A QUANTITATIVE REGRESSION STUDY OF THE EFFECT OF SECURITY FACTORS ON THE SOCIAL ENGINEERING AWARENESS LEVEL OF HEALTHCARE END-USERS

by

Jerry Alsay

OLUDOTUN ONI, PhD, Faculty Mentor and Chair

ALFREDO DOMINGUEZ, PhD, Committee Member

SUSAN FEREBEE, PhD, Committee Member

Tonia Teasley, JD, Interim Dean, School of Business and Technology

A Dissertation Presented in Partial Fulfillment

Of the Requirements for the Degree

Doctor of Information Technology

Capella University

February 2019




ProQuest Number: 10979006

Published by ProQuest LLC (2019). Copyright of the Dissertation is held by the Author.

© Jerry Alsay, 2019

Abstract

Social engineering attacks are a significant cause of data breaches among healthcare organizations that electronically transmit health information in the United States. Such breaches are costly for healthcare organizations, can negatively impact patients, and are becoming increasingly common. The purpose of this quantitative study was to address the research question: to what extent do organizational security factors, information security awareness factors, and individual security factors predict the level of social engineering awareness among end-users of healthcare organizations? The theoretical framework for the study was based on transformational leadership theory, organizational security culture, and the theory of planned behavior. Multiple regression was used to analyze data collected from a sample of 113 employees of healthcare organizations in the continental United States. The level of social engineering awareness was found to be statistically significantly associated with both individual security factors and information security awareness factors. However, no significant relationship was found between organizational security factors and the level of social engineering awareness. The results indicate that to improve social engineering awareness among employees, management should focus more on individual security factors and information security awareness factors and not on organizational security factors.


Dedication

I would like to dedicate this study to my wife, Stephanie, and two children, Curtis and Camille. Without their support and patience throughout this whole journey, I would not have completed it.

Acknowledgments

I owe thanks to many people who helped and supported me while I worked on this study. I am grateful for having a supportive and patient doctoral committee and wish to thank Dr. Oludotun Oni, Dr. Alfredo Dominguez, and Dr. Susan Ferebee for their guidance and patience. Without their support, I would not have succeeded.

Table of Contents

Acknowledgments.................................................................................................. iv

List of Tables ....................................................................................................... viii

List of Figures ........................................................................................................ ix

CHAPTER 1. INTRODUCTION ........................................................................................1

Introduction ..............................................................................................................1

Background ..............................................................................................................4

Business Technical Problem ....................................................................................9

Research Purpose ...................................................................................................10

Research Questions ................................................................................................10

Rationale ................................................................................................................11

Theoretical Framework ..........................................................................................12

Significance............................................................................................................16

Definition of Terms................................................................................................17

Assumptions and Limitations ................................................................................19

Organization for Remainder of Study ....................................................................20

CHAPTER 2. LITERATURE REVIEW ...........................................................................22

Introduction ............................................................................................................22

Research Strategy...................................................................................................22

Organizational Information Security .....................................................................23

Security Factors .....................................................................................................36

Security Awareness Training .................................................................................57

Theory of Planned Behavior ..................................................................................58

Research Method ...................................................................................................60

Summary ................................................................................................................62

CHAPTER 3. METHODOLOGY .....................................................................................64

Introduction ............................................................................................................64

Design and Methodology .......................................................................................65

Population and Sampling .......................................................................................67

Setting ....................................................................................................................69

Data Collection ......................................................................................................69

Instrumentation ......................................................................................................72

Hypotheses .............................................................................................................74

Data Analysis .........................................................................................................76

Validity and Reliability ..........................................................................................81

Ethical Considerations ...........................................................................................82

Summary ................................................................................................................84

CHAPTER 4. RESULTS ...................................................................................................85

Introduction ............................................................................................................85

Data Collection Results..........................................................................................86

Descriptive Analysis ..............................................................................................92

Multiple Regression Results ..................................................................................95

