Modelling and Analyzing Healthcare Security Practice: A Systematic Review. Advances in Intelligent Systems and Computing 2020; Volume 1250. https://doi.org/10.1007/978-3-030-55180-3_1 [en_US]
dc.relation.haspart: Paper 5: Yeng, Prosper; Nweke, Livinus Obiora; Yang, Bian; Fauzi, Muhammad Ali; Snekkenes, Einar Arthur. Artificial Intelligence–Based Framework for Analyzing Health Care Staff Security Practice: Mapping Review and Simulation Study. JMIR Medical Informatics 2021; Volume 9(12) https://doi.org/10.2196/19250 This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/) [en_US]
dc.relation.haspart: Paper 6: Yeng, Prosper; Fauzi, Muhammad Ali; Yang, Bian. Comparative analysis of machine learning methods for analyzing security practice in electronic health records' logs. IEEE BigData 2020, 2020 IEEE International Conference on Big Data; https://doi.org/10.1109/BigData50022.2020.9378353 [en_US]
dc.relation.haspart: Paper 7: Yeng, Prosper; Fauzi, Muhammad Ali; Yang, Bian. Workflow-based anomaly detection using machine learning on electronic health records’ logs: A Comparative Study. The 2020 International Conference on Computational Science and Computational Intelligence (CSCI) https://doi.org/10.1109/CSCI51800.2020.00143 [en_US]
dc.relation.haspart: Paper 8: Yeng, Prosper; Fauzi, Muhammad Ali; Yang, Bian; Yayilgan, Sule Y. Analysing digital evidence towards enhancing healthcare security practice: The KID model. 2022 1st International Conference on AI in Cybersecurity (ICAIC) [en_US]
dc.relation.haspart: Paper 9: Yeng, Prosper; Fauzi, Muhammad Ali; Yang, Bian; Nimbe, Peter. Investigation into Phishing Risk Behaviour among Healthcare Staff. Information 2022; Volume 13(8), pp. 1-30 https://doi.org/10.3390/info13080392 This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/). [en_US]
dc.relation.haspart: Paper 10: Yeng, Prosper; Yang, Bian; Snekkenes, Einar Arthur. Healthcare Staffs' Information Security Practices Towards Mitigating Data Breaches: A Literature Survey. Studies in Health Technology and Informatics 2019; Volume 261, pp. 239-245 https://doi.org/10.3233/978-1-61499-975-1-239 [en_US]
dc.relation.haspart: Paper 11: Yeng, Prosper; Szekeres, Adam; Yang, Bian; Snekkenes, Einar Arthur. Mapping the Psychosocialcultural Aspects of Healthcare Professionals’ Information Security Practices: Systematic Mapping Study. JMIR Human Factors 2021; Volume 8(2), Suppl. e17604 https://doi.org/10.2196/17604 This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/) [en_US]
dc.relation.haspart: Paper 12: Yeng, Prosper; Fauzi, Muhammad Ali; Yang, Bian. Behaviour Coding Approach for Assessing Pitfalls in a Questionnaire Instrument towards assessing healthcare security Practice. Preprints.org 2022, 2022120369. https://doi.org/10.20944/preprints202212.0369.v1 [en_US]
dc.relation.haspart: Paper 13: Yeng, Prosper; Fauzi, Muhammad Ali; Yang, Bian. A Comprehensive Assessment of Human Factors in Cyber Security Compliance toward Enhancing the Security Practice of Healthcare Staff in Paperless Hospitals. Information 2022; Volume 13(7), pp. 1-22 https://doi.org/10.3390/info13070335 This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/). [en_US]
dc.relation.haspart: Paper 14: Yeng, Prosper; Fauzi, Muhammad Ali; Yang, Bian. Assessing the effect of human factors in healthcare cyber security practice: An empirical study. PCI 2021: 25th Pan-Hellenic Conference on Informatics https://doi.org/10.1145/3503823.3503909 [en_US]
dc.relation.haspart: Paper 15: Yeng, Prosper; Fauzi, Muhammad Ali; Pedersen, Monica Stolt. Assessing cyber-security compliance level in paperless hospitals: An ethnographic approach. 2022 9th International Conference on Internet of Things: Systems, Management and Security (IOTSMS) https://doi.org/10.1109/IOTSMS58070.2022.10061936 [en_US]
dc.relation.haspart: Paper 16: Yeng, Prosper; Yang, Bian; Fauzi, Muhammad Ali; Priharsar, Diah. A Framework for Assessing Motivational Methods Towards Incentivizing Cybersecurity Practice in Healthcare. SIET '22: Proceedings of the 7th International Conference on Sustainable Information Engineering and Technology https://doi.org/10.1145/3568231.3568285 [en_US]
dc.relation.haspart: Paper 17: Yeng, Prosper; Fauzi, Muhammad Ali; Yang, Bian; Vestad, Arnstein; Moor, Katrien R.D.; Jacobson, Christian. Exploring cognitive dissonance towards mitigating phishing susceptibility in healthcare: A controlled experiment based on phishing simulation attack in an actual hospital [en_US]
dc.title: Healthcare Security Practice Analysis, Modelling and Incentivization [en_US]
dc.type: Doctoral thesis [en_US]
dc.subject.nsi: VDP::Technology: 500::Information and communication technology: 550 [en_US]

