    SOCIAL ENGINEERING AS AN EVOLUTIONARY THREAT TO INFORMATION SECURITY IN HEALTHCARE ORGANIZATIONS

    Information security in healthcare settings is overlooked even though it is the area most vulnerable to social engineering attacks. Theft of hospital data must be monitored closely, as such data contains patients’ confidential health information. If leaked, the data can affect patients’ social as well as professional lives. The hospital data system also includes administrative data and employees’ personal information, which, if stolen, can lead to identity theft. The current paper discusses the types and sources of social engineering attacks in healthcare organizations. Social engineering attacks occur more frequently than other malware attacks, and hence it is crucial to understand what social engineering is and which vulnerabilities it exploits in order to understand the prevention measures. The paper describes the types of threats, potential vulnerabilities, and possible solutions to prevent social engineering attacks in healthcare organizations.
    Keywords: social engineering, hospitals, healthcare organizations, information security.

    Think twice before you click!: exploring the role of human factors in cybersecurity and privacy within healthcare organizations

    The urgent need to protect sensitive patient data and preserve the integrity of healthcare services has propelled the exploration of cybersecurity and privacy within healthcare organizations [1]. Recognizing that advanced technology and robust security measures alone are insufficient [2], our research focuses on the often-overlooked human element that significantly influences the efficacy of these safeguards. Our motivation stems from the realization that individual behaviors, decision-making processes, and organizational culture can be both the weakest link and the most potent tool in achieving a secure environment. Understanding these human dimensions is paramount, as even the most sophisticated protocols can be undone by a single lapse in judgment. This research explores the impact of human behavior on cybersecurity and privacy within healthcare organizations and presents a new methodological approach for measuring and raising awareness among healthcare employees. Understanding the human influence in cybersecurity and privacy is critical for mitigating risks and strengthening overall security posture. Moreover, the thesis aims to place emphasis on the human aspects, focusing on the often-overlooked factors that can shape the effectiveness of cybersecurity and privacy measures within healthcare organizations. We have highlighted factors such as employee awareness, knowledge, and behavior that play a pivotal role in preventing security incidents and data breaches [1]. By focusing on how social engineering attacks exploit human vulnerabilities, we underline the necessity of addressing these human-influenced aspects. The existing literature highlights the crucial role that human factors and awareness training play in strengthening cyber resilience, especially within the healthcare sector [1]. Developing well-customized training programs, along with fostering a robust organizational culture, is vital for encouraging a secure and protected digital healthcare setting [3]. Building on the recognized significance of human influence in cybersecurity within healthcare organizations, a systematic literature review became indispensable. The existing body of research might not have fully captured all the ways in which human factors, such as psychology, behavior, and organizational culture, intertwine with technological aspects. A systematic literature review served as a robust foundation to collate, analyze, and synthesize existing knowledge, and to identify gaps where further research was needed. To complement our systematic literature review and investigation of human factors, our research introduced a new methodological approach through a concept study based on an exploratory survey [4]. Recognizing the need to uncover intricate human behavior and psychology in the context of cybersecurity, we designed this survey to probe the multifaceted dimensions of cybersecurity awareness. The exploratory nature of the survey allowed us to explore cognitive, emotional, and behavioral aspects, capturing information that is often overlooked in conventional analyses. By employing this tailored survey, we were able to collect insights that provided a more textured understanding of how individuals within healthcare organizations perceive and engage with cybersecurity measures.

    The Evolution of Cyber Risk and the Cyber Insurance Market

    Insurance and hedging instruments can help corporations manage many of the operational and financial risks they face. Yet additional complexities are introduced now that many risks are increasingly interdependent and thus strongly correlated, making them more challenging to manage. Few risks illustrate this challenge better than cyber risk. This thesis focuses on the increasing attention that the management of cyber risks receives in corporations, institutions and industries, and on the role that insurance and risk management strategies play in mitigating this risk. The decision to focus on cyber risks—and the financing and management of those risks—is directly related to the exponential increase in cyber threats throughout the global economy. Thirty years ago, few would have predicted the magnitude of damage that cyber-attacks would routinely inflict upon organizations of all sizes—with the potential for far more severe losses looming ever larger. The rapid evolution and escalation of cyber threats—along with their ubiquitous nature—has led to a comprehensive reassessment of how organizations manage risks of all types. Insurers have been meeting the changing risk management needs of these organizations through innovations in product design, which now commonly include elements of loss control and post-event mitigation—in addition to traditional loss financing. This thesis begins with a historical review of cyber threats and proceeds to examine the varied nature of cyber threats impacting several key industries. Data on major attacks for each industry examined in this thesis were researched, collected and analyzed, and are displayed in the database included in the appendix to this paper. For the discussion of early-stage cyber threats, I trace the evolution of cyber threats from relatively simplistic denial-of-service attacks, to early computer viruses, to phishing emails, and to the multiplicity of sophisticated threats seen today, such as ransomware. The objective is to provide those who are unfamiliar with cyber risk (i.e., students or other professionals) with an increased awareness of the threats, as well as an understanding of how organizations can mitigate such threats.