Analysis of Hypotheses..........................................................................................97

Summary ................................................................................................................98

CHAPTER 5. CONCLUSIONS ......................................................................................100

Introduction ..........................................................................................................100

Evaluation of Research Questions .......................................................................100

Fulfillment of Research Purpose..........................................................................104

Contribution to Business Technical Problem ......................................................105

Recommendations for Further Research ..............................................................107

Conclusions ..........................................................................................................108

REFERENCES ................................................................................................................110

STATEMENT OF ORIGINAL WORK ..........................................................................126

List of Tables

Table 1. Reliability for the Predictor and Criterion Variables, N = 113...........................87

Table 2. Correlations of Criterion Variable (Level of Social Engineering Awareness) with Predictor Variables, N = 113 ..............................................................89

Table 3. Outlier Labeling Rule Analysis, N = 113 ...........................................................91

Table 4. VIF and Tolerance for the Predictor Variables, N = 113 ...................................92

Table 5. Sample Demographics, N = 113 .........................................................................94

Table 6. Variable Descriptive Statistics, N = 113 ............................................................95

Table 7. Regression Results for Level of Social Engineering Awareness on Predictor Variables, N = 113 ...............................................................................................97

List of Figures

Figure 1. Research model showing level of social engineering awareness as an effect of organizational security factors, information security awareness factors, and individual security factors ....................................................................................................75

Figure 2. Scatterplot to check for homoscedasticity (standardized residual by unstandardized predicted values for level of social engineering awareness)...............................90

Figure 3. Histogram with normal curve overlay for the regression residuals ....................93

CHAPTER 1. INTRODUCTION

Introduction

In today’s networked world, organizations must provide for the security of their information assets. For healthcare organizations, this is especially important, because security breaches can have negative effects on patient outcomes and healthcare quality (Ponemon Institute, 2016). Healthcare organizations that deal with patient data include health plans, healthcare clearinghouses, and healthcare providers (e.g., hospitals) that electronically transmit health information. Hereafter, the term healthcare organizations is used to refer to these entities in aggregate. The Health Insurance Portability and Accountability Act of the United States (HIPAA) regulates protected health information (PHI) about patient healthcare, health status, and payment for healthcare, requiring that such information be treated with special care. For the purpose of the present study, the terms patient data, medical records, and patient information refer interchangeably to PHI as defined by HIPAA.

Patients whose medical records are stolen from healthcare organizations may be treated inappropriately, lose access to health insurance benefits, or encounter difficulty in employment owing to false entries in their medical records (Agaku, Adisa, Ayo-Yusuf, & Connolly, 2014). Additionally, lost or stolen healthcare records result in up to $7 billion in losses to the healthcare industry annually (Agaku et al., 2014). Therefore, there is an urgent need for a strong information security strategy in the healthcare industry to prevent costly cyberattacks.

Troublingly, cyberattacks are increasingly common in healthcare, with an increase of 320% from 2015 to 2016 (Gammons, 2017). One reason for this increase is that patient health data is worth a premium on the black market, yielding greater profits for cybercriminals than other types of stolen data (Ablon & Libicki, 2015). Understanding the gaps in security that make successful cyberattacks possible is key to updating security policies to reverse this trend.

Although there are many types of cyberattacks, social engineering, or behavioral intrusion whereby hackers manipulate employees’ behavior in order to obtain privileged information (Ahmad, Maynard, & Park, 2014; Crossler et al., 2013), may be the main cause of a data breach in healthcare organizations (Ponemon Institute, 2016). However, end-users in healthcare organizations (e.g., hospitals, private practices), including healthcare practitioners (e.g., doctors, nurses, technicians) and administrators (e.g., billing professionals, records keepers), lack an appropriate level of social engineering awareness, so they may be unable to recognize social engineering attacks, resulting in a data breach (HIMSS, 2016; Junger, Montoya, & Overink, 2017).

