HEALTHCARE END-USERS
by
Jerry Alsay
Capella University
February 2019
ProQuest Number: 10979006
Published by ProQuest LLC (2019). Copyright of the Dissertation is held by the Author. All rights reserved.
© Jerry Alsay, 2019
Abstract
Social engineering attacks are a significant cause for data breaches among healthcare
organizations that electronically transmit health information in the United States. Such breaches
are costly for healthcare organizations, can negatively impact patients, and are becoming
increasingly common. The purpose of this quantitative study was to address the research
question: to what extent do organizational security factors, information security awareness
factors, and individual security factors predict the level of social engineering awareness among
end-users of healthcare organizations? The theoretical framework for the study was based on
transformational leadership theory, organizational security culture, and the theory of planned
behavior. Multiple regression was used to analyze data collected from a sample of 113
employees of healthcare organizations in the continental United States. The level of social
engineering awareness was found to be statistically significantly associated with both individual
security factors and information security awareness factors. However, no significant relationship
was found between organizational security factors and the level of social engineering awareness.
The results indicate that to improve social engineering awareness among employees,
management should focus more on individual security factors and information security
I would like to dedicate this study to my wife, Stephanie, and two children, Curtis and
Camille. Without their support and patience throughout this whole journey, I would not have
completed it.
Acknowledgments
I owe thanks to many people who helped and supported me while I worked on this study.
I am grateful for having a supportive and patient doctoral committee and wish to thank Dr.
Oludotun Oni, Dr. Alfredo Dominguez, and Dr. Susan Ferebee for their guidance and patience.
Table of Contents
Acknowledgments.................................................................................................. iv
Introduction ..............................................................................................................1
Background ..............................................................................................................4
Rationale ................................................................................................................11
Significance............................................................................................................16
Definition of Terms................................................................................................17
Introduction ............................................................................................................22
Research Strategy...................................................................................................22
Research Method ...................................................................................................60
Summary ................................................................................................................62
Introduction ............................................................................................................64
Setting ....................................................................................................................69
Instrumentation ......................................................................................................72
Hypotheses .............................................................................................................74
Summary ................................................................................................................84
Introduction ............................................................................................................85
Analysis of Hypotheses..........................................................................................97
Summary ................................................................................................................98
Introduction ..........................................................................................................100
Evaluation of Research Questions .......................................................................100
Conclusions ..........................................................................................................108
REFERENCES ................................................................................................................110
List of Tables
Table 4. VIF and Tolerance for the Predictor Variables, N = 113 ...................................92
Table 7. Regression Results for Level of Social Engineering Awareness on Predictor Variables, N = 113 ...............97
List of Figures
Figure 3. Histogram with normal curve overlay for the regression residuals ....................93
CHAPTER 1. INTRODUCTION
Introduction
In today’s networked world, organizations must provide for the security of their
information assets. For healthcare organizations, this is especially important, because security
breaches can have negative effects on patient outcomes and healthcare quality (Ponemon
Institute, 2016). Healthcare organizations that deal with patient data include health plans,
healthcare clearinghouses, and healthcare providers (e.g., hospitals) that electronically transmit
health information. Hereafter, the term healthcare organizations is used to refer to these entities
in aggregate. The Health Insurance Portability and Accountability Act of the United States
(HIPAA) regulates protected health information (PHI) about patient healthcare, health status, and
payment for healthcare, requiring that such information is treated with special care. For the
purpose of the present study, the terms patient data, medical records, and patient information
Patients whose medical records are stolen from healthcare organizations may be treated
owing to false entries in their medical records (Agaku, Adisa, Ayo-Yusuf, & Connolly, 2014).
Additionally, lost or stolen healthcare records result in up to $7 billion in losses to the healthcare
industry annually (Agaku et al., 2014). Therefore, there is an urgent need for strong information
320% from 2015 to 2016 (Gammons, 2017). One reason for this increase is that patient health
data is worth a premium on the black market, yielding greater profits for cybercriminals than
other types of stolen data (Ablon & Libicki, 2015). Understanding the gaps in security that make
successful cyberattacks possible is key to updating security policies to reverse this trend.
information (Ahmad, Maynard, & Park, 2014; Crossler et al., 2013), may be the main cause of a
(e.g., doctors, nurses, technicians) and administrators (e.g., billing professionals, records
keepers), lack an appropriate level of social engineering awareness, so they may be unable to
recognize social engineering attacks, resulting in a data breach (HIMSS, 2016; Junger, Montoya,
Social engineering is a particularly troubling issue because it is one of the most difficult
types of security threats to prevent (Indrajit, 2017). Whereas other types of attacks are
preventable using firewalls and other software- and hardware-based techniques, preventing
social engineering requires attention to the human element, including an understanding of the
factors that correlate with end-user awareness of social engineering (Indrajit, 2017; Nishani &
Biba, 2016). Recent research has identified security awareness as an important factor in
organizational information security (Narain Singh, Gupta, & Ojha, 2014). An emerging research
trend has demonstrated that end-users’ security awareness and intention to resist social
engineering can be predicted with factors such as organizational culture, end-user awareness
training, and security self-efficacy (Decker, 2008; Hauser, 2017; Holbert, 2013; Rocha Flores &
Ekstedt, 2016). Additionally, there is an extensive body of research on the role and importance of
security awareness in preventing social engineering attacks (Medlin, Cazier, & Foulk, 2008;
Mishra, Caputo, Leone, Kohun, & Draus, 2014). However, none of these studies focused on
factors that predict social engineering awareness among end-users in the healthcare industry. The
lucrative market for private health information on the black market has made it imperative to
investigate the factors that influence the level of social engineering awareness among
healthcare end-users, as PHI is especially attractive to cybercriminals, who can yield greater
profits for this type of stolen data than other types of stolen data (Ablon & Libicki, 2015). While
researchers know that social engineering awareness is important in healthcare, they still lack
robust information on the factors that influence it. This lack of information is limiting
practitioners’ ability to improve their level of social engineering awareness by addressing its
antecedents. Also, because the structure and culture of a healthcare organization is always
changing, and the methods of cybersecurity attackers are always improving, it is important to
healthcare industry could help information technology professionals and healthcare managers
take action to prevent social engineering attacks by focusing on the individual and organizational
elements that are statistically important to security awareness. Therefore, the aim of this
leadership and information security culture), information security awareness factors (i.e., general
information security awareness and information security policy awareness), and individual
security factors (i.e., end-users’ self-efficacy, attitude, and normative beliefs) that predict social
engineering awareness in healthcare organizations.
This chapter introduces the study and proceeds as follows. The first section contains a brief
background of the study. Next is a statement of the business technical problem and purpose of
the study, followed by a list of the research questions and hypotheses. The chapter also contains
descriptions of the rationale, theoretical framework, and significance of the study. Next, a section
on the definition of terms provides the meanings of keywords and concepts used in the study.
This is followed by a description of the assumptions and limitations of the study. A summary,
presenting the organization of the remainder of the study, concludes the chapter.
Background
assets. In many industries, such as the healthcare sector, the most valuable assets increasingly
consist of data only, which is stored, in transit, or in use across the internet or a cloud
infrastructure. This is creating an increased burden on those
responsible for protecting non-physical assets that may not be entirely in their control. The
dependency has increased steadily throughout the years and has led the industry to be susceptible
to having their information systems compromised and valuable data being stolen, or patient
Healthcare organizations have been using electronic medical records for over 20 years,
but recent developments in Internet-based storage and networking have emerged as a challenge
to the security and privacy of electronic health records (Mishra et al., 2014). While maintaining
information stored online could be at risk to the evolving technological threat of cyberattacks
security awareness is crucial in healthcare to protect private health information and minimize
2017). The healthcare industry has become a major target for hackers for several reasons: (a) the
information is sensitive in nature, (b) information stolen from hospitals is harder to track, and (c)
the healthcare industry has been slow to adopt cybersecurity measures (Loughlin et al., 2014). A
study by the Healthcare Information and Management Systems Society (HIMSS) revealed that
business and information technology priority (HIMSS, 2016). This is not surprising, given the
increasing threat of cyberattacks and the financial cost that organizations can incur from security
breaches. As healthcare information technology evolves, patients are becoming more aware that
their sensitive health information is at risk (Choi, Kim, & Park, 2015).
The general problem of interest to researchers is that cybercriminals can take private
health information and sell it for high prices on the dark web. Stolen medical records sell for 10
to 20 times more than any other type of data (Ablon & Libicki, 2015). According to an even
more shocking estimate, criminals can make $50 on medical records for every $1 they would
make on credit card information (Lowes, 2014). The lucrative market for private health
including hospitals and private practices, and it affects patients and healthcare industry
technology to gain and maintain a competitive edge (Hyatt, 2015). A component of that
competitive edge is the security posture of the organizational computing infrastructure, which
contributes to maintaining the confidentiality, integrity, and availability of patients’ personal
health information (Holtfreter & Harrington, 2015). As cybercriminals search for more profitable
targets, healthcare organizations and the personal health information that they hold have been
targeted. Cybercriminals are attracted by the wealth of patient information that healthcare
organizations hold because it has more lasting value than other types of information (Kamoun &
Nicho, 2014). Attacks on healthcare information systems have rapidly increased in recent years,
by one estimate 125% faster than attacks on other types of data (Ponemon Institute, 2016).
Attackers often choose the path of least resistance to compromise systems, and the weakest link
in information security continues to be the end users (Abawajy, 2014). Interconnectivity and
information sharing across healthcare organizations make it easier for criminals to access private
health information (Warfield, 2012). There are several types of healthcare cyberattacks: (a)
ransomware, involving malicious software that locks files until the organization pays a ransom to
unlock the information (Richardson & North, 2017); (b) stolen private health information,
involving hacking of medical records, which is the most common type of attack (Mearian, 2016);
(c) insurance fraud, involving the use of personal data to file fake claims and then collect
reimbursement for nonexistent services (Clough, 2015); and (d) social engineering, or targeting
healthcare employees with methods such as phishing to infect the health system with malware
(Junger et al., 2017). Social engineering is a particularly troubling issue for the healthcare
industry because healthcare employees are naturally trusting, and they have a desire to be helpful
(HIMSS, 2016).
The current best solution to the problem is for information security managers to
implement plans to identify, assess, and mitigate the evolving risk of cyberattacks on health
information. Technical solutions such as artificial intelligence and machine learning have great
potential to help mitigate cyberattacks (Nishani & Biba, 2016), but these new technologies will
not remove the need to focus on the human factor since end users are recognized as the most
assets unless the human element is adequately addressed. In healthcare settings, focusing on the
human factor to protect client data involves hiring and training a knowledgeable workforce and
developing a culture of security, in which employees are aware of the value of their
organizations’ data and actively work to reduce the risk of data breaches (Ponemon Institute,
2016). There are multiple methods of addressing the human factor, and scholars do not yet
clearly understand which of these ways is the best and most efficient.
Healthcare organizations have seen damages of more than $20 billion per year from attacks
(Holtfreter & Harrington, 2015). More than 69% of chief information security officers from the
healthcare industry have a concern about how to educate end users of their organizations to avoid
program (Wolf, Haworth, & Pietron, 2011). A security awareness program refers to a program
designed to influence user behavior to promote the protection of the organization’s information
assets (Rocha Flores & Ekstedt, 2016). Such programs often focus on social engineering, which
having them perform an action that benefits the attacker (Rocha Flores & Ekstedt, 2016).
Employees’ level of social engineering awareness is important in determining whether they are
able to resist this type of attack.
There are organizational, information security awareness, and individual security factors
that can shape a person’s level of social engineering awareness (Decker, 2008; Holbert, 2013;
Rocha Flores & Ekstedt, 2016). Organizational factors are internal factors, which are factors
(Decker, 2008; Holbert, 2013; Hyatt, 2015; Rocha Flores & Ekstedt, 2016). Individual factors
are inherent factors related to individual employees; for example, self-efficacy describes whether
employees feel that they are capable of recognizing and resisting social engineering attacks
(Decker, 2008; Holbert, 2013; Rocha Flores & Ekstedt, 2016). There are also external factors,
which are factors external to an organization; these can include social media or news outlets.
External factors take into account how forces outside an organization can influence an
employee’s ability to recognize a social engineering attack (Decker, 2008; Holbert, 2013; Rocha
Flores & Ekstedt, 2016). Together, these types of factors may determine how an employee reacts
The present study addressed the issue of antecedent factors to social engineering
awareness in healthcare organizations using the theory of planned behavior. This theory is
relevant to the study because it describes how individuals’ attitudes, subjective norms, and
perceptions of behavioral control influence their motivation and intention to act in particular
ways. The present study uses security attitude, subjective norms, and security self-efficacy (i.e.,
the perception of behavioral control with respect to security) as variables, so the theory of
planned behavior is a fit for the present study. Other researchers investigating security awareness
have used the theory of planned behavior (Ifinedo, 2014; Safa et al., 2015), because it follows
logically from questions addressing end-users’ intention to resist social engineering and other
cyberattacks. While previous research focused on security awareness from an organizational
view, this study focused on security awareness from an individual view. The ultimate goal of
understanding the factors antecedent to security awareness is to empower end-users with the
intention to resist social engineering, so the theory of planned behavior is relevant in the present
context.
There is a problem with data breaches from social engineering attacks among healthcare
organizations that electronically transmit health information in the United States (HIMSS, 2016).
Although healthcare leaders implement programs to reduce attacks (Ponemon Institute, 2016;
Rocha Flores & Ekstedt, 2016; Wolf et al., 2011), the number of attacks grew 320% from 2015
to 2016 (Gammons, 2017; Ponemon Institute, 2016). Previous studies have been conducted to
gauge the extent to which organizational security factors, information security awareness factors,
and individual security factors influence social engineering awareness (Rocha Flores & Ekstedt,
2016; Holbert, 2013; Decker, 2008). These studies focused on the organizational view of social
engineering awareness, not the individual view. Also, these studies did not focus specifically on
the healthcare industry, which is a heavily targeted sector. Cybercriminals are using various social
engineering methods to attack healthcare end-users, causing financial and reputational
losses for the healthcare industry and its clients. More than 78% of security practitioners
believed that a major cause of concern for data breaches is social engineering attacks
(Ponemon, 2016). This problem has negatively impacted the healthcare industry because attacks
are costing healthcare organizations up to $7 billion per year (Agaku et al., 2014). The problem
has also negatively impacted patients because patients whose medical records are stolen from
encounter employment difficulty owing to false entries in their medical records (Agaku et al.,
2014).
Research Purpose
organizational security factors, information security awareness factors and individual security
factors predict the level of social engineering awareness among healthcare end-users in
understanding of what factors can raise a healthcare end-user’s level of social engineering
awareness, thus preventing a potential social engineering attack. The results of this study are
expected to contribute to the knowledge area of security awareness and social engineering
awareness within the healthcare industry by informing healthcare information technology leaders
on what to look for when assessing the level of social engineering awareness among their
employees and how to develop an efficient and effective information security awareness
Research Questions
leadership and information security culture) predict the level of social engineering awareness
RQ2: To what extent, if at all, do information security awareness factors (i.e., general
information security awareness and information security policy awareness) predict the level of
RQ3: To what extent, if at all, do individual security factors (i.e., end-users’ self-
efficacy, attitude, and normative beliefs) predict the level of social engineering awareness of
healthcare end-users?
Rationale
This quantitative multiple regression study furthered the studies conducted by Decker
(2008), Holbert (2013), and Rocha Flores and Ekstedt (2016). Decker analyzed internal, external,
and inherent factors to security awareness of end users in institutions of higher learning. Holbert
used Decker’s four factors to determine which had the greatest influence on the security
awareness level of end users. Rocha Flores and Ekstedt investigated how organizational and
individual factors shaped employees’ behavioral intention to resist social engineering within
various industries. This study used Rocha Flores and Ekstedt’s research instrument, which draws
on the theory of planned behavior to identify individual factors (i.e., self-efficacy, attitude, and
security culture), and security awareness factors (i.e., general information security awareness and
information security policy awareness) related to security behaviors. The focus of this study was
on the level of social engineering awareness, and the industry of focus was healthcare. This is
important because other researchers have studied social engineering awareness in other settings,
such as institutions of higher learning (Hauser, 2017) or the energy sector (Rocha Flores &
Ekstedt, 2016) and even other countries but have not specifically studied the healthcare industry.
The specific focus of this study was to determine which security factor or factors have the
greatest influence on the level of social engineering awareness of a healthcare end-user. Too many
security awareness programs are designed to meet a compliance requirement and do not take into
account the concept of educating the user to fully recognize when they are being socially
engineered. Many end-users do not learn or retain information the same way, so healthcare
organizations must think about the most efficient way their end-users retain awareness
information that can be gained from a successful attack by intruders. As stated earlier, PHI is
very valuable and can be detrimental for those affected if the information is violated. Effects of a
successful attack can be felt both financially and reputationally by the affected healthcare
organization and their affected client (Agaku et al., 2014; HIMSS, 2016). While other business
information assets are just as valuable, PHI is more valuable on the black market, which can lead
with social engineering attacks. Even though many healthcare end-users are highly educated
professionals, they can still be susceptible to highly engineered phishing attacks, owing to the
nature of their work.
Theoretical Framework
distinguished from transactional leadership. Whereas transactional leaders use systems of reward
and punishment to motivate subordinates to perform specific tasks, transformational leaders use
subordinates (Barling, Slater, & Kelloway, 2000). Transformational leadership theory is relevant
to the present study because transformational leadership is one of the organizational factors that
The core assumption of transformational leadership theory is that leaders can motivate
subordinates to perform beyond their own expectations by generating buy-in to the goals and
values of the organization as a whole or the smaller team within which they work (Miner, 2015).
In so doing, employees transcend their own self-interest to work for the good of a greater whole,
rather than for a contingent reward like a paycheck or a promotion (Miner, 2015). In the 1990s,
Avolio and Bass (1995) expanded the transformational leadership theory to emphasize the
leaders) and organization-level transformational leadership (i.e., the culture that promotes
selfless commitment to organizational goals). Because the theory supports the view that
organizational and individual factors comprise a unified whole, it is especially relevant to the
present study, which attempts to understand the organizational and individual factors that predict
(Rocha Flores & Ekstedt, 2016) and in the effectiveness of security countermeasures (Humaidi &
Balakrishnan, 2015). Owing to its logical connection to the independent variable and to existing
organizational culture as “the system of shared beliefs and values that guides the behaviors of its
members to maintain suitable patterns of social systems to survive in the dynamic environment”
(Lim, Chang, Ahmad, & Maynard, 2012, p. 298). Organizational culture is important to business
scholarship in many industries and research topics, but recent theoretical work has begun to
identify a particular type of organizational culture that is important to security. Specifically, an
organizational culture that places value on security is important to ensure that employee behavior
aligns with security requirements. A key theoretical work in this vein that provides the
The theoretical framework of Lim et al. (2012) is particularly relevant to the present
study because the authors argue that an organizational security culture is important at both the
individual and organizational levels. Not only does organizational security culture influence the
behavior of employees (i.e., the individual level), it also enables the implementation of security
at the organizational level, because the organization’s long-term plan and shared security values
facilitate new and improved security practices (Lim et al., 2012). This is relevant to this present
study because the study asks about both organizational and individual factors that influence
security awareness. The Lim et al. (2012) framework supports this research aim by focusing on
Ajzen (2011) developed the theory of planned behavior, which describes how
individuals’ attitudes, subjective norms (or normative beliefs), and perceptions of behavioral
control (or self-efficacy) influence their motivation and intention to act in particular ways. This
theory aligns with the present study, which asks about the extent to which individual factors of
self-efficacy regarding resisting social engineering, attitude toward resisting social engineering,
and normative beliefs about resisting social engineering predict security awareness in healthcare
organizations.
her tendency to evaluate things either positively or negatively. For example, information security
attitude refers to an individual’s tendency to feel either positively or negatively toward information
security (Safa et al., 2015). Subjective norms refer to an individual’s beliefs about what is
important to his or her peers and superiors (Ifinedo, 2014). For example, if an individual believes
that society expects him or her to behave in a certain way, the individual is more likely to behave
in that way, according to the theory of planned behavior. Behavioral control refers to the extent
to which individuals believe they, rather than someone else, have the power to accomplish
particular tasks. For research purposes, behavioral control is often equated with self-efficacy or
the extent to which an individual believes he or she is capable of accomplishing a task (Ifinedo,
2014). For example, according to the theory of planned behavior, people who believe they are
capable of becoming aware of information security are more likely to intend to pursue behavior
Many researchers have used the theory of planned behavior to investigate information
security at the organization level (Ifinedo, 2014; Lebek et al., 2014; Safa et al., 2015), and these
studies have largely confirmed its constructs. Researchers have used other theories in
information security research, including the protection motivation theory and the general
deterrence theory (Crossler et al., 2013). Additionally, some researchers have used the theory of
reasoned action, which predates the theory of planned behavior (Siponen, Mahmood, &
Pahnila, 2014). However, the central constructs of these theories are similar to those of the
theory of planned behavior (Lebek et al., 2013). Because the theory of planned behavior has been
so widely used, and because evidence has so widely confirmed its applicability to information
security research, the theory of planned behavior is appropriate for use in this study.
Additionally, the theory of planned behavior addresses the same individual factors that this study
Significance
Contribution to Researchers
The research objective of this study was to examine the relationships between
organizational security factors, information security awareness factors, and individual security
factors and the level of social engineering awareness of healthcare end-users. Although there
have been prior security awareness and social engineering awareness studies (Decker, 2008;
Hauser, 2017; Holbert, 2013; Rocha Flores & Ekstedt, 2016; Medlin, Cazier, & Foulk, 2008;
Mishra, Caputo, Leone, Kohun, & Draus, 2014), the relationship between the organizational
security factors, information security awareness factors, and individual security factors of
have agreed that the combination of organizational security factors, information security
awareness factors, and individual security factors exists (Decker, 2008; Hauser, 2017;
Holbert, 2013; Rocha Flores & Ekstedt, 2016); however, an investigation into this combination
involving healthcare end-users is needed due to the criticality of supporting healthcare information
The results of this study helped to fill the gap in the literature by explaining the level of
planned behavior and by determining whether the level of social engineering awareness was the
factors, and individual security factors of healthcare end-users. In addition, a reduction in the gap
of knowledge for social engineering awareness from an individual level perspective, in contrast
as it addresses a particular security concern (i.e., social engineering attacks) in a particular
industry (i.e., healthcare), adding to the granularity of detail with which the research community
Contribution to Practitioners
demonstrating the importance of understanding the level of social engineering awareness among
their employees. Continuous cyberattacks against their most important asset require management
to develop and redefine strategies for security awareness and in particular social engineering.
This study was meaningful to the community of healthcare organizations because it identified
factors that may predict a high level of social engineering awareness. With knowledge of these
factors and their predictive value for security awareness, healthcare stakeholders were
empowered to develop and promote new initiatives that were more effective and efficient in
preventing social engineering attacks by increasing end-user security awareness. The research
such professionals are tasked with safeguarding the private health data that is entrusted to them.
The problem is also significant to executives of healthcare organizations because data breaches
result in significant financial losses to the organizations, which may be tasked by shareholders
(in the case of private companies) or taxpayers (in the case of public organizations) to maximize
Definition of Terms
The major concepts in this study are social engineering, social engineering awareness,
and information security awareness. These concepts and other important terms are defined in the
Attitude is the degree to which information security behavior is positively valued
(Decker, 2008).
through malicious acts from an anonymous source that steals, alters, or destroys a specified
End-user is an individual who uses a computer system and computer applications for
own awareness of the general information security phenomena (Rocha Flores & Ekstedt, 2016).
Individual security factors are inherent security factors that relate to an individual
Information security is the protection of an information system that uses, stores, and
Information security awareness factors are internal security factors that relate to an
cognizance of the actual information security policies in their organization (Rocha Flores &
Ekstedt, 2016).
Normative beliefs are an employee's perceived social pressure about their social
engineering security behavior caused by behavioral expectations of managers or colleagues
Organizational security factors are internal security factors which are present within an
Security awareness is the level of comprehension that users have about the importance of
the protection of the organization’s information assets (Rocha Flores & Ekstedt, 2016).
about their level of social engineering awareness (Rocha Flores & Ekstedt, 2016).
Assumptions
This study involved several assumptions. The first assumption is that each participant is a
that give the employee access to PHI that is protected under HIPAA. The second assumption is
that all participants have full knowledge of their organization’s security awareness program, so
they can accurately answer the survey questions. The third assumption is that the participants
were truthful in their responses and did not manipulate their answers to hide their true beliefs.
There are also assumptions related to the statistical tests that were conducted with this study: (a)
there is a linear relationship between variables, (b) the residuals are normally distributed, (c)
there is no multicollinearity between variables, (d) there is homoscedasticity across
variables, (e) the data do not have any outliers, and (f) the residuals (errors) are normally
distributed.
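Screening checks for assumptions (a) through (f) on a constructed sample, as an added illustration that is not part of the dissertation or its analysis; the respondent scores, the three-predictor model layout and the screening statistics used (VIF, residual skewness and kurtosis, correlations of residuals with the fit) are assumptions made here, not the study's own checks or data:

```python
"""Screening checks for the six multiple-regression assumptions, in pure Python.
The SAMPLE data are constructed for illustration and are not the study's data."""
import math

# Constructed respondents: (organizational, awareness, individual) predictor
# scores on a 1-5 scale and the social engineering awareness outcome.
SAMPLE = [
    (3.0, 4.0, 2.0, 3.1), (4.0, 3.5, 3.0, 3.8), (2.0, 2.5, 2.5, 2.4),
    (5.0, 4.5, 4.0, 4.6), (3.5, 3.0, 3.5, 3.3), (1.5, 2.0, 1.0, 1.7),
    (4.5, 5.0, 4.5, 4.9), (2.5, 3.0, 2.0, 2.6), (3.0, 2.0, 4.0, 3.2),
    (4.0, 4.0, 1.5, 3.4), (1.0, 1.5, 2.0, 1.4), (5.0, 3.0, 5.0, 4.5),
]

def solve(a, b):
    """Solve a square linear system by Gauss-Jordan elimination with pivoting."""
    n = len(a)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("singular design: predictors are perfectly collinear")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]

def ols(X, y):
    """Least squares with intercept; returns (coefficients, fitted, residuals).
    coefficients[0] is the intercept, the rest follow the predictor order."""
    rows = [[1.0] + list(r) for r in X]
    p = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(p)] for i in range(p)]
    xty = [sum(r[i] * v for r, v in zip(rows, y)) for i in range(p)]
    beta = solve(xtx, xty)
    fitted = [sum(b * v for b, v in zip(beta, r)) for r in rows]
    return beta, fitted, [v - f for v, f in zip(y, fitted)]

def r_squared(y, resid):
    mean = sum(y) / len(y)
    return 1.0 - sum(e * e for e in resid) / sum((v - mean) ** 2 for v in y)

def vif(X):
    """(c) Variance inflation factor per predictor: 1 / (1 - R^2) of that
    predictor regressed on the others. Values above about 5-10 flag collinearity."""
    out = []
    for j in range(len(X[0])):
        target = [r[j] for r in X]
        others = [[v for i, v in enumerate(r) if i != j] for r in X]
        out.append(1.0 / (1.0 - r_squared(target, ols(others, target)[2])))
    return out

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (sa * sb) if sa and sb else 0.0

def moments(resid):
    """(b)/(f) Skewness and excess kurtosis of the residuals; both are 0 for a
    normal distribution, so large values are a cheap non-normality screen."""
    n = len(resid)
    m = sum(resid) / n
    m2 = sum((e - m) ** 2 for e in resid) / n
    m3 = sum((e - m) ** 3 for e in resid) / n
    m4 = sum((e - m) ** 4 for e in resid) / n
    return m3 / m2 ** 1.5, m4 / m2 ** 2 - 3.0

def standardized_residuals(resid, dof):
    s = math.sqrt(sum(e * e for e in resid) / dof)
    return [e / s for e in resid]

def diagnostics(sample, outlier_cutoff=3.0):
    """Fit outcome ~ predictors and screen assumptions (a) to (f)."""
    X = [row[:-1] for row in sample]
    y = [row[-1] for row in sample]
    beta, fitted, resid = ols(X, y)
    skew, kurt = moments(resid)
    std_resid = standardized_residuals(resid, len(y) - len(beta))
    return {
        "coefficients": beta,
        "r_squared": r_squared(y, resid),
        # (a) linearity: residuals should not track the squared fit (RESET-style)
        "linearity_corr": pearson(resid, [f * f for f in fitted]),
        "skewness": skew,
        "excess_kurtosis": kurt,
        "vif": vif(X),
        # (d) homoscedasticity: |residual| should not grow with the fitted value
        "spread_vs_fit_corr": pearson([abs(e) for e in resid], fitted),
        # (e) outliers: indices whose standardized residual exceeds the cutoff
        "outliers": [i for i, r in enumerate(std_resid) if abs(r) > outlier_cutoff],
    }
```

`diagnostics(SAMPLE)` returns one screening value per assumption; these are quick screens, not the formal tests (Shapiro-Wilk, Breusch-Pagan) a full analysis would report.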
Limitations
Several limitations were present in this study. The first limitation of the study is the use
quantitative research, according to Steckler, McLeroy, Goodman, Bird, and McCormick (1992).
The second limitation of the study is that it was only available over the Internet, so it did not
include participants who do not have Internet access, and little was known about participants’
characteristics. According to Wright (2005), these are inherent disadvantages of online survey
research. The third limitation of this study is that the sample was not generalizable beyond the
population from which it was drawn, largely owing to the sampling issues inherent in online
This chapter provided an overview of the study, the purpose of which is to determine if
there are any correlations between organizational and individual security factors and the level of
social engineering awareness of healthcare end-users. The researcher explained the significance
of the study, with emphasis on the potential positive effect of understanding the factors that
The remaining chapters presented the following: Chapter 2 presented a thorough review
of professional and academic literature related to the research topic from a historical and
contemporary point of view. Chapter 3 discussed the research design and methodology, along
with a discussion of the research instrument, data collection and analysis methods, reliability and
validity of the selected instruments, and ethical considerations. Chapter 4 presented data relating
CHAPTER 2. LITERATURE REVIEW
Introduction
The purpose of this study is to determine whether organizational and individual factors of
the healthcare end-user predict the level of social engineering awareness of the healthcare end-
users in the continental United States. This chapter contains a review of existing theoretical and
empirical literature related to the research topic. The goal of this review is to provide an
overview of the literature on security awareness programs and social engineering awareness
programs. The chapter proceeds as follows. First, the researcher describes the literature search
types of information security, information security in the healthcare industry, and types of
information security breaches, with a focus on social engineering. In the following section, the
researcher presents a discussion of internal factors that influence organizational security, divided
into individual and organizational factors. There is a separate discussion for each factor pertinent
to the study, and links are drawn among the factors within each of the subsections. Next, a brief
section describes the existing literature on the importance of security awareness training for
preventing security breaches, followed by a section considering the research method for the
present study. Finally, there is a discussion of the theory of planned behavior, its development,
Research Strategy
This chapter contains a review of research studies and scholarly content related to
security awareness generally, social engineering specifically, and the factors that influence end-
user awareness of security and social engineering. The researcher used the following databases to
search for relevant articles: ProQuest, Academic Search Premier, ProScience, Google Scholar,
and Academic One File. Using these databases, the researcher searched for articles using the
following search terms, alone and in combination: behavioral intent, behavioral intention, cyber-
Search results were narrowed to include only articles published since 2013. The purpose
of this limitation was to emphasize recent literature. As a result, this chapter heavily emphasizes
recent findings in the field of information security. However, when recent articles contained
citations leading to seminal works, or when no recent articles contained results for
organizations have assets and resources that exist only in the form of digital information,
whether stored locally on computer servers or remotely using cloud-based storage (Crossler et
al., 2013; Narain Singh, Gupta, & Ojha, 2014). Information and technologies are essential to
business success because they represent sources of market knowledge and innovation, and these
organization suffers a breach to the security of its information, it could lose its competitive edge,
Security breaches can negatively affect businesses, even when data is not lost. For
example, denial of service attacks can disrupt an organization's internet connectivity and e-mail
access, leading to costly downtime and loss of productivity (Ahmad et al., 2014). Therefore,
ensuring information security is essential if businesses are to avoid losses from security breaches.
service attacks, and behavioral intrusion such as social engineering (Crossler et al., 2013).
Because technologies change rapidly, organizations must constantly adapt and respond,
modifying their information security management in ways that prevent emerging types of
security breaches (Burns, Posey, Courtney, Roberts, & Nanayakkara, 2017; Crossler et al., 2013;
Narain Singh et al., 2014). Such responses constitute information security management.
technological tools, such as firewalls and denial of service detection, in an attempt to prevent
information security breaches (Crossler et al., 2013). Ahmad et al. (2014) reported that 60% of
encryption of data in transit, and intrusion detection systems" (p. 358). Although it is vital for
organizations to implement such technologies, these efforts are not enough, because security
As Crossler et al. (2013) pointed out, scholars have long recognized that “the individual
user within an organization,” or the end user, “is a predominant weakness in properly securing
information assets” (p. 90). Narain Singh et al. (2014) echoed this sentiment, stating that
information security management is not merely, or even primarily, a technical issue, but that “the
management and behavioral aspects are also of pivotal importance but are often overlooked by
organizations” (p. 644). Empirical evidence supports the argument that managers take one-sided
managers from eight organizations, Ahmad et al. (2014) found that security managers took an
ad hoc approach to implementing security strategies, and they focused on maintaining access to data
(e.g., by preventing denial of service attacks), ignoring the risks to business and competitiveness.
The strategies that Ahmad et al. (2014) surveyed were mostly externally oriented, neglecting the
behaviors of technology end-users within the organizations. This literature suggests that there is
a need for further investigation into how information security strategies affect the information
Scholars who have recognized the importance of the human element to protecting
involving a range of approaches to protecting organizational assets and privacy (Narain Singh et
al., 2014). In their synthesis of literature, Ahmad et al. (2014) identified nine strategies that
organizations use to secure their informational assets: (a) prevention strategies focus on
protecting data, for example by prohibiting unauthorized access to data, (b) deterrence strategies
focus on influencing people in a way that discourages them from trying to breach the
organization’s security, (c) surveillance strategies focus on monitoring information security, for
example using tools that attempt to detect denial of service attacks, (d) detection strategies
attempt to identify behavior that might result in security breaches, (e) response strategies focus
on repairing damage or reinstating security after breaches or attacks have occurred, (f) deception
strategies focus on leading attackers down the wrong path, protecting valuable assets by
attracting attackers toward less valuable assets, (g) perimeter defense strategies focus on
regulating incoming and outgoing information, reducing the number of points vulnerable to
attack, (h) compartmentalization strategies focus on dividing valuable information assets into
smaller sections and securing those sections separately, such that a majority of information will
remain secure, even if one of the sections is breached, and (i) layering strategies focus on using
multiple strategies to secure assets, so that the full complement of strategies will work together,
These nine strategies can apply to security efforts broadly, including physical security,
but Ahmad et al. (2014) argued that all nine are relevant to information security at the
organizational level. In their qualitative study, they found that all the strategies except deception
were in use in at least some of the organizations they studied. However, managers’
understanding of and ability to effectively implement these strategies was lacking (Ahmad et al.,
2014). Additionally, managers did not effectively combine strategies into multifaceted
For the present study, some of the nine approaches to information security are more
relevant than others. For example, prevention strategies can include both technological tactics
(e.g., firewalls) and behavioral tactics (e.g., non-disclosure agreements). However, detection
strategies are generally technology-based and externally facing, so they do not address the
human element in securing organizational data assets. This conceptual issue represents a
behavior. One of the goals of the present study is to determine whether internal and external
factors of information security correlate with employees' security awareness. A later section of
this chapter contains a review of literature related to these internal and external factors.
From a business perspective, there are also various strategies for information security
investment. According to Huang, Behara, and Goo (2014), organizational information security
investment decisions consist of three dimensions. First, organizations must decide how much to
invest in information security. Second, they must decide in which technologies, tools, or
measures to invest. Third, they must make implementation decisions about how to make
information security measures effective (Huang et al., 2014). In their cost-benefit analysis of
healthcare organizations’ information security investment, Huang et al. (2014) concluded that for
information assets where breaches would potentially be very costly, investing in security is
valuable from a business standpoint. However, they argued that healthcare organizations rarely
consider the intrinsic benefits of information security investment, focusing only on risk
reduction, and thereby potentially missing the benefits of enhanced security (Huang et al., 2014).
This suggests that organizations, especially healthcare organizations, could benefit from further
information security investment. A weakness of this theoretical work is that it does not present
outcome results from the empirical literature, indicating a need for further empirical research on
the impact of investment and various prevention strategies on actual security outcomes. The next
In the healthcare industry, information security breaches are costly. According to one
estimate, lost or stolen healthcare records result in up to $7 billion in losses to the healthcare
industry annually (Agaku et al., 2014). Unlike in other industries, however, information security
is not only a matter of protecting valuable business assets, but also a question of patient safety
and regulatory requirement. Breaches in healthcare information security can lead to identity
theft, causing dire financial and medical consequences for patients whose identities are stolen.
Agaku et al. (2014) pointed out that “victims of medical identity theft may receive inappropriate
medical treatment (including potentially harmful medication), exhaust their health insurance
benefits, or fail pre-employment medical screening examinations because of the presence of
bogus health conditions in their health records” (p. 374). Therefore, it is important from a patient
From a regulatory perspective, the Health Insurance Portability and Accountability Act
(HIPAA) requires that healthcare organizations take proactive measures to protect patient health
information (Kwon & Johnson, 2014). Additionally, the Health Information Technology for
Economic and Clinical Health (HITECH) Act of 2009, which incentivizes hospitals for
implementing healthcare technologies like electronic medical records, stipulates that healthcare
organizations must attest that they have implemented security provisions (Kwon & Johnson,
2014). Therefore, information security is an especially relevant topic in the healthcare industry.
applications and technologies, such as mobile devices and cloud-based storage, are vulnerable to
unauthorized access such as hacking. Additionally, healthcare providers often exchange sensitive
healthcare information to facilitate care provision (Agaku et al., 2014). For example, a clinic may
send protected information to an insurance provider via e-mail in order to expedite insurance
claim processing. In such an example, not only is the information subject to interception by
thieves if not adequately secured, but it is also vulnerable to misuse by employees who are
Despite the existence of legislation requiring that healthcare organizations secure patient
health data, there are still concerns in the industry regarding the safety of electronic health
information. Agaku et al. (2014) conducted a survey study to assess perceptions of healthcare
data security among nearly 4,000 U.S. adults and to determine whether such perceptions affected
their tendency to disclose sensitive information to healthcare providers. The results indicated that
around two-thirds of participants were concerned about the potential for security breaches when
they transferred their health information by fax or electronically (Agaku et al., 2014).
Furthermore, patients who felt that they had little or no control of their medical records were
42% more likely than others to withhold health information due to security concerns (Agaku et
al., 2014). These results underscore the importance of information security to patient health
outcomes; if patients are concerned about data security and withhold information, healthcare
providers may have a limited ability to provide adequate care, because they do not have all the
In another important empirical study, Angst, Block, D'Arcy, and Kelley (2017)
organizations. They hypothesized that, in organizations where information security strategies are
closely linked to actions (as opposed to merely symbolic, e.g., unenforced policies), security
investment would be more effective at reducing the number of data breaches over time.
By analyzing data from 5,000 hospitals in the United States, they found that, contrary to their
hypothesis, investment in symbolic security measures (i.e., those without concrete links to
action, whether internal or external to the organization) led to an increase in the likelihood of
security breach. Simply investing in information security was not enough to reduce data
breaches. Rather, the researchers found that decreased likelihood of data breaches was associated
with institutional factors, and they concluded that institutional factors influence how healthcare
organizations invest in information security in ways that are meaningful for security outcomes
(Angst et al., 2017). Although this research is not conclusive, because additional studies and
replications have not yet occurred to validate the result, the finding suggests that there is a need
to understand how institutional factors influence information security. In this study, the
researcher addressed this need by examining the extent to which institutional and personal
hospitals, private practices), including healthcare practitioners (e.g., doctors, nurses, technicians)
and administrators (e.g., billing professionals, records keepers). By addressing this population,
the present study fills an important gap in existing research. As evidenced in this section, the
majority of recent research on security awareness in healthcare has focused only on management
practices, organizational security policies, and other top-down approaches. For example, Angst
et al. (2017) focused on security policies and data breaches, not the individual human element.
Mishra, Draus, Goreva, and Caputo (2016) conducted a study focusing on social engineering in
healthcare settings, but their survey sample consisted of students in healthcare programs, so their
results are likely not applicable to understanding user behavior in real-world healthcare settings.
There are many types of security breaches to which organizations might fall victim,
including hacking, denial of service attacks, and behavioral intrusion such as social engineering
(Ahmad et al., 2014; Crossler et al., 2013). The greatest percentage of data breaches can be
2016). In the United States, there are hundreds of data breaches annually, resulting in millions of
lost or stolen records, and affected firms incur tens of millions of dollars in costs from the
breaches (Soomro et al., 2016), indicating the urgency of addressing this issue.
behavior, which is known to be the weakest link in organizational information security (Rocha
Flores & Ekstedt, 2016). This type of breach occurs when employees click on malicious e-mail
links, inadvertently download malicious software onto their computers, reveal their passwords
over the phone, and fall victim to phishing scams. All such behavioral data breaches fall into the
In a survey of cyber-attack types, Raiyn (2014) defined several types. Notably, in remote-
to-local user attacks, an attacker outside the organization gains access to a remote organizational
similarly, in user-to-root attacks, an attacker with access to an organizational account (within the
information. These types of attacks frequently occur in sequence. An attacker, having gained
access to a user account, can then use the user account access to gather and leak data. This
dangerous attack pattern can begin with social engineering (Raiyn, 2014). If an attacker can get
access to a user account via phishing or another social engineering strategy, the attacker can
often proceed from there to wreak havoc for the information security of the organization.
Such attack pathways are called advanced persistent threats (Krombholz et al., 2015).
According to Krombholz et al. (2015), social engineering is the most dangerous form of a
security breach because even the most technologically secure systems are vulnerable. Further,
social engineering can be automated, for example by creating a mass e-mailing system to phish
for passwords throughout even very large organizations. High-profile organizations like Google,
The New York Times, PayPal, and Facebook have fallen victim to social engineering
(Krombholz et al., 2015). Therefore, there is an increased interest in understanding the causes of
social engineering success and preventing employees from falling victim to such attacks.
Krombholz et al. (2015) defined five social engineering approaches: (a) physical
approaches rely on gathering information from a physical, rather than virtual, environment.
Examples include taking notice of passwords written on sticky notes, often after having
legitimately gained access to an employee’s office space, and dumpster diving, (b) social
approaches rely on persuading individuals to give away privileged information, often after
developing a relationship with the victim to enhance trust. Attackers usually engage in this type
of behavior over the phone, (c) in reverse social engineering approaches, attackers secretly
sabotage victims’ computer systems and then advertise their services to help fix the problems. In
the process of fixing the computer system, the attackers will ask for passwords or ask victims to
install malicious software, claiming that these measures are required for the fix, (d) technical
approaches involve searching the internet for data that users have previously made available in
public forums like social media. According to Soomro, Shah, and Ahmed (2016), social media is
fundamentally incompatible with organizations’ information security interests, and (e) socio-
technical approaches combine elements of social and technical approaches. This category
includes e-mail phishing as well as the more sophisticated technique of spear-phishing, whereby
attackers target phishing messages directly to individuals after gathering data on those
Although this list covers a wide range of malicious behavior and potential data breaches,
perhaps best understood using Rocha Flores and Ekstedt’s (2016) broader definition of an attack
in which organizational end users knowingly or unknowingly perform actions that benefit
attackers.
In recent years, research on social engineering awareness has largely emphasized linking
the variable to other variables or testing interventions to improve social engineering awareness.
However, it is reasonable first to review a small number of studies that have directly addressed
the state of social engineering awareness in various settings. A qualitative study conducted in
Sweden found that, although managers at production companies had a good awareness of social
engineering, they had divergent views on the potential impact of social engineering attacks
(Svanlund, Kronberg, & Jeppsson, 2015). One potential explanation for this finding could be that
The idea that managers have different educational backgrounds finds support in Hauser’s
(2017) study, which addressed social engineering awareness in higher education settings. The
results of Hauser’s study showed that faculty and students in information technology programs
were aware of social engineering, but business students and faculty lacked awareness. This
finding is relevant to the present study because it suggests that organizations whose managers
have not received specific training in information technology may not have the knowledge
engineering awareness, as Drevin, Kruger, Bell, and Steyn (2017) found in their study, based in
South Africa. The study took place at a group of hospitals, and the researchers’ goal was to
assess the level of security awareness among healthcare employees. They gave participants a
vocabulary test to determine whether they were familiar with words and concepts related to
security awareness. They found that there were significant differences across business functions,
supporting the Hauser (2017) study, and that there were differences across language groups. This
finding suggests that social engineering awareness could be language specific. Although the
present study does not address the role of participants’ native language, the finding is still
relevant because it underscores the extent to which individual factors play a role in information
security outcomes.
awareness, Alkhamis and Renaud (2016) found that, after watching a training video, employees
in Saudi Arabia were able to pass a social engineering awareness quiz. Similarly, Bullée,
Montoya, Pieters, Junger, and Hartel (2015a) conducted a study in which they first administered
intervention, the researchers staged a security attack, using a prewritten script to try to convince
employees to voluntarily hand their office keys to the people posing as offenders. They found a
striking difference in how employees responded to the threat: 62.5% of employees who did not
receive the intervention fell victim to the social engineering attack, compared with only 37% of
those who received the training (Bullée et al., 2015a). From this study, it is possible to draw two
important conclusions. First, without the appropriate training, employees may show an alarming
lack of social engineering awareness, evidenced by the fact that more than half of respondents
gave their keys to an attacker in the Bullée et al. (2015a) study. Second, intervention appeared to
Although research like the Bullée et al. (2015a) study is useful for identifying the
potential benefit of interventions for increasing social engineering awareness, not all scholars are
in favor of such research. For example, Mouton, Malan, Kimppa, and Venter (2015) raised
concerns about the ethics in social engineering research. They identified studies in which
researchers stage social engineering attacks as a potential ethical concern, with the possibility to
cause harm to research participants. Therefore, it is important for researchers to ensure that they
follow proper ethical measures when they research this topic. Chapter 3 contains a discussion of
the ethical considerations of the present study.
In a theoretical article, Bullée, Montoya, Pieters, Junger, and Hartel (2015b) made the
case that research on social engineering attacks can be beneficial to practitioners in preventing
social engineering attacks. The authors suggested that, by using regression analysis data from
social sciences research, practitioners can incorporate the complexities of the human element
into their models for understanding and preventing social engineering attacks. Korpela (2015)
made a similar argument in an article describing methods for subjecting existing research data to
data analytics in order to better prevent cyber security attacks. These arguments suggest that
there may be significant practical benefit from research on social engineering, in part
Another study by Junger et al. (2017) raises further questions about the efficacy of certain
types of interventions. They found that, among a sample of shoppers in the Netherlands, the
majority of participants provided personal information to staged attackers, even after receiving
priming questions and a warning about social engineering attacks. Just under half of the
participants (43.5%) provided their bank account details, with much higher percentages for other
types of information, including e-mail addresses and purchase history (Junger et al., 2017). This
alarming result underscores the need for further research into ways of improving social
Rocha Flores and Ekstedt (2016) conducted one of the most important recent works in
this field. They studied information security awareness, rather than social engineering awareness
per se, but their large sample of 4,296 employees at multiple organizations in Sweden makes
their study one of the most robust to date. The results showed that participants’ attitude toward
social engineering and their self-efficacy concerning social engineering were significantly
predictive of information security awareness (Rocha Flores & Ekstedt, 2016). This study is
especially important to the present research because this present study uses variables and a
theoretical framework similar to those that Rocha Flores and Ekstedt used.
Turning to the category of studies that examine the relationships between social engineering
awareness and other variables, Rocha Flores, Antonson, and Ekstedt (2015), in a study prior to
the one described above, collected data from information security executives and employees at
24 different organizations, with the goal of determining whether there was a relationship between
social engineering awareness and how the organizations governed information security. They
found that organizations with explicit information security departments or committees had
significantly better awareness among their employees (Rocha Flores et al., 2015). This suggests
that, in addition to intervention and employee training, organizations can build social engineering
The studies reviewed in this section are the primary research works on social engineering
awareness from the past half-decade. Although earlier research exists, the vast majority of
current work is theoretical, providing information on types of social engineering attacks and
prevention strategies. As technology and social engineering strategies change rapidly, so do these
taxonomies (Gardner & Thomas, 2014; Mann, 2017). Therefore, there is a gap in existing
research related to social engineering awareness, particularly about the factors that influence
Security Factors
Existing research has attempted to identify factors related to organizational security, but results
are heterogeneous, and no standardized, generally agreed upon set of factors exists (Narain Singh
et al., 2014). However, organizational security factors can be classified into external and internal
categories.
External factors are “external in nature, i.e., organizations do not have any control over
them, but have to comply or act according to them” (Narain Singh et al., 2014). Examples of
external security factors include the current level of information technology, changing security
risks from outside the organization (e.g., hacking and social engineering strategies), legislation
and regulation, and characteristics of the market and competitors (Narain Singh et al., 2014).
Internal factors are “factors that organizations have to control and manage internally,
such as business issues, IT infrastructure, strategic vision, and aligning IT with [the] company’s
strategy” (Narain Singh et al., 2014, p. 649). Decker (2008) indicated that internal factors include
security policies, end-user awareness training, and management. Harris (2010) identified that
organizational security policies are the pillar for protecting data and security awareness training
is the instrument to instruct end users about security policies. Therefore, the internal factors that
contribute to organizational security interact with and mutually reinforce one another.
Internal factors can be further categorized into organizational and individual factors.
These two types of internal factors constitute the dependent variables in the study. Therefore, this
section focuses on internal factors. Broadly speaking, the existing research on organizational
factors (transformational leadership and information security culture) and individual factors
(self-efficacy, attitude, and normative beliefs) support the research questions for the present
study, because research demonstrates that these factors are relevant to organizational security
outcomes (e.g., Rocha Flores & Ekstedt, 2016). However, literature focusing on social
engineering awareness, and literature focusing on healthcare settings, is limited. The remainder
of this section reviews existing research related to the research topic to demonstrate this gap and
justify the need to ask the research questions of the present study.
There are two types of internal factors: individual factors and organizational factors
(Rocha Flores & Ekstedt, 2016). Individual factors are those that pertain to end users and vary
from person to person, such as information security awareness and self-efficacy. Organizational
factors, by contrast, pertain to management and to the organization as a whole, such as
leadership and organizational culture. To date, few studies have explicitly conceptualized
security factors in this way. Instead, many researchers focus on one or the other of organizational
organizations make investments in organizational and individual factors, for example by training
employees and enacting culture change, without a clear understanding of how these factors
interact and to what extent they influence actual security behaviors and outcomes (Rocha Flores
For example, one way in which organizations can invest in information security is to hire
new employees with security credentials or to invest in training existing employees with
credentials (Merkow & Breithaupt, 2014). Many information security credentials exist, some of
which apply generally and others to specific industries. In the healthcare industry, the Healthcare
Information Security and Privacy Practitioner (HCISPP) credential ensures that practitioners have an
individual factors (credentials and knowledge). This study addressed the gap in the literature by
Individual Factors
Internal factors include employee behaviors and internal policies that regulate or attempt
to regulate employee behaviors. This is important because, in the words of Burns et al. (2017),
“interactions among individuals and their environments at the micro-level form the overall
security posture at the macro-level” (p. 509). Indeed, researchers have long recognized that
employee behaviors, including employees’ adherence (or lack thereof) to security policies, are
one of the most important factors in organizational information security (Lebek et al., 2013;
objective was to develop a model explaining employees' security adherence behavior. Using a
sample of 669 employees at four organizations in Finland, the researchers used structural
equation modeling to determine the extent to which each of the following individual factors
influenced the intent to comply with security policies: perceived severity of security threats,
security threats, security adherence self-efficacy, attitude, normative beliefs, and rewards
(Siponen et al., 2014). Their results indicated perceived severity, self-efficacy, perceived
Importantly, the researchers also tested whether the intention to comply with security policies
correlated to actual compliance with security policies. Although compliance was self-reported
and could, therefore, be subject to social desirability bias, this result nevertheless suggests that
outcomes.
Rocha Flores and Ekstedt (2016) conducted another important study of organizational
and individual security factors. They followed a rigorous mixed method process to develop a
research instrument measuring seven factors. At the organizational level, the measured
transformational leadership and organizational security culture. At the individual level, they
normative beliefs, and intention to resist social engineering. The researchers defined all
individual factors, except for security awareness, as intrinsic factors, or factors specific to each
and not determined by factors outside the individual (Rocha Flores & Ekstedt, 2016). After
developing and validating their research instrument, Rocha Flores and Ekstedt surveyed 4,296
employees of diverse organizations in Sweden to examine how the organizational and individual
The Rocha Flores and Ekstedt (2016) study, although not without flaws (described in the
next paragraph), was rigorous, and the results appear to be highly conclusive. The findings
revealed that attitude toward resisting social engineering was positively associated with intention
to resist social engineering. Self-efficacy and normative beliefs were also associated with
intention to resist, but with weaker coefficients. At the organizational level, the researchers found
security culture and employees’ information security awareness. A significant positive link
between transformational leadership and attitude toward resisting social engineering was fully
mediated by information security culture (Rocha Flores & Ekstedt, 2016), suggesting that
transformational leaders tend to enact organizational security cultures, and employees develop
Although Rocha Flores and Ekstedt (2016) revealed important insights for organizational
security culture, one of the major limitations of their study is that it took place entirely in
Sweden. Therefore, the interactions between organizational and individual security factors
cannot be extended to other countries, and it remains unknown how organizational and
individual factors interact in other settings. Therefore, this study drew on their research,
employing their rigorously developed survey instrument, to test the influence of organizational
and individual factors on employee security awareness in the United States. Because this study
used the same variables as those used in the Rocha Flores and Ekstedt study, the remainder of
this section reviews literature related to the individual factors in that study.
perception of both his/her general knowledge about information security and his/her cognizance
of the information security policy" (Rocha Flores & Ekstedt, 2016, p. 31). Several researchers
have identified the need for robust security awareness to protect organizational information
assets (Ciampa, 2009; Narain Singh et al., 2014; Siponen et al., 2014). Lack of information
security awareness is one of the roots of user mistakes that lead to costly security breaches (Safa
et al., 2015). Therefore, it is essential that organizations understand how to improve information
Butavicius, Pattinson, and Jerram (2014) found that knowledge of policy and procedures
influenced employees’ attitudes toward information security. Based on the results of their
analysis, the researchers concluded that training intended to improve awareness should focus not
only on policies and facts but also on the importance of information security behaviors, in order
to influence employees’ attitudes (Parsons et al., 2014). This result is important for the present
study because it elucidates the importance of awareness and supports the need to understand the
Lebek et al. (2013) conducted a review of the literature related to employee security
awareness and its relationship to security behavior. The researchers sought to determine which
were the dominant theories used to study employee security awareness and behavior. Although
the results identified 54 different theories used in 113 published works, Lebek et al. found that
there were four key theories used in the majority of literature: the theory of planned behavior (the
conceptual framework for this present study), the goal disruption theory, the protection
motivation theory, and the technology acceptance model. As the authors pointed out, there is
considerable evidence of alignment among the core constructs of these four models, indicating a
consensus that information security awareness and behavior are goals- and motivation-driven.
There are many ways of improving information security awareness among employees,
although research into the relative effectiveness of these various methods is lacking (Abawajy,
2014). Security awareness training methods include text-based training (e.g., information
delivered to employees in e-mails and handouts), game-based training, and video-based training.
In one study of these three methods, Abawajy (2014) found that it was most effective to combine
One problem in the existing literature is the failure to distinguish among user-caused
security breaches that stem from different motivations. According to Crossler et al. (2013),
security awareness training may not be effective in reducing security breaches that result from
employees purposely striving to do harm to the organization or seeking personal benefit. Despite
this limitation of existing research, the studies reviewed here reveal that security awareness is a
key factor in improving security outcomes organization-wide. However, not enough research
exists about the antecedents to security awareness at the individual and organizational levels.
Therefore, in the present study, the researcher examines security awareness as the independent
variable.
Attitude. According to Rocha Flores and Ekstedt (2016), attitude is “The degree to
which the performance of the information security behavior is positively valued” (p. 31).
Existing research has shown that attitude is important in predicting security policy compliance.
For example, Safa et al. (2015) identified several factors statistically related to employees’
collaboration, commitment, and personal norms. Safa et al. (2015) analyzed several factors, such
as collaboration and commitment, that other researchers have not explored in detail or at all,
making it difficult to draw conclusions about the importance of those factors in general.
However, the study also included factors like norms and information security knowledge, which
are similar to the factors studied elsewhere (e.g., Rocha Flores & Ekstedt, 2016; Siponen et al.,
2014). Additionally, Safa et al. (2015) confirmed the findings of Rocha Flores and Ekstedt
(2016) by revealing that employees’ attitude toward information security associated positively
As mentioned above, Siponen et al. (2014) found that attitude positively related to
intention to comply with security policies in their sample of Finnish employees. Rocha Flores and
Ekstedt (2016) found a similar result when considering intention to resist social engineering as
the outcome variable. Again, Parsons et al. (2014) found that attitude toward security policy and
procedures accounted for 72% of the variation in self-reported compliance behaviors among
relationship between attitudes toward compliance and actual compliance with information
security policies. Together, these studies strongly suggest that attitude is important to
organizational security outcomes. The literature search did not reveal any studies that failed to
find significant links between attitude and other information security–related variables, further
Although the research reviewed here shows that security awareness can influence
security attitude among employees, few researchers have posited the reverse causal relationship.
Readers should note that, of the results reviewed here, none can be used to make direct causal
claims, because all of the statistical analyses used correlation analysis, which does not
necessarily imply causation. Therefore, it is possible that security attitude leads to an increase in
security awareness since positive attitudes could motivate employees to seek and retain more
information about security policies and practices. This logic motivates the hypothesis of the
study, but, to this researcher’s knowledge, no existing studies have theorized the relationship in
this direction.
Self-efficacy. In general terms, the concept of self-efficacy refers to one’s belief in one’s
ability to succeed or accomplish a given task by mobilizing one’s own capacities and resources
(Schwarzer, 2014). The psychologist Albert Bandura developed the notion of self-efficacy as a
part of his social cognitive theory, and researchers have applied the notion in many fields and
self-efficacy can predict domain-specific performance because, when individuals believe they
can accomplish a task, they are more likely to persevere with the task in the face of problems,
less likely to become frustrated, and more likely to exert effort to cope with the difficulties they
In the context of social engineering, Rocha Flores and Ekstedt (2016) defined social
resisting social engineering” (p. 31). Safa et al. (2015) offered a definition of information
security self-efficacy, which is slightly broader than the Rocha Flores and Ekstedt (2016)
definition: “a belief in [one’s own] ability to protect information and system from unauthorized
disclosure, loss, modification, destruction, and lack of availability” (p. 70). In the Rocha Flores
and Ekstedt study, self-efficacy positively related to intention to resist social engineering, and
this relationship was statistically significant, but the effect size was small, with a path coefficient
of only 0.09. This indicates that, although self-efficacy had an effect, it was a much weaker
Interestingly, Siponen et al. (2014) revealed an almost identical result to that reported in
the Rocha Flores and Ekstedt (2016) report. They found that, although self-efficacy was
positively related to intention to comply, and although the relationship was significant at the p <
.01 level, the effect size was only 0.087, almost exactly the same as the effect size that Rocha
Flores and Ekstedt observed. These two findings mutually reinforce one another and suggest that
training. Nevertheless, as Crossler et al. (2013) pointed out, many organizations indeed focus on
By contrast, a study by Safa et al. (2015) revealed that information security–related self-
efficacy influenced security behavior more strongly. Their study consisted of a structural
equation model based on survey responses from 212 information technology professionals (of
which about half worked in information security roles specifically) in Malaysia. The researchers
hypothesized that a high degree of self-efficacy would positively influence behaviors because it
would lead to increased coping efforts, persistence, and self-regulation (i.e., ability to manage
stress and other negative effects) in the face of problems. The coefficient of the resulting path
between self-efficacy and behavior was 0.617 (Safa et al., 2015). One potential explanation of
the difference between this result and results in similar studies is that all of the participants in the
Safa et al. (2015) study were information technology professionals. It is possible that
self-efficacy is a greater determinant of technology-related behavior among employees whose work
Although Ifinedo (2014) did not examine self-efficacy specifically, the researcher tested
relationship between each of these constructs and information security policy compliance.
Together, the results reviewed here suggest that self-efficacy, while important to security
outcomes, may not be as important as other factors. Nevertheless, the conflicting evidence
suggests that more research is warranted to definitively reveal the nature and extent of the
studies yet exist examining the predictive value of self-efficacy on security awareness.
Normative beliefs. According to Rocha Flores and Ekstedt (2016), normative beliefs
refer to "an employee's perceived social pressure about his/her social engineering security
colleagues, and managers" (p. 31). Siponen et al. (2014) noted that peers and superiors could
influence normative beliefs, and they also included normative beliefs as a variable in their study.
Siponen et al. (2014) found that normative beliefs had a statistically significant, positive
effect on the intention to comply with security policies, with a moderate effect size (β = 0.327).
In the Rocha Flores and Ekstedt study, there was also a positive relationship between normative
beliefs and intention to resist social engineering, but the effect size was quite small (β = 0.08),
indicating that employees’ attitude is more important to their security behavior intentions. One
explanation for this discrepancy in findings might be that the two studies used slightly different
outcome variables. Siponen et al. (2014) studied intention to comply with security policies,
organizational superiors, who have put the policies in place and who may monitor employees’
compliance. By contrast, Rocha Flores and Ekstedt examined intention to resist social
engineering, which, while potentially indirectly tied to the security policy (e.g., if security
policies explicitly require social engineering resistance), examines a security-related, rather than
Ifinedo (2014) also included normative beliefs (called subjective norms in that study) in a
study of information security policy compliance. Using partial least squares analysis, they found
that normative beliefs significantly positively related to both the attitude toward compliance and
the intention to comply. Both effect sizes were small, but the effect on attitude approached
moderate (β = 0.25). Attitude toward compliance, which the researchers modeled in the
mediating between multiple individual variables and intent to comply, strongly influenced intent
to comply (β = 0.63; p < .001), suggesting that, if normative beliefs are important to security
One mechanism by which normative beliefs might influence security behavior is the
perception that security policies are mandatory. The mandatory nature of security policies relates
policy memo, Lowry and Moody (2015) found that the more employees perceived the new
policy as mandatory, the stronger was their intent to comply with the policy (β = 0.420). Narain
Singh et al. (2014) confirmed this finding in their review and factor analysis, which found that
organizations. This suggests that employees' perceptions of management expectations can
influence their security behavioral intent. Although the literature search for this review did not
yield any studies examining the effect of normative beliefs on security awareness, previous
findings on normative beliefs' effect on attitude suggest that employees may be more motivated
to seek out and retain security-related knowledge if they perceive an organizational norm in
favor of doing so. This may be especially true in cases where an information security policy
mandates maintaining security awareness, for example through mandated training.
to engage in a certain behavior in the future. In the context of information security and social
engineering, it refers to “an employee’s intention to resist social engineering” (Rocha Flores &
Ekstedt, 2016, p. 32). Behavioral intention is central to several theories of behavior and
motivation, including the theory of planned behavior, which serves as the theoretical framework
engage in security behavior. The term security behavior is a new term in our connected society.
Guo, Yuan, Archer, and Connelly (2011) defined a security behavior as the behaviors engaged in
by employees who voluntarily bypass organizational information systems security policies with
the intention of benefiting the performance of their work. Herath and Rao (2009) suggested that
security behavior could be determined or defined by the attitude, subjective norms, and
behavioral control of users. Aytes and Connolly (2004) defined security behavior as users'
intentions based on their perception about the usefulness of good security behavior and the
negative consequences of not demonstrating these behaviors and that these behaviors can be
A majority of studies that focus on end-user factors related to information security use
behavioral intention as an outcome variable. However, the type of behavior tested varies widely
from study to study. Rocha Flores and Ekstedt (2016) studied intent to resist social engineering,
whereas several other research teams have studied intent to comply with security policies
(Ifinedo, 2014; Lowry & Moody, 2015; Safa et al., 2015; Siponen et al., 2014). As mentioned
previously, this subtle difference in behavioral intention variables could influence the outcomes
of information security research. Some factors, like normative beliefs, could have different
effects on intent to comply with policy versus intent to resist social engineering independent of
policy compliance. Which outcome variable is appropriate could depend on the organizational
context and the overall strategy for information security. For example, an organization whose
Although some have argued that behavioral intention, which survey research can easily
examine, does not necessarily reflect actual behavior, some recent research in information
security suggests that intention and behavior are correlated (Ifinedo, 2014; Rocha Flores, Holm,
Nohlberg, & Ekstedt, 2015; Siponen et al., 2014). Therefore, it is appropriate to include
employees’ behavior.
Organizational Factors
In addition to individual factors like the ones described above, there are also
organization-level factors that affect security behaviors and outcomes. In recent years,
organizational factors have received less attention than individual factors, owing to a growing
interest in the “human factor”, that is, the role of individual behaviors in security outcomes.
However, organizational factors are still important in determining the overall security posture of
organizations, which can interact with individual factors to yield security outcomes (Burns et al.,
transformational leadership. These two factors are variables in the study, and they also form key
elements of the theoretical framework (described in Chapter 1). Therefore, this section aligns
with the theoretical framework and the research questions of the study.
Organizational factors include any factors that are directly under the organization’s
control but that exist either organization-wide or at the level of management (rather than at the
level of end-user employees). For example, information security policies themselves are a type of
organizational factor influencing both security outcomes and employees’ security behavior (Safa
et al., 2015).
In an important early study, Kraemer, Carayon, and Clem (2009) conducted two focus
groups, each consisting of five information security experts, to determine the individual and
organizational factors that influence security outcomes and vulnerabilities. The results uncovered
numerous important factors of both types. Among the organizational factors that Kraemer et al.
(2009) listed were lack of management support for information security management,
decentralized security practices, lack of information security ownership and planning, outdated
policies, undocumented or poorly documented policies, policy overload (i.e., too many policies),
mismatch, inappropriate technology environments, and lack of user training. Chang and Ho
(2006) identified the following additional organizational factors as important to effective
industry type, and organization size. This early research demonstrates that many elements of an
organization’s security management can influence security outcomes, and organizational security
In their study, Rocha Flores and Ekstedt (2016) examined two organizational security
factors: transformational leadership and information security culture. Because this study
followed the Rocha Flores and Ekstedt study and utilized their research instrument, the
element of the theoretical framework for this present study. Bass (1998) introduced the concept
model. Rather, transformational leaders inspire employees to perform by generating buy-in with
higher order values (Choi, 2016). “Transformational leadership appeals to the moral values of
followers in an attempt to raise their consciousness with regard to ethical issues and mobilize
their energy and resources to reform institutions” (Choi, 2016, p. 638). Researchers have
information technology at the organizational level (Lebek et al., 2014). In the context of
information security research, Rocha Flores and Ekstedt (2016) defined transformational
leadership as “a leader’s actions to generate awareness and motivate employees to change their
information security behaviors” (p. 31). Owing to the increased focus on individual factors in
security management research, only a few studies have examined the influence of
in employees’ intention to resist social engineering (Rocha Flores & Ekstedt, 2016) and in the
Lebek et al. (2014) conducted a study with the specific goal of determining how
transactional leadership influences employee security behaviors. They collected data from 208
employees across different industries in the United States, and they used structural equation
modeling to analyze the survey responses. Findings revealed that transformational leadership had
found an indirect relationship via organizational climate (Lebek et al., 2014). This indicates that
one way in which transformational leaders lead to improved security outcomes is by influencing
Findings from Rocha Flores and Ekstedt’s (2016) study strongly confirm the Lebek et al.
(2014) findings related to transformational leadership. Rocha Flores and Ekstedt found a
awareness (β = 0.52). This finding is particularly important for the present study because it
shows that transformational leaders can influence employees’ awareness of security concepts and
policies. Additionally, according to their results, Rocha Flores and Ekstedt concluded that a
positive relationship between transformational leadership and attitude toward resisting social
engineering was, in their sample, mediated by information security culture. Again, this suggests
that leaders have a strong influence on culture, which is the mechanism through which they
influence employees’ behavior. The next subsection contains a review of literature related to
security culture.
information security effectiveness, Choi (2016) surveyed 180 information security managers in
South Korea to test four aspects of transformational leadership with respect to their influence on
the perceived relevance of information security policy and the enforcement of information
security policy. The aspects were the idealized influence, intellectual stimulation, individualized
consideration, and inspirational motivation. Choi’s results indicated that three of the four factors
significantly positively influenced the outcome variables; intellectual stimulation did not have a
Effect sizes were moderate but strongly significant (Choi, 2016). This indicates that
transformational leaders can enhance information security outcomes when they act in symbolic
organizational information security. They found that, in articles published since 2004,
management’s role in information security was the second most widely distributed concept, after
effective policies, awareness, and training. Lack of top management support for information
security initiatives is an often-cited problem in extant research (Narain Singh et al., 2014;
Soomro et al., 2016). However, the importance of management is often framed in terms of
funding and resource allocation for information security investment, or in terms of ensuring
leadership on employees’ behaviors is much more rarely discussed. Therefore, the present study
fills a gap in existing literature by contributing further data related to transformational leadership
and its influence on employees’ security awareness.
theoretical framework for this present study. According to Rocha Flores and Ekstedt (2016),
information security culture is “an employee’s individual perception of shared beliefs and values
among colleagues in the work environment” (p. 32). Harris (2010) stated that security culture
could be outlined as a set of beliefs, principles, or norms that are shared by people within an
the activities of the organization and its employees by placing constraints upon the activities and
behavior of employees and by prescribing what the organization and its employees must, can, or
cannot do” (AlHogail & Mirza, 2014, p. 2). Although scholars have defined information security
culture in a variety of ways, there is a general consensus that when information security culture
is present, engaging in information security-related activities is a natural part of daily life within
Culture plays a crucial role in information security (Kraemer et al., 2009), and there
exists a large body of literature describing security culture and related factors (for a review, see
Narain Singh et al., 2014). Research has found that one of the key factors in ineffective
information security management is a lack of alignment between information security needs and
the overall business strategy (Soomro et al., 2016). Robbins and Judge (2008) identified that
security culture could be utilized as a control mechanism to shape the attitudes and behaviors of
users. North, Perryman, Burns, and North (2010) identified security culture as the theory about
perceptions and posture, which the organization supports in a manner that integrates security
behaviors in users. Lacey (2009) posited that security culture carries weight in the development of
security awareness of a user. Implementing information security culture using appropriate and
effective change management principles can lead to organization-wide security gains (AlHogail
& Mirza, 2014). Through information security culture, organizations can ensure that employees
at all levels and in all functions across an organization value security and understand the
One important study on security culture, by Goo, Yim, and Kim (2014), showed that,
among a sample of 581 end-user employees in South Korea, information security climate had a
addition, the researchers described the effect of security culture on employees’ normative
commitment. This suggests that security culture can influence normative beliefs about the
Parsons et al. (2015) focused on organizational security culture, seeking to understand its
employees in Australia, and their results showed that information security culture positively and
concluded that developing information security culture is worthwhile for organizations hoping to
improve security outcomes and minimize risk from social engineering and other threats.
In their study, Rocha Flores and Ekstedt (2016) observed findings supporting those of
Huang et al. (2014). They found that information security culture positively associated with
information security awareness, attitude, and normative beliefs. Additionally, their results
relationship between security culture and behavioral intention to resist social engineering. These
results suggest that security culture’s influence on employees’ security behaviors is important but
indirect.
To explain the influence of information security culture on human behavior, AlHogail
(2015) developed a framework of security culture. The author described four areas in which
information security culture influences behavior: (a) preparedness, which includes training and
information security practices; (c) management, which is largely related to policy and direction,
but which could also include transformational leadership, as described in the previous
subsection; and (d) society and regulations, which relates to how factors external to the
organization interact with the organization’s culture (AlHogail, 2015). With respect to the
present study, this framework is relevant because it posits a relationship between information
security culture and employee security awareness, which is one of the hypotheses tested in this
study.
internal, external, and inherent security factors. Researchers have identified various factors that
affect end-users’ levels of security awareness (Decker, 2008; Holbert, 2013; Rocha Flores &
Ekstedt, 2016), but these studies have focused only on general populations. Studies also provided
validation for looking into the factors that influence end-users’ information security awareness
level (Holbert, 2013). Decker developed a framework that integrated various theoretical
constructs to capture the inherent, internal, and external factors that affect the levels of security
indicates that inherent factors, internal factors, and external factors extend in their effect to end-
user levels of security awareness. In this study, the focus was on organizational, information
Security Awareness Training
al., 2014). According to Lee and Lee (2002), security awareness programs can minimize user
program. In order for a security awareness program to be successful, it has to focus on the human
component. Lee and Lee (2002) noted that, if a security awareness program is unsuccessful, it is
Organizations have valuable data that they need to protect from intruders who wish to
access it. Organizations often invest heavily in data security technologies to protect against
unauthorized access, but often this does not protect the information, owing to user errors (Kim,
2010). Most organizations consider end users to be the weakest link within their security
programs (Okenyi & Owens, 2007). User security violations are most often attributed to poor
security awareness training. Although it is useful to train users to have a robust security
awareness, most organizations fail to invest in such training or fail to conduct training on a
consistent basis.
specifically focused on social engineering awareness, in schools. Mohammed and Apeh (2016)
argued that such training is important, not only for students but also for teachers, who can be the
victims of social engineering attacks in the workplace. The researchers implemented a pilot
program to assess their model for improving social engineering awareness in schools and found
that their educational program led to behavior change among the teachers, who had to learn the
material in order to teach it (Mohammed & Apeh, 2016). This study provides another important
data point in favor of security awareness training.
component of the theoretical framework for this study. The theory of planned behavior describes
how individuals’ attitudes, subjective norms (or normative beliefs), and perceptions of
behavioral control (or self-efficacy) influence their motivation and intention to act in particular
ways. This section traces the development of the theory over time and reviews the current state
of the theory.
Ajzen developed the theory of planned behavior (TPB) in 1991, but its precursor, the theory of
reasoned action (TRA), was developed by Fishbein in 1967. The TRA emerged as a response to a
growing body of empirical literature showing that people’s attitudes correlate poorly with their
behaviors (Wicker, 1969; Montaño & Kasprzyk, 2015). For example, an individual’s attitude
toward breast cancer does not predict her tendency to get regular mammograms. The major
advance of the TRA was to reframe behavioral prediction in terms of individuals’ intentions, or
attitudes toward the behaviors themselves. Early research showed that intention was a much
better predictor of behavior than attitudes as they had been previously studied (Ajzen &
The development of TRA involved defining the variables that contribute to the intention
by individuals' attitudes toward performing a behavior and their subjective norms associated with
that behavior. However, the TRA did not account for the degree to which individuals feel they
have control over performing a certain behavior. Even if an individual has a positive attitude
toward behavior and values the behavior as a subjective norm, the individual may not have the
intention to perform that behavior if he or she feels unable to do so. To overcome this limitation,
Ajzen's (2011) theory of planned behavior added perceived control (consisting of control beliefs
and perceived power), extending the TRA. The inclusion of perceived control is important in
contexts like a business where individuals may feel that regulations or organizational controls
Recently, Montaño and Kasprzyk (2015) proposed a further extension of the TPB, which
they termed the Integrated Behavior Model (IBM). The IBM incorporates the variables from the
TPB and adds a few other factors, notably self-efficacy (an individual's belief that he or she is
able to perform a behavior successfully) and knowledge necessary to perform the behavior.
Another recent development is the reasoned action approach (RAA), which is based on the TPB.
The RAA’s major contribution is to subdivide the three TPB variables into two distinct
were not sufficiently elaborated in the TPB. This development has been interesting to researchers
because it retains the fundamental structure of the TPB while overcoming some of the TPB’s
alleged oversimplifications (McEachan et al., 2016). However, the IBM, the RAA, and other
novel theories lack the years of empirical support that the TPB enjoys (Armitage & Conner,
2001). Furthermore, the TPB’s parsimony is a major strength that competing theories have not
Despite its popularity, the TPB is not without its limitations. Notably, research evidence
on the variable of subjective norms has been equivocal; Armitage and Conner (2001) suggested
that measurements of subjective norms have lacked rigor, and the research understanding of
subjective norms has been too narrow. Similarly, the TRA variables together account for less
variation in individuals' behaviors than perceived control alone (Armitage & Conner, 2001).
Sniehotta, Presseau, and Araújo-Soares (2014) conducted a thorough review of evidence
contradicting the validity and utility of the TPB, to which Ajzen (2015) wrote a rebuttal
defending the complexity and explanatory power of the theory. These questions about the TPB
Nevertheless, recent research in business settings (e.g., Kautonen, van Gelderen, & Fink,
2015) has continued to demonstrate the robust efficacy of the TPB in predicting intention and
subsequent behavior. Furthermore, interventions that follow the TPB framework by focusing on
changing participants’ intentions also tend to lead to changes in behavior (Webb & Sheeran,
2006). Moreover, several researchers have used the TPB to investigate information security at
the organization level (Ifinedo, 2014; Lebek et al., 2014; Safa et al., 2015), and these studies
have largely confirmed its constructs. In a literature review of 113 studies on information
security awareness and behavior, the TPB/TRA was the most commonly used theoretical
framework (Lebek et al., 2013). Therefore, the TPB is appropriate for the present study and is
Research Method
The present study uses a quantitative multiple regression method, which is described in
detail in Chapter 3. This section contains a discussion of the strengths and limitations of this
method in the context of the research topic. Among existing studies investigating factors related
to information security awareness and behavior, quantitative methods are by far the most widely
used (Lebek et al., 2013). One reason for this focus on quantitative methods is because
quantitative research is appropriate for establishing statistical relationships between and among
predefined variables (Creswell & Creswell, 2018). In the quest to discover which factors predict
information security behaviors, quantitative research has enabled scholars to test correlations and
their predictive value. Additionally, quantitative methods have enabled researchers and business
stakeholders to measure information security awareness (Kruger & Kearney, 2006), giving them
a way to tangibly understand both the state of security awareness within organizations and the
Lebek et al. (2013) conducted a literature review on the research approaches used to
understand employee information security awareness and behavior. In a total of 113 published
studies, Lebek et al. identified 54 different theories used to research the topic, of which the
TPB/TRA was the most common, used in 27 studies. The next most commonly used theories
were general deterrence theory (17 studies) and protection motivation theory (10 studies). This
indicates that existing research has found the TPB to be a useful framework for studying security
awareness and behavior and that the greatest compatibility and comparability with existing
Lebek et al. (2013) also investigated the methods employed in existing studies on the
research topic. They found that, among existing publications that reported empirical research (as
opposed to theoretical pieces and case studies, for example), 90% used quantitative methods. The
results of these studies underscored the relevance of the TPB, particularly the perceived control
construct; in 92% of cases where researchers evaluated the relationship between intention to
comply with information security policies or recommendations, on the one hand, and perceived
behavioral control, on the other, the relationships were significant at the 95% level (Lebek et al.,
2013). However, the authors did not report on the use of particular quantitative designs.
The findings of the Lebek et al. (2013) review support the use of quantitative research in
the present study. However, the authors also pointed out some limitations of this common
research approach, which bear discussion. First, the variables of the TPB lend themselves to
quantitative research because they are most easily measurable using self-report questionnaires.
However, there are well known methodological issues with self-report research including the
potential for common method variance and social desirability bias (Lebek et al., 2013),
potentially leading to unreliable data. Furthermore, some research indicates that self-reported
behavioral intention may not adequately predict employees’ actual behavior (Workman,
Bommer, & Straub, 2008). However, as Lebek et al. acknowledged, it can be difficult to conduct
observational studies of employees’ security behaviors owing to the sensitive nature of the data,
which organizations may be unwilling to reveal. Therefore, on the whole, quantitative self-report
survey research continues to be a good approach to studying awareness and behavioral intention
related to organizational security. Additionally, owing to the large number of studies that have
used this approach, the present study bears comparison with the existing body of research
Summary
There exists a large body of research on the factors that influence information security
outcomes in organizations. In recent years, researchers have given more attention to the “human”
factors like leadership and culture. Individual factors are important because scholars generally
agree that individual end users are the weakest link in organizational information security.
However, individual factors alone do not explain information security outcomes, because
organization-level factors interact with individuals to influence awareness and attitudes, which,
in turn, influence individuals’ behaviors and behavioral intentions. For this reason, it is important
to study both organizational and individual factors when examining information security
outcomes. The study asks whether organizational factors, on the one hand, and individual
factors, on the other hand, influence end users’ information security awareness in organizational
settings. The literature reviewed in this chapter reveals that, without security awareness,
organizations understand how to promote awareness in end users. The remaining chapters are
organized as follows: Chapter 3 describes the research design and methodology, along with a
discussion of the research instrument, data collection and analysis methods, reliability and
validity of the selected instruments, and ethical considerations. Chapter 4 presents data relating
CHAPTER 3. METHODOLOGY
Introduction
This chapter includes a description of this study's research and data collection process,
including a discussion of the research and methodology design, the population and sampling plan, the
data collection plan, and data analysis plan. The basis of the research was to gain completed
the United States. Survey distribution and data collection involved using SurveyMonkey
Audience for access to a panel of healthcare IT professionals. Participation in the survey was
voluntary, and questions at the beginning of the survey ensured no employees who were not
This quantitative multiple regression study was an expansion of earlier work by Rocha
Flores and Ekstedt (2016). Rocha Flores and Ekstedt studied resistance to social engineering
in various industries in Sweden, but their study did not focus specifically on the healthcare
industry. Social engineering, notably phishing (including phishing that delivers ransomware), has been
successful in evading the technical controls of cybersecurity programs; this has made it critical that
healthcare employees can detect and resist these attacks. In addition to expanding Rocha Flores
and Ekstedt’s study regarding the industry, this study broadens the geographic reach as well by
The annual cost of cybercrime continues to climb, reaching $400 billion in 2015 and is
expected to reach $2.1 trillion by 2019 (Morgan, 2016). Defending against social engineering
attacks with corporate policies, standards, and a sound social engineering awareness program are
Design and Methodology
The design of this study was to evaluate an existing theory, the theory of planned
behavior, as it relates to specific research questions using empirical analysis methods. Out of the
2018). With this worldview, applying the quantitative method is most appropriate. Within a
between variables by reducing them into a framework in which it can be tested. In this method,
the theory is simplified into a research question that a researcher can predict based on a given
historical means. With quantitative research, researchers can use existing instruments for their
study (Cooper & Schindler, 2014). The researcher determined that the quantitative method would
be the best fit for this study. Quantitative research seeks to answer a question based on (a)
problem identification, (b) question formulation, and (c) hypothesis formulation (Cooper &
Schindler, 2014). The questions posed seek to determine a relationship between predictor
variables (organizational, security awareness, and individual factors) and one criterion variable
(level of social engineering awareness of healthcare end-users) and to answer the research
question posed earlier in the study. Therefore, a quantitative method is appropriate because it
allows a researcher to define the research question and its related hypotheses clearly. Subjectivity
Regression design assesses the relationships between two or more variables (Creswell &
Creswell, 2018). The advantage of using a regression design is that the researcher can test
relationships between and among variables. Additionally, the researcher can make predictions
based on the results. The disadvantage of using this design is that the researcher cannot draw
causal inferences about the relationships (Cooper & Schindler, 2014). The regression design is
appropriate based on the research questions of this study. The researcher is interested in
determining the extent to which the predictor variables (organizational security factors,
information security awareness factors, and individual security factors) predict the
criterion variable (level of social engineering awareness). A theoretical model of how
these factors may predict the level of social engineering awareness is shown in Figure 1. Findings in the
academic literature have associated the variables in this study with security awareness and
security issues in general (Decker, 2008; Holbert, 2013; Rocha Flores & Ekstedt, 2016). The
benefit of using the regression design is that it is capable of demonstrating whether the predictor
variables predict or influence the criterion variable (Creswell & Creswell, 2018).
Quantitative research begins with a set of hypotheses that are either strengthened or
weakened through evaluation. Researchers collect data by using surveys to refine or change
claims made based on existing theory. As evidence collected in research is never absolute and
perfect, quantitative research does not provide a final position for the presented hypotheses but
rather indicates whether the research results fail to reject them. Instead of providing a precise
In reviewing past research on the subject of human behavior within the context of
information security awareness and social engineering, most research involves using a
quantitative, non-experimental method. This research used Rocha Flores and Ekstedt’s (2016)
research instrument but did not follow their data analysis method, which was structural equation
modeling. The results of the present study therefore extend Rocha Flores and Ekstedt's
findings and examine the identified relationships in a different context and with a different research
design. In doing so, practitioners can assess whether healthcare IT professionals respond
differently to awareness programs and thus whether programs should be
customized for different audiences. For researchers, a direct focus on the healthcare IT professional
population provides insight into sample selection for future research.
The population of this study was healthcare end-users from the healthcare industry
located within the continental United States. The sample frame for the study consisted of
members of SurveyMonkey Audience who are professionals in the healthcare industry between
the ages of 21 and 65. Members of SurveyMonkey Audience who were not in the healthcare industry
were excluded. The participants were a random sample from the sample frame.
The sample size was determined with an a priori power analysis in G*Power 3.1 for
multiple linear regression (fixed model, R² deviation from zero). With input parameters effect
size f² = .15, α error probability = .05, power = .95, and number of predictors = 2, the minimum
sample size is 107; for a survey study, a sample size above the minimum is always the goal. The
final sample size was 118. The tolerance for this study was a margin of error of +/- 5% at a 95%
confidence level. Previous research studies have used a 95% confidence level, which supports
this choice (Creswell & Creswell, 2018). The standard error (SE) for the
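The a priori calculation described above can be reproduced without G*Power. The block below is an added example, not code from the study or from G*Power: it implements the F test for R² deviation from zero (noncentrality λ = f²·N, numerator df = number of predictors p, denominator df = N − p − 1) with only the Python standard library and searches for the smallest N whose power reaches the target. The function names and the numerical routines (a continued fraction for the regularized incomplete beta, and the Poisson-mixture form of the noncentral F distribution) are this example's own; the parameter values are the ones stated in the text.

```python
"""A priori sample size for the F test of R^2 deviation from zero in a
fixed-model multiple linear regression, the G*Power 3.1 procedure the text
describes. Added example, not the study's own code; standard library only.
"""
from math import exp, lgamma, log


def _betacf(a, b, x, max_iter=500, eps=1e-15):
    """Continued fraction for the regularized incomplete beta (modified Lentz)."""
    guard = lambda v: v if abs(v) >= 1e-300 else 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c, d = 1.0, 1.0 / guard(1.0 - qab * x / qap)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        for aa in (m * (b - m) * x / ((qam + m2) * (a + m2)),
                   -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))):
            d = 1.0 / guard(1.0 + aa * d)
            c = guard(1.0 + aa / c)
            h *= d * c
        if abs(d * c - 1.0) < eps:
            break
    return h


def reg_inc_beta(a, b, x):
    """I_x(a, b): CDF of the Beta(a, b) distribution at x."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    front = exp(lgamma(a + b) - lgamma(a) - lgamma(b) + a * log(x) + b * log(1.0 - x))
    if x < (a + 1.0) / (a + b + 2.0):
        return front * _betacf(a, b, x) / a
    return 1.0 - front * _betacf(b, a, 1.0 - x) / b


def f_cdf(x, df1, df2):
    """CDF of the central F(df1, df2) distribution."""
    if x <= 0.0:
        return 0.0
    return reg_inc_beta(df1 / 2.0, df2 / 2.0, df1 * x / (df1 * x + df2))


def noncentral_f_cdf(x, df1, df2, lam):
    """CDF of noncentral F(df1, df2, lam): Poisson(lam/2) mixture of beta CDFs."""
    if x <= 0.0:
        return 0.0
    if lam == 0.0:
        return f_cdf(x, df1, df2)
    y, mu = df1 * x / (df1 * x + df2), lam / 2.0
    total, weight_sum, j = 0.0, 0.0, 0
    while weight_sum < 1.0 - 1e-13 and j < 5000:
        w = exp(-mu + j * log(mu) - lgamma(j + 1.0))   # Poisson weight
        total += w * reg_inc_beta(df1 / 2.0 + j, df2 / 2.0, y)
        weight_sum += w
        j += 1
    return total


def f_critical(alpha, df1, df2, tol=1e-10):
    """Upper-alpha quantile of F(df1, df2), by bisection on the CDF."""
    lo, hi = 0.0, 8.0
    while f_cdf(hi, df1, df2) < 1.0 - alpha:
        hi *= 2.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if f_cdf(mid, df1, df2) < 1.0 - alpha:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def power_r2_test(f2, alpha, n, predictors):
    """Power of the test that R^2 = 0, with noncentrality lambda = f^2 * n."""
    df1, df2 = predictors, n - predictors - 1
    if df2 < 1:
        return 0.0
    crit = f_critical(alpha, df1, df2)
    return 1.0 - noncentral_f_cdf(crit, df1, df2, f2 * n)


def required_n(f2, alpha, power, predictors):
    """Smallest total sample size whose power reaches the target."""
    n = predictors + 2
    while power_r2_test(f2, alpha, n, predictors) < power:
        n += 1
    return n


if __name__ == "__main__":
    # Parameters stated in the text; the study reports N = 107 from G*Power.
    for p in (2, 3):
        n = required_n(0.15, 0.05, 0.95, p)
        print(f"{p} predictors: N = {n}, power = {power_r2_test(0.15, 0.05, n, p):.4f}")
```

Running it with predictors = 2 should reproduce the 107 reported above. Running it with predictors = 3 gives the sample size the three predictor blocks named in the research questions would require if all three were entered as separate predictors; it is a check worth making whenever the number of predictors in the power analysis and in the regression model differ.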
This study considered previous research about the return rate of online survey
respondents, which tends to be equal to or lower than traditional survey formats (Evans &
Mathur, 2005). The geographical location of this study was the continental United States, but the
actual location within the United States varied, as participants resided across the country, based
between the ages of 21 and 65. A healthcare end-user is a healthcare employee involved in using
a healthcare information technology system which gives the healthcare employee access to PHI.
These end-users are the prime targets for cyberattackers since they have direct access to PHI
through their daily job functions. This study did not include any participants that were not
healthcare end-users. Participants were contacted via a recruitment e-mail asking them to
participate in the study from SurveyMonkey Audience. The period of recruitment and
participation of participants remained open until the minimum number of responses were
collected. The recruitment e-mail contained a brief overview of the purpose of the study and an
invitation link. From there, the participants were guided to a secure survey website to accept the
consent form and complete the survey. The consent form contained information relating to the
intent and purpose of the study, information ensuring the participant that his or her identity and
confidentiality would not be compromised throughout this process, and a statement that the
participant was under no pressure to complete the survey. Because the information gained from
participants was coded and contained no identifying information, the researcher could not
remove an individual response if a participant later asked for it to be withdrawn.
The participant had opportunities at the beginning of the survey,
throughout the survey and at the end of the survey to decide not to participate in the survey by
Setting
The research of this study took place through online surveys distributed to healthcare
influence the outcome of this study. An advantage of the online format is that participants could
take the survey in an environment comfortable to them. Another
advantage of this setting is the low cost of data collection. Finally, with no interviewer present,
participants may share information more freely. There are disadvantages to
online surveys, such as limited participant availability, but the use of SurveyMonkey
Audience should mitigate that risk. SurveyMonkey Audience uses survey panels of its own,
built up over time (SurveyMonkey Audience, 2018). SurveyMonkey Audience also recruits
individuals through social media to join its panels (SurveyMonkey Audience, 2018).
The surveys are sent out by e-mail with only a description of the survey length included in the e-
Data Collection
As the various methods of issuing surveys have their advantages and disadvantages, often
the deciding factor comes down to the cost, collection time, and the response rate of the survey
(Deutskens, de Ruyter, & Wetzels, 2006). Web-based data collection is used frequently because
of its “low costs, flexible format, and fast response” (Granello & Wheaton, 2004, p. 387).
Data were collected through a composite online survey instrument. A Likert-type scale
was used to capture each respondent's level of agreement with each statement, ranging from 0
(strongly disagree) to 10 (strongly agree). Only the respondent ID and the level of agreement for
each survey question were captured and stored. The survey was administered electronically using
the survey tool called SurveyMonkey. SurveyMonkey is an online survey company that
provides customizable surveys (SurveyMonkey Audience, 2018). SurveyMonkey can ensure that each
response collected is (a) anonymous and (b) coded. To keep responses anonymous, SurveyMonkey
offers an option called Anonymous Responses; turning this option on ensures that each participant
response is not trackable and that identifiable information is not stored (SurveyMonkey Audience,
2018). This option was used to ensure anonymity for the participant within the survey, web links,
and e-mail invitations. To code responses, each response collected with SurveyMonkey carries a
respondent ID that is unique to the response, not to the respondent (SurveyMonkey Audience, 2018),
so that a response cannot be traced back to a respondent. The researcher can therefore see only
the respondent ID in the exported data. The collected data were exported from
SurveyMonkey in excel spreadsheet format, from which the information was uploaded into IBM
IBM SPSS Statistics is one of the software packages that was used for descriptive and
statistical analysis of the data that was being gathered. IBM SPSS Statistics is widely used in
social science research and can be used to analyze the distribution of variables of this study
(George & Mallery, 2017). It can also be used for multivariate analysis methods, such as
Only the researcher had access to the SurveyMonkey Audience survey tool. The e-mail to
the participants included an introduction, description of the study, its purpose, a URL link to the
web survey, and notification that it would remain confidential and anonymous. The period of
recruitment and participation remained open until the minimum number of responses had been
collected. At the survey website, participants were notified again that they would remain
anonymous and that their responses would remain confidential, and by accepting the consent
form and completing the survey they provided their informed consent.
IRB Process
Before collecting data, the researcher received the required approval for data collection
from the Capella University Institutional Review Board (IRB). The required ethical training
modules on Human Subjects Research through the Collaborative Institutional Training Initiative
(CITI) were completed and the required IRB items submitted, including: (a) IRB application,
(b) consent form, (c) CITI Ethical Certificate, (d) permission to use existing survey instrument,
Informed Consent
SurveyMonkey Audience was used to solicit prospective participants for this study.
An e-mail invitation contained a letter of consent that outlined the purpose of the research and
allowed potential participants the opportunity to decline the invitation. Participants indicated
their willingness to partake in the study by clicking a link that took them to the survey. By
clicking the link, participants agreed to accept all risks associated with the survey.
Participation was voluntary and confidential. Volunteer participants were notified about
the confidential and anonymous nature of the study and were asked to acknowledge that they
have read and understood these conditions and agreed to them before completing the survey. If
prospective participants were not interested in the survey, they could disregard the e-mail
Confidentiality
their responses. The responses were anonymous in that there was not a way to connect
identifying information with survey responses through the methods mentioned in the data
collection section. The respondents were not asked to give any names or code numbers. The
researcher stored all research information, records, and electronic and paper data in a private,
secure storage area that only the researcher had access to. After seven years, the researcher will
destroy the data using third-party Department of Defense approved deletion software.
Instrumentation
composite scales consisting of quantitative scaled questions and a demographic section. The
demographic section captured the age and gender of the participant. The instrument included
four scales. These scales are: (a) organizational structure scale, (b) information security
awareness scale, (c) intrinsic beliefs scale, and (d) the intention to resist scale (Rocha Flores &
Ekstedt, 2016).
The first scale is a list of 12 questions that comprised the analysis of organizational
transformational leadership (TL) and (b) information security culture (ISC). Each item uses
Likert-type scales of 0 (strongly disagree) to 10 (strongly agree) (Rocha Flores & Ekstedt, 2016).
Item scores were summed for an overall index. No anchors were given for other scale points.
The second scale consisted of six questions that comprised the analysis of information
security awareness, which is a one-dimensional construct with composite indicators (items): (a)
general information security awareness (GISA) and (b) information security policy awareness
(ISPA) (Rocha Flores & Ekstedt, 2016). Each item uses Likert-type scales of 0 (strongly
disagree) to 10 (strongly agree) (Rocha Flores & Ekstedt, 2016). Item scores were summed for
an overall index. No anchors were given for other scale points. The scores ranged from 0 to 60.
The third scale consisted of 17 items that comprised the analysis of intrinsic beliefs,
which measures a one-dimensional construct with composite indicators (items): (a) self-efficacy
(SE), (b) attitude (A), and (c) normative beliefs (NB) (Rocha Flores & Ekstedt, 2016). Each item
uses Likert-type scales of 0 (strongly disagree) to 10 (strongly agree) (Rocha Flores & Ekstedt,
2016). No anchors were given for other scale points. Item scores were summed for an overall
The fourth scale consisted of 5 items that comprised the analysis of intention to resist,
which measures a one-dimensional construct with composite indicators (items): level of social
engineering awareness (LSEA) (Rocha Flores & Ekstedt, 2016). Each item uses Likert-type
scales of 0 (strongly disagree) to 10 (strongly agree) (Rocha Flores & Ekstedt, 2016). No anchors
were given for other scale points. Item scores were summed for an overall index. The scores
The scales identified for this study were adopted from Rocha Flores and Ekstedt (2016).
These scales tie in with the theoretical framework described in Figure 1 and with the research
questions of the study, as the researcher's goal is to determine whether organizational security factors,
information security awareness factors, and individual security factors predict the level of
social engineering awareness. The scales used multiple-item measures, which increase accuracy and
consistency when measuring the variables. Measuring the variables with Likert-type scales
facilitates standardizing and quantifying the relative effects (Wikman, 2006). There is an
ongoing debate as to the ordinal versus interval nature of the Likert-type scales, but several
studies explained that when using multiple Likert-type questions, interval assumptions are
appropriate (Awang, Afthanorhan, & Mamat, 2016; Carifio & Perla, 2008). Also, when the
responses to the scales are summed, the sum is treated as a continuous variable. No
modification of the existing scales was made for this study.
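As an added example (not the study's own code, and not Rocha Flores and Ekstedt's instrument), the block below scores the four composite scales as described in this section (0-10 items summed into an index, with the item counts given above) and fits the three-predictor regression described under Design and Methodology by ordinary least squares, reporting coefficients, R², adjusted R² and the model F statistic. The item responses are constructed with a deterministic generator and the criterion is built from an assumed linear relation (intercept 2 and coefficients 0.05, 0.25 and 0.10, chosen here and not taken from the study) with integer rounding as the only noise, so the fit can be checked against known values.

```python
"""Scoring the composite scales and fitting the multiple regression of the
criterion on the three predictor indices. Added example, not the study's
code; the item responses and the relation behind the criterion are
constructed here so that the fit can be checked.
"""

# Scale lengths as described in the text (items scored 0-10 and summed).
SCALES = {"ORG": 12, "ISA": 6, "IND": 17, "LSEA": 5}


def composite(items, scale):
    """Sum 0-10 Likert-type item scores into the scale's overall index."""
    expected = SCALES[scale]
    if len(items) != expected:
        raise ValueError(f"{scale} expects {expected} items, got {len(items)}")
    if any(not 0 <= v <= 10 for v in items):
        raise ValueError("item scores must lie on the 0-10 scale")
    return sum(items)


def _lcg(seed):
    """Deterministic generator for the constructed sample (not a CSPRNG)."""
    state = seed
    while True:
        state = (1103515245 * state + 12345) % 2**31
        yield state


def solve(a, b):
    """Gaussian elimination with partial pivoting for a small square system."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def fit_ols(predictors, y):
    """OLS of y on the predictor columns plus an intercept.
    Returns (coefficients [b0, b1, ...], R^2, adjusted R^2, model F statistic)."""
    n = len(y)
    x = [[1.0] + list(row) for row in predictors]
    k = len(x[0])
    xtx = [[sum(x[i][p] * x[i][q] for i in range(n)) for q in range(k)] for p in range(k)]
    xty = [sum(x[i][p] * y[i] for i in range(n)) for p in range(k)]
    beta = solve(xtx, xty)                      # normal equations (X'X) b = X'y
    fitted = [sum(b * v for b, v in zip(beta, row)) for row in x]
    y_mean = sum(y) / n
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    ss_tot = sum((yi - y_mean) ** 2 for yi in y)
    r2 = 1.0 - ss_res / ss_tot
    p = k - 1
    adj_r2 = 1.0 - (1.0 - r2) * (n - 1) / (n - p - 1)
    f_stat = (r2 / p) / ((1.0 - r2) / (n - p - 1)) if r2 < 1.0 else float("inf")
    return beta, r2, adj_r2, f_stat


def constructed_sample(n_respondents=40, seed=2019):
    """Item-level responses and composite indices for a constructed sample.
    The criterion follows an assumed relation (coefficients chosen here, not
    taken from the study): LSEA = 2 + 0.05*ORG + 0.25*ISA + 0.10*IND, rounded."""
    gen = _lcg(seed)
    rows, y = [], []
    for _ in range(n_respondents):
        items = {s: [next(gen) % 11 for _ in range(k)]
                 for s, k in SCALES.items() if s != "LSEA"}
        org, isa, ind = (composite(items[s], s) for s in ("ORG", "ISA", "IND"))
        rows.append((org, isa, ind))
        y.append(round(2 + 0.05 * org + 0.25 * isa + 0.10 * ind))
    return rows, y


if __name__ == "__main__":
    rows, y = constructed_sample()
    beta, r2, adj_r2, f_stat = fit_ols(rows, y)
    for name, b in zip(("intercept", "ORG", "ISA", "IND"), beta):
        print(f"{name:>9}: {b:8.4f}")
    print(f"R^2 = {r2:.4f}, adj R^2 = {adj_r2:.4f}, F = {f_stat:.2f}")
```

Because the only noise in the constructed criterion is rounding, the recovered coefficients sit close to the assumed 0.05, 0.25 and 0.10 and R² is near 1; on real survey data the same code reports the fit, and whether R² differs from zero is then judged against the F distribution with p and N − p − 1 degrees of freedom, which is the test the power analysis above was sized for.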
Previous reliability and validity values for these scales indicate adequate measurement
properties. For the organizational structure variable, the reliability and validity measures were CR
= 0.957 and AVE = 0.816 for transformational leadership and CR = 0.911 and AVE = 0.594 for
information security culture (Rocha Flores & Ekstedt, 2016). For the information security
awareness variable, the reliability and validity measures were CR = 0.922 and AVE = 0.855 for
general information security awareness (Rocha Flores & Ekstedt, 2016). For information security
policy awareness, the reliability and validity measures were CR = 0.918 and AVE = 0.736 and
the standardized coefficients were between 0.64 and 0.64 (Rocha Flores & Ekstedt, 2016). For
the intrinsic beliefs variable, the reliability and validity measures were CR = 0.942 and AVE =
0.903 for self-efficacy (SE) (Rocha Flores & Ekstedt, 2016). For attitude (A), the reliability and
validity measures were CR = 0.947 and AVE = 0.817 (Rocha Flores & Ekstedt, 2016). For
normative beliefs, the reliability and validity measures were CR = 0.965 and AVE = 0.873
Hypotheses
The research questions of this study are: (a) To what extent, if at all, do organizational
security factors (i.e., transformational leadership and information security culture) predict the
level of social engineering awareness among healthcare end-users? (b) To what extent, if at all,
do information security awareness factors (i.e., general information security awareness and
information security policy awareness) predict the level of social engineering awareness among
healthcare end-users? (c) To what extent, if at all, do individual security factors (i.e., end-
users’ self-efficacy, attitude, and normative beliefs) predict the level of social engineering
awareness among healthcare end-users?
The model shown below in Figure 1 was constructed because the research questions
asked about the ability of organizational security factors, information security awareness factors,
and individual security factors to predict the level of social engineering awareness. The model
represents the level of social engineering awareness as an effect of organizational security
factors, information security awareness factors, and individual security factors.
Figure 1. Research model showing the level of social engineering awareness as an effect of
organizational security factors, information security awareness factors, and individual security
factors.
H1o: The organizational security factors (i.e., transformational leadership and information
security culture) do not significantly predict the level of social engineering awareness of
healthcare end-users.
H1a: The organizational security factors (i.e., transformational leadership and information
security culture) significantly predict the level of social engineering awareness of healthcare end-
users.
H2o: The information security awareness factors (i.e., general information security
awareness and information security policy awareness) do not significantly predict the level of
social engineering awareness of healthcare end-users.
H2a: The information security awareness factors (i.e., general information security
awareness and information security policy awareness) significantly predict the level of social
engineering awareness of healthcare end-users.
H3o: The individual security factors (i.e., end-users’ self-efficacy, attitude, and
normative beliefs) do not significantly predict the level of social engineering awareness of
healthcare end-users.
H3a: The individual security factors (i.e., end-users’ self-efficacy, attitude, and
normative beliefs) significantly predict the level of social engineering awareness of healthcare
end-users.
Data Analysis
The data analysis techniques of descriptive statistics and multiple regression analysis were
used in this study. Descriptive statistics were used to analyze the distribution of the variables of the
study using IBM SPSS Statistics. Multiple regression was used to learn about the relationship
between the predictor variables and the criterion variable using IBM SPSS Statistics. Multiple
regression allowed the researcher to ask which predictor variables are the best indicators of the
criterion variable.
homoscedasticity, normality, and linearity. The IBM SPSS computer program, used for the
multiple regression analyses discussed below, provided the statistical analysis of these
assumptions. If these assumptions were not met, transformations of the raw data were used, where
• The observations are independent. The respondents completed the survey independently.
• There is a linear relationship between the criterion variable and each of the predictor
variables. This assumption was verified by constructing the scatterplots of the criterion
• Data show homoscedasticity (the variances along the line of best fit remain similar as
you move along the line).
• Data do not show multicollinearity. This assumption was verified by examining the
tolerance and Variance Inflation Factor (VIF) values. A tolerance value of .10 or less
indicates multicollinearity.
• Data do not have any outliers. The Outlier Labeling Rule was used to determine if there
were any outliers in the predictor and criterion variable distributions.
• The residuals (errors) are approximately normally distributed. This was checked by
constructing a histogram with a superimposed normal curve.
Descriptive Statistics
The researcher used descriptive statistics to describe the basic attributes of the
distribution of the data in the form of means, standard deviations, and score ranges. The means
and standard deviations summarized the distribution, and the score range showed how much
responses vary. Also, the researcher computed internal consistency reliability coefficients
relationship between sets of variables. This type of analysis helps one to understand how the
typical value of the criterion variable changes when any one of the predictor variables is varied,
while the other predictor variables are held fixed. Multiple regression analysis is widely used for
prediction and forecasting and is also used to understand which among the predictor variables are
related to the criterion variable, and to explore the forms of these relationships. Relationships
depicted in regression analysis are, however, associative only, and any cause-effect (causal)
Statistical tests were conducted to obtain the F statistic, the R², the adjusted R², the t
statistic, and the standardized coefficients (Beta coefficients). The F statistic for the model was
used to determine if the combination of the three predictors significantly predicts the criterion
variable. The R² was used to determine the proportion of variability in the criterion variable that
is explained by the combination of the three predictors. Adjusted R² is an estimate of the
population R² if the model were used on the study population. Adjusted R² gives a more
realistic indication of the predictive power of the study model, whereas R² is overoptimistic. The
t statistic for each coefficient was examined to determine which predictors contribute
significantly to the prediction of the criterion. The standardized coefficients (Beta coefficients)
were examined to determine the relative strength of each predictor in the prediction of the
criterion variable. Below are the research questions, hypotheses, and criterion and predictor
variables, which show how the criterion and predictor variables relate to the hypotheses and
research questions.
RQ1: To what extent, if at all, do organizational security factors (i.e., transformational
leadership and information security culture) predict the level of social engineering awareness
of healthcare end-users?
Hypotheses:
H1o: The organizational security factors (i.e., transformational leadership and information
security culture) do not significantly predict the level of social engineering awareness of
healthcare end-users.
H1a: The organizational security factors (i.e., transformational leadership and information
security culture) significantly predict the level of social engineering awareness of healthcare end-
users.
Variables:
Criterion – the level of social engineering awareness – measured by the intent to resist scale which
consists of 5 items. The scale responses range from 0 - strongly disagree to 10 - strongly agree.
The score is calculated by summing the responses. The scores ranged from 0 to 50.
Predictor – organizational security factors – measured by the organizational structure scale
which consists of 12 questions. The scale responses range from 0 - strongly disagree to 10 -
strongly agree. The score is calculated by summing the responses. The scores ranged from 0 to
120.
RQ2: To what extent, if at all, do information security awareness factors (i.e., general
information security awareness and information security policy awareness) predict the level of
social engineering awareness of healthcare end-users?
Hypotheses:
H2o: The information security awareness factors (i.e., general information security
awareness and information security policy awareness) do not significantly predict the level of
social engineering awareness of healthcare end-users.
H2a: The information security awareness factors (i.e., general information security
awareness and information security policy awareness) significantly predict the level of social
engineering awareness of healthcare end-users.
Variables:
Criterion – the level of social engineering awareness – measured by the intent to resist scale which
consists of 5 items. The scale responses range from 0 - strongly disagree to 10 - strongly agree.
The score is calculated by summing the responses. The scores ranged from 0 to 50.
Predictor – information security awareness factors – measured by the general information security
awareness and information security policy awareness scale which consists of 6 items. The scale
responses range from 0 - strongly disagree to 10 - strongly agree. The score is calculated by
summing the responses. The scores ranged from 0 to 60.
RQ3: To what extent, if at all, do individual security factors (i.e., end-users’ self-
efficacy, attitude, and normative beliefs) predict the level of social engineering awareness of
healthcare end-users?
Hypotheses:
H3o: The individual security factors (i.e., end-users’ self-efficacy, attitude, and normative
beliefs) do not significantly predict the level of social engineering awareness of healthcare end-
users.
H3a: The individual security factors (i.e., end-users’ self-efficacy, attitude, and
normative beliefs) significantly predict the level of social engineering awareness of healthcare
end-users.
Variables:
Criterion - the level of social engineering awareness – measured by the intent to resist
scale which consists of 5 items. The scale responses range from 0 - strongly disagree to 10 -
strongly agree. The score is calculated by summing the responses. The scores ranged from 0 to
50.
Predictor – individual security factors – measured by the intrinsic beliefs scale which
consists of 17 items. The scale responses range from 0 - strongly disagree to 10 - strongly agree.
The score is calculated by summing the responses. The scores ranged from 0 to 170.
The survey used for this study was adapted from a pre-existing survey developed by
Rocha Flores and Ekstedt (2016). The instruments were drawn from past literature and, by
their nature, are not limited to any industry (Rocha Flores & Ekstedt, 2016). The instrument was
pretested on a sample of 200 employees; the pretest resulted in minor corrections to
the wording of the items (Rocha Flores & Ekstedt, 2016). To ensure that the minor wording
company (Rocha Flores & Ekstedt, 2016). All instruments showed adequate reliability and
validity, measured in terms of composite reliability (CR) and average variance extracted (AVE).
However, these values, along with Cronbach’s alpha internal consistency and the reliability
coefficients were computed again in the study to ensure that validity and reliability are
The CR is similar to Cronbach’s alpha except that the factor loadings are taken into account
rather than assuming that each item is equally weighted in forming the latent variable; an
acceptable value for CR is 0.7 (Rocha Flores & Ekstedt, 2016). The AVE is a validity measure
of the amount of observed variance in the items that is attributable to the hypothesized factors;
For the organizational structure variable, the reliability and validity measures were CR =
0.957 and AVE = 0.816 for transformational leadership and CR = 0.911 and AVE = 0.594 for
information security culture (Rocha Flores & Ekstedt, 2016). For the information security
awareness variable, the reliability and validity measures were CR = 0.922 and AVE = 0.855 for
general information security awareness (Rocha Flores & Ekstedt, 2016). For information security
policy awareness, the reliability and validity measures were CR = 0.918 and AVE = 0.736 and
the standardized coefficients were between 0.64 and 0.64 (Rocha Flores & Ekstedt, 2016). For
the intrinsic beliefs variable, the reliability and validity measures were CR = 0.942 and AVE =
0.903 for self-efficacy (SE) (Rocha Flores & Ekstedt, 2016). For attitude (A), the reliability and
validity measures were CR = 0.947 and AVE = 0.817 (Rocha Flores & Ekstedt, 2016). For
normative beliefs, the reliability and validity measures were CR = 0.965 and AVE = 0.873
(Rocha Flores & Ekstedt, 2016). These values are indicative of adequate reliability and validity.
Ethical Considerations
Before collecting data for the study, the researcher received training and the required
approval from the Capella University Institutional Review Board (IRB). The researcher
completed the required ethical training modules and submitted the required IRB forms for approval.
Before collecting data, the researcher required participants to provide written, informed
consent. Potential participants received an e-mail invitation containing a letter of consent that
outlined the purpose of the research and the risks and benefits of participation. There are no
direct benefits of participation, and the researcher did not provide any reward or incentive, but
the participants may benefit indirectly through improved security awareness training that may
partly result from the findings of this study. Risks of participation are negligible but may include
some degree of emotional distress if participants have strong emotional reactions to issues
related to security awareness and cybercrime. Participants indicated their consent by clicking a
The method of solicitation stressed that participation in this study was voluntary and
confidential. Responses were anonymous in that there was not a way to connect a participant to a
specific survey response. The researcher informed participants of their anonymity and
confidentiality in the e-mailed consent letter. Participants did not receive feedback on their
participation in the study, but they did have access to the researcher's contact information and the
contact information of a representative of the researcher's university, and they can contact either
of those people if they are interested in receiving a copy of the published dissertation.
Regarding data collection and analysis, the data was anonymized by the SurveyMonkey
data collection tool, so the researcher did not have access to any personally identifying
information for any of the respondents. The researcher downloaded the anonymous responses
from SurveyMonkey and stored the data on a password-protected hard drive during the data
analysis process. In the final research report, the researcher presented results only in aggregate,
not providing the details of any individual response, to further protect participants' anonymity.
After the study concluded, the researcher will keep the raw data on a password-protected hard
drive for seven years, after which the data will be securely erased from the drive.
The researcher does not intend to edit or fabricate data, and the researcher intends to
report all findings, not just those representing positive or significant results. The researcher did
not change the hypotheses of the study to fit the research findings, nor did the researcher avoid
reporting negative findings. This study, including all data, is the result of the researcher’s
original work.
Summary
This chapter summarized the purpose of the study; it then described the research design
and methodology, the target population and sample size, and data collection technique. This
chapter also described the quantitative instrumentation and the data analysis procedures, which
included explaining the justification for using a pre-existing survey. Finally, this chapter
described participant selection criteria, along with a discussion of ensuring data access and
mitigating confidentiality concerns for the study participants. The remaining chapters presented
the following: Chapter 4 presented data relating to the study results. Chapter 5 presented
CHAPTER 4. RESULTS
Introduction
information and multiple linear regression model results. Descriptive statistics were calculated
for each of the demographic questions. The hypotheses were tested using multiple regression
analysis. Multiple regression was used to measure the extent to which individual security factors,
information security awareness factors, and organizational security factors predicted the level of
social engineering awareness among healthcare end-users. The chapter starts by answering the
research questions and hypotheses. The next section discusses the sample, demographics, and
descriptive statistics. Following is a section containing details about the results, including the
multiple regression analysis. The chapter concludes by restating the findings and answering the
research questions.
The goal of this study was to determine the extent to which individual security factors,
information security awareness factors, and organizational security factors predicted level of
social engineering awareness among healthcare end-users. The researcher followed a quantitative
regression approach to test the hypotheses and address the research questions. Assumption
testing was also conducted and showed that the predictor variables did not contain
multicollinearity and the criterion variable closely followed a normal distribution. The results of
the hypothesis testing showed that there was a statistically significant relationship between
individual security factors and level of social engineering awareness among healthcare end-users,
there was a statistically significant relationship between information security awareness factors
and level of social engineering awareness among healthcare end-users, and there was no
statistically significant relationship between organizational security factors and level of social
engineering awareness among healthcare end-users.
In total, 118 responses were received via SurveyMonkey Audience. The number of
responses was higher than the minimum of 107 required, as indicated by the power analysis. The
participants’ responses were loaded into SPSS to perform the statistical analysis and test the
hypotheses. The respondent data were analyzed by first searching for and addressing any missing
values and outliers. Upon visual inspection of the data, a total of five outliers were eliminated
from the analysis; all five outliers had exceptionally low scores on one or more of the scales. For
the organizational structure scale, three responses scored below 20. For the information security
awareness scale, three responses scored below 20. For the intrinsic beliefs scale, two responses
scored below 50. For the intent to resist scale, three responses scored below 25. After outlier
removal, a final sample of 113 usable responses was retained for analysis.
Instrument Reliability
number between zero and one (Tavakol & Dennick, 2011). Internal consistency measures how
similar the items are within the scale. The survey instrument was based on Rocha Flores and
Ekstedt’s (2016) instrument because it contained the scales necessary to collect the data for this
study. The Rocha Flores and Ekstedt instrument contains measurement scales for organizational
security, information security awareness, individual security factors, and level of social
engineering awareness. In this study, the Cronbach’s alpha scores for each scale were as follows:
organizational security (12 items), α = .965; information security awareness (six items), α = .941;
individual security (17 items), α = .973; level of social engineering awareness (five items), α =
.945. These alpha scores indicated a high degree of inter-item reliability. A reliability coefficient
of .90 or higher is considered excellent (Yang & Green, 2011). All the scales have reliability
within the excellent range. Table 1 summarizes the instrument reliability results.
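To make the reliability computation concrete, the following is an added Python example, not code from the dissertation or from Rocha Flores and Ekstedt's instrument. It sums Likert-type item responses (0 to 10, the response format of the intent to resist scale) into a scale score per respondent and computes Cronbach's alpha from the item and total-score variances; the response matrix is constructed for illustration, and the .90 cut-off is the "excellent" threshold cited above from Yang and Green (2011).

```python
"""Cronbach's alpha for a summed Likert-type scale, on constructed responses."""
from statistics import pvariance

# Constructed example: 8 respondents x 5 items, each item scored 0..10.
# These values are invented for illustration, not survey data from the study.
RESPONSES = [
    [8, 9, 8, 7, 9],
    [10, 10, 9, 10, 10],
    [5, 6, 5, 4, 6],
    [7, 7, 8, 7, 6],
    [9, 8, 9, 9, 8],
    [3, 4, 3, 2, 4],
    [6, 6, 7, 6, 7],
    [10, 9, 10, 10, 9],
]

EXCELLENT_THRESHOLD = 0.90  # Yang & Green (2011), as cited on this page


def scale_scores(responses):
    """Sum each respondent's item scores into one scale score (0..10*k)."""
    return [sum(row) for row in responses]


def cronbach_alpha(responses):
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total score)).

    Population variance is used throughout; because every variance carries the
    same n/(n-1) factor, the ratio (and therefore alpha) is unaffected by the
    choice between population and sample variance.
    """
    k = len(responses[0])
    item_vars = [pvariance(col) for col in zip(*responses)]
    total_var = pvariance(scale_scores(responses))
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def meets_excellent_threshold(alpha):
    """True when the coefficient is in the range the page calls excellent."""
    return alpha >= EXCELLENT_THRESHOLD


if __name__ == "__main__":
    alpha = cronbach_alpha(RESPONSES)
    print("scale scores:", scale_scores(RESPONSES))
    print(f"Cronbach's alpha = {alpha:.3f}")
    print("excellent:", meets_excellent_threshold(alpha))
```

The item variances add up to 24.25 and the total-score variance is 112.9375, so alpha is about .982 for this constructed matrix; a scale whose items disagree with one another would push the sum of item variances toward the total variance and drive alpha toward zero.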
Table 1
Variable Reliability
Predictor
Criterion
Assumption Testing
Before calculating the multiple regression model to address the research questions and
hypotheses, it was essential to establish whether the data met the statistical assumptions for
multiple regression analysis. Multiple regression analysis assumes that the predictor and criterion
variables are continuous, that observations are independent, that there is a linear relationship
between the criterion variable and the predictor variables, that data show homoscedasticity
(similar variances along the line of best fit), that there are no outliers, that there is no
continuous scale as the sum of the response scores for each of the six items. When the responses
are summed, the resulting variable is continuous. The predictor variables are also continuous;
each is measured as the continuous sum of the responses for all items within each scale.
Multiple regression analysis assumes that observations are independent, with no mutual
influence or dependency. The respondents completed the survey independently and answered the
questions independently. They had no interaction with one another during the process of
completing the survey, and they did not know of one another's identities. Therefore, their
responses could not have had any mutual influence, and the assumption of independent
observations is supported.
The third assumption is that there is a linear relationship between the criterion variable
and each of the predictor variables. This assumption was verified by calculating the correlations
between the criterion variable and the predictor variables. The correlations ranged from .620 to
.831. All the correlations were significant at the .01 level, indicating that there is a linear
relationship between the criterion variable and the predictor variables. Table 2 summarizes the
Table 2
Variables, N = 113
Variable r
The fourth assumption for multiple regression analysis is that data show
homoscedasticity (i.e., the variances along the line of best fit remain similar as you move along
the line). To test for homoscedasticity, the standardized residuals were plotted against the
standardized predicted values. A scatterplot centered around the best fit line with variance
results.
The fifth assumption is that there are no outliers in the data. The outlier labeling rule
(Hoaglin & Iglewicz, 1987) was used to determine whether there were any outliers in the
predictor and criterion variable distributions. The formulas for determining the lower and upper
Values that fell outside of the lower and upper limits were considered outliers. The
minimum value should be higher than the lower limit, and the maximum value should be less
than the upper limit. All the minimum and maximum values for the sample met this criterion.
Therefore, there are no outliers in the sample used for analysis (n = 113). Table 3 summarizes the
Table 3
Predictors
Criterion
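The lower and upper limits the rule computes are not reproduced on this page. As an added example, not the dissertation's own procedure, the Python block below applies the outlier labeling rule of Hoaglin and Iglewicz (1987) with the multiplier g = 2.2 they recommend: values below Q1 − g·IQR or above Q3 + g·IQR are labeled outliers, and the page's check (sample minimum above the lower limit, sample maximum below the upper limit) is expressed as a function. The scores are constructed intent to resist totals (five items, 0 to 50), and the quartile definition (the inclusive method of Python's statistics module) is a choice of this example; the page does not state which definition SPSS applied.

```python
"""Outlier labeling rule (Hoaglin & Iglewicz, 1987) on constructed scale scores."""
from statistics import quantiles

# Multiplier recommended by Hoaglin and Iglewicz (1987) for the labeling rule.
G = 2.2

# Constructed intent-to-resist scores (5 items x 0..10, so 0..50), invented for
# illustration; one score sits far below the rest of the sample.
SCORES = [44, 47, 41, 50, 38, 45, 49, 43, 46, 12]


def labeling_limits(data, g=G):
    """Return (lower, upper) = (Q1 - g*IQR, Q3 + g*IQR).

    Quartiles use the 'inclusive' method of statistics.quantiles; this is an
    assumption of the example, since SPSS offers several quartile definitions.
    """
    q1, _, q3 = quantiles(data, n=4, method="inclusive")
    iqr = q3 - q1
    return q1 - g * iqr, q3 + g * iqr


def find_outliers(data, g=G):
    """Values outside the labeling limits are flagged as outliers."""
    lower, upper = labeling_limits(data, g)
    return [v for v in data if v < lower or v > upper]


def passes_outlier_check(data, g=G):
    """The page's criterion: the minimum must exceed the lower limit and the
    maximum must stay below the upper limit."""
    lower, upper = labeling_limits(data, g)
    return min(data) > lower and max(data) < upper


if __name__ == "__main__":
    lower, upper = labeling_limits(SCORES)
    print(f"limits: {lower:.2f} .. {upper:.2f}")
    flagged = find_outliers(SCORES)
    print("outliers:", flagged)
    print("sample passes check:", passes_outlier_check(SCORES))
    cleaned = [v for v in SCORES if v not in flagged]
    print("after removal passes check:", passes_outlier_check(cleaned))
```

For the constructed scores Q1 = 41.5 and Q3 = 46.75, so the limits are 29.95 and 58.3 and only the score of 12 is labeled; after it is removed the remaining nine scores satisfy the check, which mirrors the sequence reported above (outliers removed on inspection, then the rule confirmed on the retained sample).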
Multiple regression analysis also assumes that there is no multicollinearity in the data.
This assumption was verified by examining the tolerance and variance inflation factor (VIF)
values. The tolerance value for a predictor variable is calculated as (1 − R²), where R² is
obtained by regressing that predictor on the other predictors. This represents the
proportion of the variance in a predictor variable that is not related to the other predictor variables in the
model (O’Brien, 2007). If the tolerance value is .10 or less, multicollinearity is indicated. The
Variance Inflation Factor (VIF) is the reciprocal of the tolerance value. VIF measures how much
2007). The VIF value is calculated as 1/(1 − R²). If the VIF value is greater than 10, multicollinearity is
indicated. The tolerance values for all three predictor variables were greater than .10, and the
VIF values for all three predictor variables were less than 10, indicating no multicollinearity.
Table 4
Finally, multiple regression analysis assumes that the residuals (errors) are approximately
normally distributed. This was checked by constructing a histogram with a superimposed normal
curve. Figure 3 shows that the distribution of the residuals is approximately normal. Therefore,
Figure 3. Histogram with normal curve overlay for the regression residuals.
Descriptive Analysis
The descriptive analysis consists of two sections. In the first section, the demographic
statistics are presented, including those related to gender, age, and education. The second section
Demographic Statistics
The target population for this study consisted of healthcare end-users aged 21–65.
Demographic questions on the survey asked about gender, age, and level of education. Table 5
Table 5
Variable n %
Gender
Female 97 85.8%
Male 16 14.2%
Age
21 – 29 yrs 13 11.5%
30 – 39 yrs 30 26.5%
40 – 49 yrs 27 23.9%
50 – 59 yrs 33 29.3%
60 – 65 yrs 10 8.8%
Education
High School 35 31.0%
Associate 33 29.2%
Bachelor 24 21.2%
Master 14 12.4%
Doctorate 7 6.2%
For gender, there were 97 female and 16 male participants, which represented 85.8% and
14.2% of the sample, respectively. An analysis of the age groups shows that 11.5% identified
themselves in the 21–29 age group, 26.5% of participants were in the 30–39 age group, 23.9% of
participants were in the 40–49 age group, 29.3% were in the 50–59 age group and 8.8% were in
the 60–65 age group. An analysis of highest level of education shows that 31% of participants
identified themselves as having a high school diploma, 29.2% identified themselves as having an
associate’s degree, 21.2% identified themselves as having a bachelor’s degree, 12.4% identified
themselves as having a master’s degree, and 6.2% identified themselves as having a doctorate.
Variable Descriptive Statistics
awareness, and individual security) and one criterion variable (level of social engineering
awareness). The descriptive statistics for each variable are summarized in Table 6.
Table 6
Predictor
Criterion
disagree) to 10 (strongly agree). The score was calculated by summing the responses. Possible
scores could range from 0 to 120. For this sample, the scores ranged from 25.0 to 120.0, with a
The information security awareness scale contained six questions with a response scale of
0 (strongly disagree) to 10 (strongly agree). The score was calculated by summing the responses.
Possible scores could range from 0 to 60. For this sample, the scores ranged from 30.0 to 60.0,
to 10 (strongly agree). The score was calculated by summing the responses. Possible scores
could range from 0 to 170. For this sample, the scores ranged from 51.0 to 120.0, with a mean of
Level of social engineering awareness contained five questions with a response scale of
0 (strongly disagree) to 10 (strongly agree). The score was calculated by summing the responses.
Possible scores could range from 0 to 50. For this sample, the scores ranged from 25.0 to 50.0,
Multiple linear regression was utilized to test the research hypotheses and address the
security awareness, and individual security) contributed to the prediction of the criterion variable
(level of social engineering awareness). The F statistic for the model was used to determine if the
combination of the three predictors significantly predicted the criterion variable. R2 was used to
determine the proportion of variability in the criterion variable that was explained by the
combination of the three predictors. The t statistic for each coefficient was examined to
determine which predictors contributed significantly to the prediction of the criterion. The
standardized coefficients (β) were examined to determine the relative strength of each predictor
Table 7
Regression Results for Level of Social Engineering Awareness on Predictor Variables, N = 113
Variable B SE B β t p
The model was significant, F(3, 109) = 93.65, p < .001. The combination of the three predictors
significantly predicts the criterion variable (level of social engineering awareness). The
combination of the three predictors accounts for 72% of the variability in the level of social
engineering awareness, which is shown by R² = .72 and adjusted R² = .71.
organizational security does not contribute significantly to the prediction of the level of social
engineering awareness in the presence of the other two predictors. Information security
awareness was significant (t = 3.345, p = .001), indicating that information security awareness
contributes significantly to the prediction of the level of social engineering awareness in the
presence of the other two predictors. Individual security was significant (t = 4.358, p = .000),
indicating that individual security contributes significantly to the prediction of the level of social
engineering awareness in the presence of the other two predictors. The beta coefficients indicated
that individual security was the strongest predictor (β = .508), followed by information security
awareness (β = .394). These values indicate that both variables were strong predictors overall.
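The statistics reported above, and the tolerance and VIF checks from the multicollinearity section, can be reproduced outside SPSS. The Python block below is an added example, not the study's procedure or data: it fits the regression by ordinary least squares in pure Python and returns R², adjusted R², the model F statistic, the t statistic for every coefficient and the standardized coefficients (β), and it computes each predictor's tolerance (1 − R²) and VIF (1/(1 − R²)) by regressing that predictor on the other two. The twelve respondent rows are constructed within the score ranges given on this page (organizational security 0 to 120, information security awareness 0 to 60, individual security 0 to 170, level of social engineering awareness 0 to 50), and the column names ORG, ISA, IND and LSEA are labels chosen for the example. p-values are omitted because the standard library provides no t-distribution CDF; the t values can be compared against a t table with the degrees of freedom the function returns.

```python
"""Multiple regression diagnostics (R², adjusted R², F, t, β, tolerance, VIF)."""
import math

# Constructed scores for 12 respondents, invented for illustration only.
ORG = [95, 60, 110, 72, 88, 101, 65, 115, 80, 99, 77, 108]     # 0..120
ISA = [50, 45, 40, 55, 38, 57, 33, 52, 60, 42, 48, 44]          # 0..60
IND = [130, 120, 150, 90, 140, 95, 160, 110, 125, 100, 165, 135]  # 0..170
LSEA = [40, 36, 44, 35, 38, 41, 37, 46, 45, 34, 47, 42]         # 0..50 (criterion)


def invert(m):
    """Gauss-Jordan inverse of a small square matrix given as row lists."""
    n = len(m)
    a = [list(map(float, row)) + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(m)]
    for c in range(n):
        pivot = max(range(c, n), key=lambda r: abs(a[r][c]))
        a[c], a[pivot] = a[pivot], a[c]
        if abs(a[c][c]) < 1e-12:
            raise ValueError("singular X'X: predictors are perfectly collinear")
        div = a[c][c]
        a[c] = [v / div for v in a[c]]
        for r in range(n):
            if r != c and a[r][c] != 0.0:
                f = a[r][c]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[c])]
    return [row[n:] for row in a]


def ols(xs, y):
    """Least-squares fit of y on the predictor columns in xs (plus intercept)."""
    n, p = len(y), len(xs)
    k = p + 1                                    # coefficients incl. intercept
    X = [[1.0] + [float(col[i]) for col in xs] for i in range(n)]
    xtx = [[sum(row[i] * row[j] for row in X) for j in range(k)] for i in range(k)]
    xty = [sum(row[i] * yi for row, yi in zip(X, y)) for i in range(k)]
    inv = invert(xtx)
    b = [sum(inv[i][j] * xty[j] for j in range(k)) for i in range(k)]
    yhat = [sum(bi * xi for bi, xi in zip(b, row)) for row in X]
    ybar = sum(y) / n
    ss_tot = sum((v - ybar) ** 2 for v in y)
    ss_res = sum((v - h) ** 2 for v, h in zip(y, yhat))
    df_res = n - k
    r2 = 1.0 - ss_res / ss_tot
    adj_r2 = 1.0 - (1.0 - r2) * (n - 1) / df_res          # population R² estimate
    f = (r2 / p) / ((1.0 - r2) / df_res) if p else 0.0    # model F on (p, n-k) df
    mse = ss_res / df_res
    se = [math.sqrt(mse * inv[i][i]) for i in range(k)]   # coefficient std. errors
    t = [bi / si for bi, si in zip(b, se)]
    sd_y = math.sqrt(ss_tot / (n - 1))
    beta = []                                             # standardized coefficients
    for i, col in enumerate(xs):
        mean = sum(col) / n
        sd_x = math.sqrt(sum((v - mean) ** 2 for v in col) / (n - 1))
        beta.append(b[i + 1] * sd_x / sd_y)
    return {"b": b, "se": se, "t": t, "beta": beta, "r2": r2,
            "adj_r2": adj_r2, "f": f, "df": (p, df_res)}


def tolerance_vif(xs):
    """(tolerance, VIF) per predictor: 1 - R² of that predictor on the others."""
    out = []
    for i, col in enumerate(xs):
        others = [c for j, c in enumerate(xs) if j != i]
        tol = 1.0 - ols(others, col)["r2"]
        out.append((tol, 1.0 / tol))
    return out


def multicollinearity_indicated(xs):
    """The page's cut-offs: tolerance of .10 or less, or VIF greater than 10."""
    return any(tol <= 0.10 or vif > 10 for tol, vif in tolerance_vif(xs))


def run_example():
    predictors = [ORG, ISA, IND]
    return ols(predictors, LSEA), tolerance_vif(predictors)


if __name__ == "__main__":
    fit, diag = run_example()
    p, df_res = fit["df"]
    print(f"F({p}, {df_res}) = {fit['f']:.2f}, R² = {fit['r2']:.3f}, "
          f"adjusted R² = {fit['adj_r2']:.3f}")
    for name, t, beta, (tol, vif) in zip(["ORG", "ISA", "IND"],
                                         fit["t"][1:], fit["beta"], diag):
        print(f"{name}: t = {t:.3f}, beta = {beta:.3f}, "
              f"tolerance = {tol:.3f}, VIF = {vif:.2f}")
    print("multicollinearity indicated:", multicollinearity_indicated([ORG, ISA, IND]))
```

With a single predictor the function reduces to simple regression, so its output can be checked by hand (for x = 1..5 and y = 2, 4, 5, 4, 5 the slope is 0.6, R² is 0.6 and F is 4.5); for the constructed three-predictor rows the printed values only illustrate the report format, since they are not the study's sample.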
Analysis of Hypotheses
This study hypothesized that individual security factors, information security awareness
factors, and organizational security factors predict the level of social engineering awareness
among healthcare end-users. A hypothesis testing approach was used to answer the research
questions. The specific research questions and hypotheses are listed below. Also, listed below are
RQ1: To what extent, if at all, do organizational security factors (i.e., transformational
leadership and information security culture) predict the level of social engineering awareness
of healthcare end-users?
H1o: The organizational security factors (i.e., transformational leadership and information
security culture) do not significantly predict the level of social engineering awareness of
healthcare end-users.
H1a: The organizational security factors (i.e., transformational leadership and information
security culture) significantly predict the level of social engineering awareness of healthcare end-
users.
For Research Question 1, the null hypothesis was accepted, and the alternative hypothesis
was rejected. The organizational security factors (i.e., transformational leadership and
information security culture) do not significantly predict the level of social engineering
awareness of healthcare end-users.
RQ2: To what extent, if at all, do information security awareness factors (i.e., general
information security awareness and information security policy awareness) predict the level of
social engineering awareness of healthcare end-users?
H2o: The information security awareness factors (i.e., general information security
awareness and information security policy awareness) do not significantly predict the level of
social engineering awareness of healthcare end-users.
H2a: The information security awareness factors (i.e., general information security
awareness and information security policy awareness) significantly predict the level of social
engineering awareness of healthcare end-users.
For Research Question 2, the null hypothesis was rejected, and the alternative hypothesis
was accepted. The information security awareness factors (i.e., general information security
awareness and information security policy awareness) significantly predict the level of social
engineering awareness of healthcare end-users.
RQ3: To what extent, if at all, do individual security factors (i.e., end-users’ self-efficacy,
attitude, and normative beliefs) predict the level of social engineering awareness of healthcare
end-users?
H3o: The individual security factors (i.e., end-users’ self-efficacy, attitude, and normative
beliefs) do not significantly predict the level of social engineering awareness of healthcare end-
users.
H3a: The individual security factors (i.e., end-users’ self-efficacy, attitude, and normative
beliefs) significantly predict the level of social engineering awareness of healthcare end-users.
For Research Question 3, the null hypothesis was rejected, and the alternative hypothesis
was accepted. The individual security factors (i.e., end-users’ self-efficacy, attitude, and
normative beliefs) significantly predict the level of social engineering awareness of healthcare
end-users.
Summary
The results of data analysis were presented in Chapter 4. The goal of this study was to
determine the extent to which organization security, information security awareness, and
individual security predicted the level of social engineering awareness among healthcare end-
users. The study followed a quantitative survey-based research method. Quantitative data were
collected and analyzed using IBM SPSS. Multiple linear regression was used to test the research
hypotheses. The chapter began with a discussion of the demographic results and descriptive
statistics. One hundred thirteen participants provided the data for the analysis. The instrument
reliability and multiple regression assumptions were delineated. The instrument scales provided a
high degree of reliability, with each scale yielding a Cronbach's alpha above .90. Results
indicated that information security awareness and individual factors, but not organizational
factors, significantly predicted the level of social engineering awareness among healthcare
end-users. Chapter 5 contains a discussion of results and the conclusion of this study. The
chapter also includes the implications of the study and recommendations for future research.
CHAPTER 5. CONCLUSIONS
Introduction
The goal of this quantitative regression study was to determine to what extent, if any,
organizational security factors, information security awareness factors, and individual security
factors predict the level of social engineering awareness of healthcare end-users. Participants from
demographic and Likert-type questions related to security factors and social engineering
awareness. One hundred and thirteen healthcare end-users participated in the survey. Chapter 5
presents an overview of the study and the research findings and implications. The objective of
this chapter is to present a discussion of the results of the study and also to discuss the
implications for future research and application to practice. First, the research questions are
evaluated, and the implications of the results are discussed. Next is a discussion of the extent to
which the study fulfilled the research purpose outlined in Chapter 1. The study's contribution to
the business technical problem is addressed next, followed by recommendations for further
research illuminated by the results of this study. A conclusion ends the dissertation.
The purpose of this quantitative multiple regression study was to determine whether
organizational security factors (i.e., transformational leadership and information security culture),
information security awareness factors (i.e., general information security awareness and
information security policy awareness), and individual security factors (i.e., end-users’ self-
efficacy, attitude, and normative beliefs) predict the level of social engineering awareness among
healthcare end-users in healthcare organizations in the continental United States. Based on this
purpose, three research questions were formulated. This section evaluates each of them in light
of the research results (presented in Chapter 4). Altogether, this study found that individual
factors and information security awareness factors were more important than organizational
factors in predicting the level of social engineering awareness among healthcare end-users.
Research Question 1 asked, “To what extent, if at all, do organizational security factors
(i.e., transformational leadership and information security culture) predict the level of social
engineering awareness among healthcare end-users?” The results indicated that organizational
security factors do not significantly predict the level of social engineering awareness among the
sample of this study. This result was surprising because two of the three components of the
security, transformational leadership has been found to help predict employees’ intention to
resist social engineering (Rocha Flores & Ekstedt, 2016) and to influence the effectiveness of
security countermeasures (Humaidi & Balakrishnan, 2015). Therefore, it was expected that
transformational leadership (one of the components of the organizational security measure in this
study) would significantly relate to end-users’ social engineering awareness, but this was not the
case.
Similarly, Lim et al. (2012) argued that an organizational security culture is vital in
influencing the behavior of employees. Based on this component of the theoretical framework, it
was expected that information security culture (the second component of the organizational
security measure in this study) would relate to end-users’ social engineering awareness.
However, no significance was identified.
The most important possible explanation for this surprising finding in the context of the
present study is that the data on organizational security factors were collected via self-report
from individual employees. These subjective responses may not have accurately reflected the
organizational security settings in which the respondents were employed. For example,
organizations with strong information security cultures at the leader level may not have been
rated as such by employees whose roles provide them little opportunity to interact directly with
culture and transformational leadership presupposes that employees receive communication and
are initiated into the culture of organizational security. Still, employees with negative attitudes
toward their workplaces or other factors may have been less likely to indicate that their
workplaces had strong organizational security cultures, regardless of the actual cultures in place.
Controlling for attitudes or directly observing organizational security cultures could have
prevented these possible errors; these will be necessary directions for future research.
Research Question 2 asked, “To what extent, if at all, do information security awareness
factors (i.e., general information security awareness and information security policy awareness)
predict the level of social engineering awareness among healthcare end-users?” The results
indicated that information security awareness factors do significantly predict the level of social
engineering awareness among the sample of this study. This was the expected result, based on
the theoretical framework. Rocha Flores and Ekstedt (2016) found that information security
awareness was related to organizational security and intention to comply with information
security policies. However, the relationship between information security awareness and social
engineering awareness has not been previously studied. This finding, therefore, represents a
significant contribution to the existing literature. This is an important result because it indicates
that an overall strong level of security awareness includes awareness of the type of security
Research Question 3 asked, “To what extent, if at all, do individual security factors (i.e.,
end-users’ self-efficacy, attitude, and normative beliefs) predict the level of social engineering
awareness of healthcare end-users?” The results indicated that individual security factors
significantly predict the level of social engineering awareness among the sample of this study.
This result supports the results of existing literature showing that the “human factor” is among
the most critical factors to ensuring the integrity of organizational information resources
(Crossler et al., 2013; Narain Singh et al., 2014). It also supports Rocha Flores and Ekstedt
(2016), who found a positive relationship between social engineering resistance and self-efficacy
Additionally, this finding supports the need to invest at the individual level in order to
improve social engineering awareness. Other researchers (e.g., Alkhamis & Renaud, 2016;
Bullée et al., 2015a) have found that individual-level investments like training can significantly
improve organizations’ security by reducing the rate at which employees engage in risky
Finally, this finding strongly supports the theoretical framework of the theory of planned
behavior. The theory of planned behavior posits that attitude, subjective norms, and self-efficacy
about particular behaviors predict users’ intention to engage in that behavior. Previous
researchers have confirmed the theory in studies of organizational information security (Ifinedo,
2014; Lebek et al., 2014; Safa et al., 2015). The present study adds another confirmation of the
engineering awareness has been found to prevent employees from falling victim to social
engineering attacks (Bullée et al., 2015a), this result suggests that focusing on improving
individuals’ self-efficacy, attitudes, and normative beliefs about social engineering resistance
The purpose of this study was to determine whether organizational security factors (i.e.,
factors (i.e., general information security awareness and information security policy awareness),
and individual security factors (i.e., end-users’ self-efficacy, attitude, and normative beliefs)
predict the level of social engineering awareness among healthcare end-users in healthcare
organizations in the continental United States. The results of multiple regression analysis
(presented in Chapter 4) showed that information security awareness factors and individual
security factors, but not organizational security factors, were statistically significant in predicting
the level of social engineering awareness among the research sample. Because the data met all
assumptions for the analysis and the research questions were answered using the data analysis,
understanding or resolving the business technical problem. The problem addressed in this study
is the costly and increasing occurrence of data breaches in organizations that electronically
transmit health information in the United States (Agaku et al., 2014; Gammons, 2017; Ponemon
Institute, 2016). Social engineering is a particularly troubling type of security breach because it
exploits vulnerabilities in individuals within the organization, and attackers convince internal
end-users to provide sensitive data. The present study contributes to this problem by reaffirming the
importance of the human element in preventing such security breaches. Individual security
factors and information security awareness factors were significant in predicting social
engineering awareness. Therefore, in order to address and prevent social engineering breaches in
the healthcare industry, it is crucial for IT managers to focus on improving individual security
factors, particularly self-efficacy, normative beliefs, and attitudes, which together were the
The business technical problem addressed in this study was the costly and increasing
occurrence of data security breaches in the healthcare industry in the United States (Agaku et al.,
2014; Gammons, 2017; Ponemon Institute, 2016). In order to resolve this problem, IT managers
need a thorough understanding of the factors that promote social engineering awareness and,
thereby, prevent end-users from falling victim to social engineering attacks (Bullée et al., 2015a).
If IT managers know factors related to social engineering awareness, they can invest in
interventions and people strategies that target those factors. As a result, the level of awareness of
social engineering among employees could increase, and, in turn, the prevalence of successful
social engineering attacks could decrease. It is important to prevent social engineering attackers
from finding success with their victims because data breaches cost the healthcare industry up to
The results of this study contributed to the general understanding of factors associated
with social engineering awareness. Findings presented in Chapter 4 indicated that the individual
security factors of end-users’ self-efficacy, attitude, and normative beliefs were the strongest
predictors of social engineering awareness among the research sample. This new knowledge
contributes to the business technical problem by indicating the importance of focusing on these
individual factors in any attempts to increase social engineering awareness. Researchers should
note that, because this present study was cross-sectional, it is not possible to draw any firm
conclusions regarding causal relationships among the variables. Thus, it is possible that the
association between individual factors and social engineering awareness is not a causal one, and
that improving the former would not necessarily result in an improvement in the latter. However,
the results of this study suggest that focusing on individual factors may be a fruitful direction for
Conversely, this study did not reveal a statistically significant relationship between social
engineering awareness and the organizational security factors of transformational leadership and
information security culture. This finding supports the opinions of scholars who believe that a
focus on the “human element” is crucial to preventing social engineering attacks (Indrajit, 2017;
Narain Singh et al., 2014; Nishani & Biba, 2016). Although the theoretical framework of this
study suggests that organizational factors are also important, the lack of association in this study
contributes to the business technical problem by reinforcing the importance of interventions and
Finally, and perhaps most importantly, this study is one of the few existing studies to
focus on social engineering awareness as an outcome variable, and one of the few studies to
focus on the healthcare industry specifically. This is an essential contribution to the business
technical problem because it arms healthcare IT managers with new knowledge pertaining
existing knowledge on data breach prevention applies across industries, there may be differences
in the importance of various factors depending on the specific work environment. Thus, by
focusing on social engineering awareness in healthcare specifically, this study provides new
knowledge that can help healthcare IT managers address the costly occurrence of data breaches
in the industry.
The results of this study illuminate several critical areas where further research can
benefit scholars and practitioners. First, in its examination of organizational security factors, this
study relied on self-reported data from end-users in the healthcare industry. Although end-users'
perceptions of organizational culture are essential, their reports could be subject to biases and
inaccuracies, which could have influenced the outcomes of this study. Therefore, the researcher
security factors, including security culture and transformational leadership, could influence
Second, this study assumes, based on existing research (Bullée et al., 2015a), that social
research on the correlation between awareness and attack susceptibility is still in its infancy. It is
possible, therefore, that end-users with strong social engineering awareness could still fall victim
to carefully constructed social engineering attacks. The researcher recommends that future
research focus on actual social engineering attack rates at various organizations,
determining the factors that lead to positive data security outcomes. Awareness should still
outcomes can help elucidate the value of working to improve awareness among employees.
Finally, this present study was non-experimental, and the researcher did not test the
awareness. Therefore, it is not known whether investments based on the results of this study
would have the intended effect of improving social engineering awareness among healthcare
whether, if at all, interventions targeting individual factors and information security awareness
factors (both of which were significantly related to social engineering awareness in the present
Conclusions
In the healthcare industry, data breaches are not only costly from a monetary point of
view but can have detrimental effects on the patients whose sensitive health information is stored
in healthcare databases (Agaku et al., 2014). Stolen healthcare data are worth more on the black
market than other types of stolen information (Ablon & Libicki, 2015). Taken together, these
facts highlight the potentially explosive nature of the problem of information security breaches in
the healthcare industry. It is therefore essential to energetically research the factors that
This study represents an attempt to address the research need by investigating whether
organizational security factors (i.e., transformational leadership and information security culture),
information security awareness factors (i.e., general information security awareness and
information security policy awareness), and individual security factors (i.e., end-users’ self-
efficacy, attitude, and normative beliefs) predict the level of social engineering awareness among
healthcare end-users in healthcare organizations in the continental United States. The study was
organizational security culture, and the theory of planned behavior. Data from a total of 113
participants, all employed in the healthcare industry, were analyzed to determine the extent to
which each of the antecedent variables predicted social engineering awareness in the sample.
The results of this study indicated that individual factors and information security
awareness factors were both statistically significant predictors of social engineering awareness.
This finding corroborated past research (e.g., Alkhamis & Renaud, 2016; Bullée et al., 2015a;
Crossler et al., 2013; Narain Singh et al., 2014; Rocha Flores & Ekstedt, 2016). However, no
significant association was found between social engineering awareness and organizational
security factors. Although this finding ran counter to the opinions of those who emphasize the
importance of organizational factors (e.g., Humaidi & Balakrishnan, 2015; Lim et al., 2012;
Rocha Flores & Ekstedt, 2016), one potential explanation for this surprising finding is that the
study relied on end-users’ self-reports, rather than direct observation, to assess organizational
security factors.
This study was one of the few existing studies to focus specifically on the healthcare
industry and to use social engineering awareness as an outcome variable. These facts indicate
that the study contributes to the existing body of knowledge. If healthcare IT managers are to
address the costly and potentially dangerous occurrence of data breaches, especially those owing
to insidious methods like social engineering, they must pay attention to the individual factors
(self-efficacy, normative beliefs, and attitudes) that have routinely been shown to promote positive
security outcomes.
REFERENCES
Abawajy, J. (2014). User preference of cyber security awareness delivery methods. Behaviour &
Ablon, L., & Libicki, M. (2015). Hackers' bazaar: The markets for cybercrime tools and stolen
Agaku, I. T., Adisa, A. O., Ayo-Yusuf, O. A., & Connolly, G. N. (2014). Concern about security
and privacy, and perceived control over collection and use of health information are
002079
Ahmad, A., Maynard, S. B., & Park, S. (2014). Information security strategies: Towards an
357-370. doi:10.1007/s10845-012-0683-0
Ajzen, I. (2011). The theory of planned behaviour: Reactions and reflections. Psychology &
Ajzen, I. (2015). The theory of planned behaviour is alive and well, and not ready to retire: A
131-137. doi:10.1080/17437199.2014.883474
Ajzen, I., & Fishbein, M. (1980). Understanding attitudes and predicting social behavior.
AlHogail, A., & Mirza, A. (2014). Information security culture: A definition and a literature
Alkhamis, E., & Renaud, K. (2016). The design and evaluation of an interactive social
Angst, C. M., Block, E. S., D’Arcy, J., & Kelley, K. (2017). When do IT security investments
matter? Accounting for the influence of institutional factors in the context of healthcare
Armitage, C. J., & Conner, M. (2001). Efficacy of the theory of planned behaviour: A meta‐
doi:10.1111/etap.12056
Avolio, B. J., & Bass, B. M. (1995). Individual consideration viewed at multiple levels of
Awang, Z., Afthanorhan, A., & Mamat, M. (2016). The likert scale analysis using parametric
Aytes, K., & Connolly, T. (2004). Computer security and risky computing practices: A rational
choice perspective. Journal of Organizational and End User Computing, 16(3), 22-40.
Barling, J., Slater, F., & Kelloway, E. K. (2000). Transformational leadership and emotional
Bhatnagar, N., Madden, H., & Levy, Y. (2016). Initial empirical testing of potential factors
Bullée, J. W. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. H. (2015a). The persuasion
and security awareness experiment: reducing the success of social engineering attacks.
Bullée, J. W. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. H. (2015b). Regression
Nodes: Extending attack trees with data from social sciences. In Socio-Technical Aspects
in Security and Trust (STAST), 2015 Workshop (pp. 17-23). Piscataway, NJ: IEEE.
Burns, A. J., Posey, C., Courtney, J. F., Roberts, T. L., & Nanayakkara, P. (2017).
9608-8
Carifio, J., & Perla, R. (2008). Resolving the 50-year debate around using and misusing Likert
Chang, S., & Ho, C. B. (2006). Organizational factors to the effectiveness of implementing
information security management. Industrial Management & Data Systems, 106(3), 345-
361. doi:10.1108/02635570610653498
Choi, D., Kim, D., & Park, S. (2015). A framework for context sensitive risk-based access
doi:10.3390/su8070638
Clough, J. (2015). Towards a common identity? The harmonisation of identity theft laws.
Cooper, D. R., & Schindler, P. S. (2014). Business research methods (12th ed.). Boston, MA:
McGraw-Hill.
Creswell, J. W., & Creswell, J. D. (2018). Research design: Qualitative, quantitative, and mixed
Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013).
Future directions for behavioral information security research. Computers & Security, 32,
90-101. doi:10.1016/j.cose.2012.09.010
Decker, L. G. (2008). Factors affecting the security awareness of end-users: A survey analysis
Deutskens, E., de Ruyter, K., & Wetzels, M. (2006). An assessment of equivalence between
online and mail surveys in service research. Journal of Service Research, 8(4), 346-355.
doi:10.1177/1094670506286323
Drevin, L., Kruger, H. A., Bell, A. M., & Steyn, T. (2017). A linguistic approach to information
Global Digital Society: Vol 503. IFIP Advances in Information and Communication
Evans, J. R., & Mathur, A. (2005). The value of online surveys. Internet Research, 15(2), 195-
219. doi:10.1108/10662240510590360
Fishbein, M. (1967). A behavior theory approach to the relations between beliefs about an object
Fishbein, M., & Ajzen, I. (1975). Belief, attitude, intention, and behavior: An introduction to
Gammons, B. (2017, January). 6 must-know cybersecurity statistics for 2017 [Blog post].
Gardner, B., & Thomas, V. (2014). Building an information security awareness program:
Elsevier.
George, D., & Mallery, P. (2017). IBM SPSS statistics 23 step by step: A simple guide and
Goo, J., Yim, M. S., Kim, D. J. (2014). A path to successful management of employee security
Granello, D. H., & Wheaton, J. E. (2004). Online data collection: Strategies for research. Journal
Guo, K. H., Yuan, Y., Archer, N. P., Connelly, C. E. (2011). Understanding nonmalicious
Harris, S. (2010). All in one CISSP exam guide (5th ed.). Noida, India: Tata McGraw-Hill
Education.
Theses database.
Healthcare Information and Management Systems Society (HIMSS). (2016). 2016 HIMSS
cybersecurity-report.pdf
Herath, T., & Rao, H. R. (2009). Encouraging information security behaviors in organizations:
Hoaglin, D. C., & Iglewicz, B. (1987). Fine-tuning some resistant rules for outlier labeling.
10.1080/01621459.1987.10478551
Holbert, D. A. (2013). Factors contributing to security awareness of the end user. (Doctoral
Holtfreter, R. E., & Harrington, A. (2015). Data breach trends in the United States. Journal of
http://www.emeraldinsight.com/journal/jfc
Huang, C. D., Behara, R. S., & Goo, J. (2014). Optimal information security investment in a
1-11. doi:10.1016/j.dss.2013.10.011
Humaidi, N., & Balakrishnan, V. (2015). Leadership styles and information security compliance
http://www.ijiet.org/
Hyatt, J. C. (2015). External, internal, and inherent factors affecting end-user security
Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the
effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-
79. doi:10.1016/j.im.2013.10.001
Ilves, T. H. (2016). The consequences of cyber attacks. Journal of International Affairs, 70(1),
Junger, M., Montoya, L., & Overink, F. J. (2017). Priming and warnings are not effective to
doi:10.1016/j.chb.2016.09.012
Kamoun, F., & Nicho, M. (2014). Human and organizational factors of healthcare data breaches:
The Swiss cheese model of data breach causation and prevention. International Journal
doi:10.4018/ijhisi.201410103
Kautonen, T., Gelderen, M., & Fink, M. (2015). Robustness of the theory of planned behavior in
Knight, A., & Saxby, S. (2014). Identity crisis: Global challenges of identity protection in a
networked world. Computer Law & Security Report, 30(6), 617-632. doi:10.1108/JFC-
11-2014-0056
Korpela, K. (2015). Improving cyber security awareness and training programs with data
doi:10.1080/19393555.2015.1051676
Kraemer, S., Carayon, P., & Clem, J. (2009). Human and organizational factors in computer and
doi:10.1016/j.cose.2009.04.006
Krombholz, K., Hobel, H., Huber, M., & Weippl, E. (2015). Advanced social engineering
10.1016/j.jisa.2014.09.005
Kruger, H. A., & Kearney, W. D. (2006). A prototype for assessing information security
Kwon, J., & Johnson, M. E. (2014). Meaningful healthcare security: Does “meaningful-use”
http://www.econinfosec.org/
Lebek, B., Guhr, N., & Breitner, M. (2014). Transformational leadership and employees’
information security performance: The mediating role of motivation and climate. Paper
https://aisel.aisnet.org/icis2014/proceedings/ISSecurity/21/
Lebek, B., Uffen, J., Breitner, M. H., Neumann, M., & Hohler, B. (2013, January). Employees'
information security awareness and behavior: A literature review. 2014 47th Hawaii
doi:10.1109/HICSS.2013.192
Lee, J., & Lee, Y. (2002). A holistic model of computer abuse within organizations. Information
Lim, J. S., Chang, S., Ahmad, A., & Maynard, S. B. (2012). Towards an organizational culture
framework for information security practices. In G. Manish (Ed.), Strategic and Practical
Loughlin, S., Fu, K., Gee, T., Gieras, I., Hoyme, K., Rajagopalan, S. R., …Wirth, A. (2014). A
doi:10.2345/0899-8205-48.s1.8
Lowes, R. (2014, April 28). Stolen EHR charts sell for $50 each on black market. Retrieved from
http://www.medscape.com/viewarticle/824192
Lowry, P. B., & Moody, G. D. (2015). Proposing the control‐reactance compliance model
Mann, I. (2017). Hacking the human: Social engineering techniques and security
McEachan, R., Taylor, N., Harrison, R., Lawton, R., Gardner, P., & Conner, M. (2016). Meta-
Mearian, L. (2016, June 30). Hackers are coming for your healthcare records – here’s why.
are-coming-for-your-healthcare-records-heres-why.html
Medlin, B. D., Cazier, J. A., Foulk, B. P. (2008). Analyzing the vulnerability of U.S. hospitals to
social engineering attacks: How many of your employees would share their password?
International Journal of Information Security and Privacy, 2(3), 71-83.
doi:10.4018/jisp.2008070106
Merkow, M. S., & Breithaupt, J. (2014). Information security: Principles and practices. Upper
Mishra, S., Caputo, D. J., Leone, G. J., Kohun, F. G., & Draus, P. J. (2014). The role of
Mishra, S., Draus, P., Goreva, N., & Caputo, D. J. (2016). A survey of social engineering
Mohammed, S., & Apeh, E. (2016, December). A model for social engineering awareness
doi:10.1109/SKIMA.2016.7916253
Montaño, D. E., & Kasprzyk, D. (2015). Theory of reasoned action, theory of planned behavior,
and the integrated behavioral model. In K. Glanz, B. K. Rimer, & K. Viswanth (Eds.),
Health Behavior: Theory, Research and Practice (pp. 95-124). Hoboken, NJ: John Wiley
& Sons.
Morgan, S. (2016, January 17). Cyber crime costs projected to reach $2 trillion by 2019.
costs-projected-to-reach-2-trillion-by-2019/#7f0b3b153a91
Mouton, F., Malan, M. M., Kimppa, K. K., & Venter, H. S. (2015). Necessity for ethics in social
doi:10.1016/j.cose.2015.09.001
Narain Singh, A., Gupta, M. P., & Ojha, A. (2014). Identifying factors of “organizational
Nishani, L., & Biba, M. (2016). Machine learning for intrusion detection in MANET: A state-of-
doi:10.1007/s10844-015-0387-y
North, M., Perryman, D., Burns, S., & North, S. (2010). A comparative study of information
https://www.ccsc.org
O’Brien, R. M. (2007). A caution regarding rules of thumb for variance inflation factors. Quality
Okenyi, O. P., & Owens, T. J. (2007). On the anatomy of human hacking. Information Systems
Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., & Jerram, C. (2014). Determining
Parsons, K. M., Young, E., Butavicius, M. A., McCormac, A., Pattinson, M. R., & Jerram, C.
security decision making. Journal of Cognitive Engineering and Decision Making, 9(2),
117-129. doi:10.1177/1555343415575152
Ponemon Institute. (2016). Sixth annual benchmark study on privacy & security of healthcare
Resources%20%20Sixth%20Annual%20Benchmark%20Study%20on%20Privacy%20an
d%20Security%20of%20Healthcare%20Data%20.pdf?sid=TV2:g1ml2lh7d
Raiyn, J. (2014). A survey of cyber attack detection strategies. International Journal of Security
Richardson, R., & North, M. (2017). Ransomware: Evolution, mitigation and prevention.
http://imrjournal.org
Robbins, S. P., & Judge, T. A. (2008). Organizational behavior (13th ed.). Upper Saddle River,
Rocha Flores, W., Antonson, E., & Ekstedt, M. (2015). Exploring the link between organizations
Rocha Flores, W., & Ekstedt, M. (2016). Shaping intention to resist social engineering through
Rocha Flores, W., Holm, H., Nohlberg, M., & Ekstedt, M. (2015). Investigating personal
determinants of phishing and the effect of national culture. Information & Computer
Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T. (2015).
Schein, E. H. (1992). Organizational culture and leadership. San Francisco, CA: Jossey-Bass.
Schwarzer, R. (Ed.). (2014). Self-efficacy: Thought control of action. Boston, MA: Taylor &
Francis.
Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information
security policies: An exploratory field study. Information & Management, 51(2), 217-
224. doi:10.1016/j.im.2013.08.006
Sniehotta, F. F., Presseau, J., & Araújo-Soares, V. (2014). Time to retire the theory of planned
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more
Steckler, A., McLeroy, K. R., Goodman, R. M., Bird, S. T., & McCormick, L. (1992). Toward
page]. SurveyMonkey, Inc. San Mateo, CA: SurveyMonkey, Inc. Retrieved from
http://www.surveymonkey.com/mp/audience
Svanlund, J., Kronberg, B., & Jeppsson, H. (2015). Social Engineering: A study in awareness
http://lup.lub.lu.se/student-papers/record/5474076
Tavakol, M., & Dennick, R. (2011). Making sense of Cronbach’s alpha. International Journal of
von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computer
Warfield, D. (2012). Critical Infrastructures: IT Security and Threats from Private Sector
doi:10.1080/19393555.2011.652289
Webb, T. L., & Sheeran, P. (2006). Does changing behavioral intentions engender behavior
249-268. doi:10.1037/0033-2909.132.2.249
Wicker, A. W. (1969). Attitudes vs. actions: The relationship of verbal and overt behavioral
4560.1969.tb00619.x
Wikman, A. (2006). Reliability, validity and true values in surveys. Social Indicators Research,
Wolf, M., Haworth, D., & Pietron, L. (2011). Measuring an information security awareness
program. Review of Business Information Systems (RBIS), 15(3), 9-21. Retrieved from
http://www.cluteintiture.com
Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of
information security measures: A threat control model and empirical test. Computers in
online survey research, online questionnaire authoring software packages, and web
doi:10.1111/j.1083-6101.2005.tb00259.x
Yang, Y., & Green, S. B. (2011). Coefficient alpha: A reliability coefficient for the 21st century?
STATEMENT OF ORIGINAL WORK
Capella University’s Academic Honesty Policy (3.01.01) holds learners accountable for the
integrity of work they submit, which includes but is not limited to discussion postings,
assignments, comprehensive exams, and the dissertation or capstone project.
Established in the Policy are the expectations for original work, rationale for the policy,
definition of terms that pertain to academic honesty and original work, and disciplinary
consequences of academic dishonesty. Also stated in the Policy is the expectation that learners
will follow APA rules for citing another person’s ideas or works.
The following standards for original work and definition of plagiarism are discussed in the
Policy:
Learners are expected to be the sole authors of their work and to acknowledge the
authorship of others’ work through proper citation and reference. Use of another person’s
ideas, including another learner’s, without proper reference or citation constitutes
plagiarism and academic dishonesty and is prohibited conduct. (p. 1)
Capella University’s Research Misconduct Policy (3.03.06) holds learners accountable for research
integrity. What constitutes research misconduct is discussed in the Policy:
Research misconduct includes but is not limited to falsification, fabrication, plagiarism,
misappropriation, or other practices that seriously deviate from those that are commonly
accepted within the academic community for proposing, conducting, or reviewing
research, or in reporting research results. (p. 1)
Learners failing to abide by these policies are subject to consequences, including but not limited to
dismissal or revocation of the degree.
Statement of Original Work and Signature
I have read, understood, and abided by Capella University’s Academic Honesty Policy (3.01.01)
and Research Misconduct Policy (3.03.06), including Policy Statements, Rationale, and
Definitions.
I attest that this dissertation or capstone project is my own work. Where I have used the ideas or
words of others, I have paraphrased, summarized, or used direct quotes following the guidelines
set forth in the APA Publication Manual.
Learner name and date: Jerry Alsay, January 10, 2019
Mentor name and school: Oludotun Oni, School of Business and Technology