    An Analysis of Phishing Susceptibility Through the Lens of Protection Motivation Theory

    Users of communication tools are vulnerable to a cyberattack called phishing, which aims to trick a recipient into giving away information or access that the attacker should not have. There is a great need to protect the recipient from becoming a victim of phishing. Protection can be achieved in a multitude of ways; however, the human will be the last barrier of entry when all digital protection fails. This is why anti-phishing training is used to enable email users to see the difference between real email and phishing attacks. This research explores the use of Protection Motivation Theory (PMT) to analyse phishing susceptibility by interviewing ten employees in a large financial company. The analysis spanned all aspects of the original Protection Motivation Theory and sought to answer the research question: “How do employees in a company protect themselves against phishing attacks?”. Furthermore, the study investigated the relationship between the experiences of the participants and what the theory suggested would increase protection motivation. The analysis resulted in findings that were consistent with PMT on the positive effects of rewards for employees in increasing protection motivation. Furthermore, a low response cost led to a positive effect where employees had the freedom to properly examine the emails they received and handle them accordingly. The last finding that was consistent with PMT was the positive effect of high efficacy, which enabled employees to make their own decisions based on their experience and knowledge. Surprisingly, findings also contradicted some core aspects of PMT. These include the perception of vulnerability and severity in combination with fear appeal. Although the perception of vulnerability and severity was high, the fear appeal was very low. This is inconsistent with PMT, as a high perception of vulnerability and severity should lead to high fear appeal. Most importantly, these findings suggest that fear appeal is not as necessary as research has proposed and that protective behaviour in the absence of fear appeal can be replaced by a protective mindset. These findings point to important implications both in theory and in practice. The theoretical implications include the support for rewards and response cost positively affecting protection motivation if rewards are high and response cost is low. Another implication is that fear appeal, contrary to peer-reviewed research, might not be as important if the company itself focuses on security and promotes a healthy method of dealing with phishing attacks. The final theoretical implication is the protective behaviour identified here as a protective mindset. The concept correlates with multiple different behaviours that promote secure behaviour; however, it does so by analysing the need for fear appeal and promoting research that investigates protective behaviours without the need for PMT’s version of fear appeal. The practical implications of this study include the promotion of a healthy protective mindset, which can be achieved by anti-phishing training, phishing simulations, and voluntary high awareness when looking at emails. Furthermore, findings show that the financial company studied in this thesis provides a great understanding of secure behaviour and the requirements to achieve it. However, this is done by forcing training whilst providing organisational support and incentives to do well. Although it could seem harsh, this has worked well, and should continue to work well.

    Alpha Phi-shing Fraternity: Phishing Assessment in a Higher Education Institution

    Phishing is a common social engineering attack aimed at stealing personal information. Universities attract phishing attacks because: 1) they store employees’ and students’ sensitive data, 2) they save confidential documents, 3) their infrastructures often lack security. In this paper, we showcase a phishing assessment at the University of Redacted aimed at identifying the people, and the features of such people, that are more susceptible to phishing attacks. We delivered phishing emails to 1,508 subjects in three separate batches, collecting click rates equal to 30%, 11% and 13%, respectively. We considered several features (i.e., age, gender, role, working/studying field, email template) in univariate and multivariate analyses and found that students are more susceptible to phishing attacks than professors or technical/administrative staff, and that emails designed through a spearphishing approach receive the highest click rate. We believe this work provides the foundations for setting up an effective educational campaign to prevent phishing attacks not only at the University of Redacted, but in any other university.

    Securing the Human – Exploring Current Security Awareness among Employees and Finding Ways to Improve it in the Organizational Setting

    As organizational security breaches increase, it becomes imperative to understand the factors that lead to these breaches and take the necessary steps to minimize threats. Since employees are considered the weakest link in ensuring the security of corporate data, this paper evaluates various employee characteristics (demographic, company-specific, and skills-based) to understand their relationship with security knowledge and the likelihood of becoming a security breach victim. This paper accounts for four different, yet intertwined, security risk areas: phishing, passwords, BYOD and laptop usage in the organizational setting. Findings from a survey of 250 employees at a medium-sized US consulting firm identify higher-risk employees and evaluate the relationship between employee characteristics, understanding of security policies, and security risks. Based on these findings and separate interviews with security experts, the study concludes with a set of recommendations for companies to improve organizational security and reduce risks caused by human factors in securing organizations’ endpoints.