Social engineering is a particularly troubling issue because it is one of the most difficult types of security threats to prevent (Indrajit, 2017). Whereas other types of attacks are preventable using firewalls and other software- and hardware-based techniques, preventing social engineering requires attention to the human element, including an understanding of the factors that correlate with end-user awareness of social engineering (Indrajit, 2017; Nishani & Biba, 2016). Recent research has identified security awareness as an important factor in organizational information security (Narain Singh, Gupta, & Ojha, 2014). An emerging research trend has demonstrated that end-users’ security awareness and intention to resist social engineering can be predicted with factors such as organizational culture, end-user awareness training, and security self-efficacy (Decker, 2008; Hauser, 2017; Holbert, 2013; Rocha Flores & Ekstedt, 2016). Additionally, there is an extensive body of research on the role and importance of security awareness in preventing social engineering attacks (Medlin, Cazier, & Foulk, 2008; Mishra, Caputo, Leone, Kohun, & Draus, 2014). However, none of these studies focused on factors that predict social engineering awareness among end-users in the healthcare industry. The lucrative black market for private health information has made it imperative to investigate the factors that influence the level of social engineering awareness among healthcare end-users, as PHI is especially attractive to cybercriminals, who can yield greater profits from this type of stolen data than from other types (Ablon & Libicki, 2015). While researchers know that social engineering awareness is important in healthcare, they still lack robust information on the factors that influence it. This lack of information is limiting practitioners’ ability to improve their level of social engineering awareness by addressing its antecedents. Also, because the structure and culture of a healthcare organization is always changing, and the methods of cybersecurity attackers are always improving, it is important to know the awareness level of end-users.

An understanding of the factors influencing social engineering awareness in the healthcare industry could help information technology professionals and healthcare managers take action to prevent social engineering attacks by focusing on the individual and organizational elements that are statistically important to security awareness. Therefore, the aim of this quantitative, regression study is to identify antecedents to social engineering awareness in the healthcare industry by examining the organizational security factors (i.e., transformational leadership and information security culture), information security awareness factors (i.e., general information security awareness and information security policy awareness), and individual security factors (i.e., end-users’ self-efficacy, attitude, and normative beliefs) that predict social engineering awareness in healthcare organizations.

This chapter introduces the study and proceeds as follows. The first section contains a brief background of the study. Next is a statement of the business technical problem and purpose of the study, followed by a list of the research questions and hypotheses. The chapter also contains descriptions of the rationale, theoretical framework, and significance of the study. Next, a section on the definition of terms provides the meanings of keywords and concepts used in the study. This is followed by a description of the assumptions and limitations of the study. A summary, presenting the organization of the remainder of the study, concludes the chapter.

Background

The importance of information technology cannot be overstated in a world of networked assets. In many industries, such as the healthcare sector, the most valuable assets increasingly consist of data only, which is stored, in transit, or in use across the internet or a cloud infrastructure. This is creating an increased burden on those responsible for protecting non-physical assets that may not be entirely in their control. This dependency has increased steadily over the years and has left the industry susceptible to having its information systems compromised, its valuable data stolen, or patient information abused (Ponemon Institute, 2016).

Healthcare organizations have been using electronic medical records for over 20 years, but recent developments in Internet-based storage and networking have emerged as a challenge to the security and privacy of electronic health records (Mishra et al., 2014). While maintaining medical information in an electronic form offers a multitude of benefits, private health information stored online could be at risk from the evolving technological threat of cyberattacks (Conteh & Schmick, 2016). As technology becomes increasingly indispensable in healthcare, security awareness is crucial to protect private health information and minimize fraud (Knight & Saxby, 2014).

