Detecting and Rectifying the Non-Malicious Insider Threat in a Healthcare Setting

Humayun Zafar
DOI: 10.4018/IJSSSP.315766

Abstract

This paper aims to apply habit-based research to the domain of information security. It proposes a new training paradigm in which a user “automatically” does the right thing without being an expert in the area of information security. The authors used a multiphased approach in which a new security training program was created and assessed for three groups: administrators (mostly managers), medical professionals (including physicians, physician assistants, etc.), and staff (appointment coordinators, billing specialists, etc.). The authors were able to find strong correlations between habit creation and security threats such as phishing, unauthorized cloud computing use, and password sharing. The authors were also able to ascertain that traditional security training and awareness programs need to move away from the “one-size-fits-all” technique to custom models that look at employee groups. This study supports the idea of training programs that are focused on changing habits, which is an area that has not yet been extensively researched in this context.

Introduction

Samantha needed to work on a large file at home. It was too big to email, so she absent-mindedly plugged a flash drive someone had left in the break room into her desktop’s USB port. This was not an issue for her since she had used the flash drive plenty of times in the past. She had logged on with her password, and the company’s email client was open. This simple act started a chain reaction, launching malware hidden on the flash drive that propagated by attaching a copy of the malignant code to every email she sent. Within hours, the corporate network was thoroughly compromised. This hypothetical vignette illustrates an important insight that eludes many information technology (IT) managers tasked with information security: many breaches occur when users are not consciously aware of what they are doing. Also, contrary to recent headlines, not all threats in the cyber realm are malicious in nature. According to a Ponemon study, 70% of US survey respondents and 64% of German respondents stated that more security incidents were caused by unintentional mistakes than by malicious acts (Ponemon, 2015). We contend that most of these unintentional mistakes are due to habitual behavior that promotes an automatic response. Previous research supports the idea that automated behavior results from the force of habit (Jasperson et al., 2005; Kim et al., 2005; Ouellette & Wood, 1998). However, this issue has not been investigated in information security in any context.

We were tasked by a global leader in healthcare, hereafter referred to as the Caregiver, to assist with efforts to strengthen their internal security protocols based on identified threats, at a time when information technology is increasing in scope, scale, and importance to all areas of medicine. A critical element of this effort, based on our research, was training the disparate groups of professionals that must coordinate their efforts to provide the best-of-care standards that are the hallmark of this organization. Because a high percentage of security breaches are the result of automated behaviors, traditional information security education is not enough, since it assumes that all decisions are made rationally. Automated decisions are made by the brain in an area that is considered to be unconscious (Martin & Morich, 2011). Also, because information technology continuously evolves, along with digital exploits, trying to keep the Caregiver’s personnel up to date via classroom instruction would be too time consuming to be plausible. We contend that for the organization to achieve its information security goals, every member of the organization must be trained to automatically do the right thing at the right time, every time. Not only is it unnecessary to educate staff on the complexities of information security, doing so would be counterproductive. The key is to train all personnel individually, based on their disciplines and their IT contexts, to follow the right procedure without having to consciously think about it. Based on our research, we contend that the answer may lie in addressing the difference between conscious and unconscious errors in security breaches. This issue needs to be developed for any meaningful modeling (Benbasat & Barki, 2007). Unconscious habits form the center of human behavior, yet are largely underestimated and misunderstood.

We adapted the Martin-Morich model of behavior (Martin & Morich, 2011), which is described later, to information security to answer the following research question: Does unconscious behavior need to be changed to reduce the probability of non-malicious insider threats?

In the next few sections we provide a review of previous research in information security and habits, a description of the research model that we adapted to information security, a description of the research site, the development of measures, and the results, before concluding.


Literature Review

Because there is a paucity of information security research with respect to automated/habitual behavior, we have divided this section into two parts. The first presents relevant information security research that deals with employee compliance, whereas the second provides an overview of existing information systems (IS) habit-based research.