    An Examination of the Human Factors in Cybersecurity: Future Direction for Nigerian Banks

    Information and communication technology has become necessary for conducting business operations and ensuring business survival in Nigerian banks. However, this has come with some encumbrances, as this technology is vulnerable to attacks due to technical or human factors. These human factors have been very challenging for organizations due to their multi-dimensional nature and the fact that humans have been responsible for most cybersecurity incidents. Resolving issues arising from cybersecurity incidents is expensive and time-consuming. Therefore, this study is crucial, as it will enable Nigerian banks witnessing increased attacks to take preventive measures and reduce the enormous expenditure required for remediation. This study adopts a literature review approach, reviewing previous studies on human factors in cybersecurity to determine the factors responsible for successful cyber-attacks and their suggested mitigations. The findings categorize these human factors into social engineering, poor information security culture, risky password practices, stress, burnout, and security fatigue. The study presents mitigations but notes that training and cybersecurity awareness are the most common recurring pre-emptive actions recommended. This research is significant, as very little prior research has been conducted in this area targeted at the Nigerian banking sector. Practically, the findings of this study are expected to point Nigerian banks toward the critical human factors that they need to concentrate on to minimize the success rate of cyber-attacks and reduce the associated costs of recovering from these attacks.

    "It may take ages": understanding human-centred lateral phishing attack detection in organisations

    Smartphones are a central part of modern life and contain vast amounts of personal and professional data as well as access to sensitive features such as banking and financial apps. As such, protecting our smartphones from unauthorised access is of great importance, and users prioritise this over protecting their devices against digital security threats. Previous research has explored user experiences of unauthorised access to their smartphone – though the vast majority of these cases involve an attacker who is known to the user and knows an unlock code for the device. We presented 374 participants with a scenario concerning the loss of their smartphone in a public place. Participants were allocated to one of 3 scenario groups in which a different unknown individual with malicious intentions finds the device and attempts to gain access to its contents. After exposure, we asked participants to envision a case where someone they know has a similar opportunity to attempt to gain access to their smartphone. We compare these instances with respect to differences in the motivations of the attacker, their skills and their knowledge of the user. We find that participants underestimate how commonly people who know them may be able to guess their PIN and overestimate the extent to which smartphones can be ‘hacked into’. We discuss how concerns over the severity of an attack may cloud perceptions of its likelihood of success, potentially leading users to underestimate the likelihood of unauthorised access occurring from known attackers who can utilise personal knowledge to guess unlock codes.

    Phishing simulation exercise in a large hospital: A case study

    Background: Phishing is a major threat to the data and infrastructure of healthcare organizations, and many cyberattacks utilize this socially engineered pathway. Phishing simulation is used to identify weaknesses and risks in the human defences of organizations. There are many factors influencing the difficulty of detecting a phishing email, including fatigue and the nature of the deceptive message. Method: A major Italian hospital with over 6000 healthcare staff performed a phishing simulation as part of its annual training and risk assessment. Three campaigns were launched at approx. 4-month intervals to compare staff reaction to a general phishing email and a customized one. Results: The results show that customization of phishing emails makes them much more likely to be acted on. In the first campaign, 64% of staff did not open the general phish, significantly more than the 38% that did not open the custom phish. A significant difference was also found for the click rate, with significantly more staff clicking on the custom phish. However, the campaigns could not be run as intended, due to issues raised within the organization. Conclusions: Phishing simulation is useful but not without its limitations. It requires contextual knowledge, skill and experience to ensure that it is effective. The exercise raised many issues within the hospital. Successful, ethical phishing simulations require coordination across the organization, precise timing and a lack of staff awareness. This can be complex to coordinate. Misleading messages containing false threats or promises can cause a backlash from staff and unions. The effectiveness of the message depends on its personalization to current, local events. The lessons learned can be useful for other hospitals.

    YOU ARE THE WEAKEST LINK: ADDRESSING CYBER SECURITY CONCERNS WITHIN THE FIRE DEPARTMENT OF NEW YORK

    The evolving cyber threat landscape consistently challenges organizational cybersecurity defenses. Cyberattacks, which were once rare, have become alarmingly frequent. In response, organizations have traditionally focused on technological solutions; however, human error remains a leading cause of network data breaches. The lack of effective security measures aimed at mitigating human error leaves organizations, such as the Fire Department of New York (FDNY), vulnerable to cyber intrusions. The FDNY’s dependence on digital networks for day-to-day operations underscores the need for security measures that address both technological and human vulnerabilities. This research combines descriptive, evaluative, and prescriptive methods, including a red-team exercise simulating a social engineering attack, to assess how the current cyber threat environment affects the FDNY. The study uncovers significant vulnerabilities, particularly among frontline personnel, who are often overlooked in traditional cybersecurity practices. Based on the findings, the research proposes strategic recommendations to strengthen the FDNY’s cyber defenses. The study promotes a comprehensive “all-hands-on-deck” approach that highlights the importance of making cybersecurity a shared responsibility, encompassing everyone from frontline personnel to senior leadership. This approach offers insights and methods applicable to other organizations seeking to strengthen their cybersecurity posture.
    Distribution Statement A. Approved for public release: Distribution is unlimited.
    Civilian, Fire Department of New Yor