Cyberattacks on healthcare organizations grew 320% from 2015 to 2016 (Gammons, 2017). The healthcare industry has become a major target for hackers for several reasons: (a) the information is sensitive in nature, (b) information stolen from hospitals is harder to track, and (c) the healthcare industry has been slow to adopt cybersecurity measures (Loughlin et al., 2014). A study by the Healthcare Information and Management Systems Society (HIMSS) revealed that approximately 85% of healthcare organizations view the protection of electronic information as a business and information technology priority (HIMSS, 2016). This is not surprising, given the increasing threat of cyberattacks and the financial cost that organizations can incur from security breaches. As healthcare information technology evolves, patients are becoming more aware that their sensitive health information is at risk (Choi, Kim, & Park, 2015).

The general problem of interest to researchers is that cybercriminals can take private health information and sell it for high prices on the dark web. Stolen medical records sell for 10 to 20 times more than any other type of data (Ablon & Libicki, 2015). According to an even more shocking estimate, criminals can make $50 on medical records for every $1 they would make on credit card information (Lowes, 2014). The lucrative market for private health information is especially attractive to cybercriminals. This problem occurs in healthcare settings including hospitals and private practices, and it affects patients and healthcare industry stakeholders (e.g., employees, executives).

Healthcare organizations, regardless of size, have become dependent on information technology to gain and maintain a competitive edge (Hyatt, 2015). A component of that competitive edge is the security posture of the organizational computing infrastructure, which contributes to maintaining the confidentiality, integrity, and availability of patients’ personal health information (Holtfreter & Harrington, 2015). As cybercriminals search for more profitable targets, healthcare organizations and the personal health information that they hold have been targeted. Cybercriminals are attracted by the wealth of patient information that healthcare organizations hold because it has more lasting value than other types of information (Kamoun & Nicho, 2014). Attacks on healthcare information systems have rapidly increased in recent years, by one estimate 125% faster than attacks on other types of data (Ponemon Institute, 2016).

Cybercriminals are continuously looking for ways to infiltrate healthcare systems. Attackers often choose the path of least resistance to compromise systems, and the weakest link in information security continues to be the end users (Abawajy, 2014). Interconnectivity and information sharing across healthcare organizations make it easier for criminals to access private health information (Warfield, 2012). There are several types of healthcare cyberattacks: (a) ransomware, involving malicious software that locks files until the organization pays a ransom to unlock the information (Richardson & North, 2017); (b) stolen private health information, involving hacking of medical records, which is the most common type of attack (Mearian, 2016); (c) insurance fraud, involving the use of personal data to file fake claims and collect reimbursement for nonexistent services (Clough, 2015); and (d) social engineering, or targeting healthcare employees with methods such as phishing to infect the health system with malware (Junger et al., 2017). Social engineering is a particularly troubling issue for the healthcare industry because healthcare employees are naturally trusting, and they have a desire to be helpful (HIMSS, 2016).

The current best solution to the problem is for information security managers to implement plans to identify, assess, and mitigate the evolving risk of cyberattacks on health information. Technical solutions such as artificial intelligence and machine learning have great potential to help mitigate cyberattacks (Nishani & Biba, 2016), but these new technologies will not remove the need to focus on the human factor, since end users are recognized as the most important element in information protection (Indrajit, 2017). Regardless of the level of sophistication in information system protection, it is virtually impossible to protect information assets unless the human element is adequately addressed. In healthcare settings, focusing on the human factor to protect client data involves hiring and training a knowledgeable workforce and developing a culture of security, in which employees are aware of the value of their organizations’ data and actively work to reduce the risk of data breaches (Ponemon Institute, 2016). There are multiple methods of addressing the human factor, and scholars do not yet clearly understand which of these ways is the best and most efficient.

Cyberattacks have significant negative consequences for healthcare organizations. Healthcare organizations have seen damages of more than $20 billion per year from attacks (Holtfreter & Harrington, 2015). More than 69% of chief information security officers from the healthcare industry have a concern about how to educate end users of their organizations to avoid attacks (Ponemon Institute, 2016).

Organizations can protect their information assets by implementing a security awareness program (Wolf, Haworth, & Pietron, 2011). A security awareness program refers to a program designed to influence user behavior to promote the protection of the organization’s information assets (Rocha Flores & Ekstedt, 2016). Such programs often focus on social engineering, which allows an attacker to exploit an organization’s employees by preying on their weakness and having them perform an action that benefits the attacker (Rocha Flores & Ekstedt, 2016). Employees’ level of social engineering awareness is important in determining whether they are able to resist this type of attack.

There are organizational, information security awareness, and individual security factors that can shape a person’s level of social engineering awareness (Decker, 2008; Holbert, 2013; Rocha Flores & Ekstedt, 2016). Organizational factors are internal factors, which are factors present within an employee’s organization, such as leadership and organizational culture (Decker, 2008; Holbert, 2013; Hyatt, 2015; Rocha Flores & Ekstedt, 2016). Individual factors are inherent factors related to individual employees; for example, self-efficacy describes whether employees feel that they are capable of recognizing and resisting social engineering attacks (Decker, 2008; Holbert, 2013; Rocha Flores & Ekstedt, 2016). There are also external factors, which are factors external to an organization; these can include social media or news outlets. External factors take into account how forces outside an organization can influence an employee’s ability to recognize a social engineering attack (Decker, 2008; Holbert, 2013; Rocha Flores & Ekstedt, 2016). Together, these types of factors may determine how an employee reacts to a social engineering attack within an organization.

The present study addressed the issue of antecedent factors to social engineering awareness in healthcare organizations using the theory of planned behavior. This theory is relevant to the study because it describes how individuals’ attitudes, subjective norms, and perceptions of behavioral control influence their motivation and intention to act in particular ways. The present study uses security attitude, subjective norms, and security self-efficacy (i.e., the perception of behavioral control with respect to security) as variables, so the theory of planned behavior is a fit for the present study. Other researchers investigating security awareness have used the theory of planned behavior (Ifinedo, 2014; Safa et al., 2015), because it follows logically from questions addressing end-users’ intention to resist social engineering and other cyberattacks. While previous research focused on security awareness from an organizational view, this study focused on security awareness from an individual view. The ultimate goal of understanding the factors antecedent to security awareness is to empower end-users with the intention to resist social engineering, so the theory of planned behavior is relevant in the present context.

Business Technical Problem

There is a problem with data breaches from social engineering attacks among healthcare organizations that electronically transmit health information in the United States (HIMSS, 2016). Although healthcare leaders implement programs to reduce attacks (Ponemon Institute, 2016; Rocha Flores & Ekstedt, 2016; Wolf et al., 2011), the number of attacks grew 320% from 2015 to 2016 (Gammons, 2017; Ponemon Institute, 2016). Previous studies have been conducted to gauge the extent to which organizational security factors, information security awareness factors, and individual security factors influence social engineering awareness (Rocha Flores & Ekstedt, 2016; Holbert, 2013; Decker, 2008). These studies focused on the organizational view of social engineering awareness, not the individual view. Also, these studies did not focus specifically on the healthcare industry, which is a high target area. Cybercriminals are using various social engineering methods to attack healthcare end-users, which are causing financial and reputational losses for the healthcare industry and their clients. More than 78% of security practitioners believed that a major cause of concern for data breaches is social engineering attacks (Ponemon, 2016). This problem has negatively impacted the healthcare industry because attacks are costing healthcare organizations up to $7 billion per year (Agaku et al., 2014). The problem has also negatively impacted patients because patients whose medical records are stolen from healthcare organizations may be treated inappropriately, lose access to insurance benefits, or encounter employment difficulty owing to false entries in their medical records (Agaku et al., 2014).

Research Purpose

The purpose of this quantitative multiple regression study is to determine whether organizational security factors, information security awareness factors, and individual security factors predict the level of social engineering awareness among healthcare end-users in healthcare organizations in the continental United States. There is an ongoing lack of understanding of what factors can raise a healthcare end-user’s level of social engineering awareness, thus preventing a potential social engineering attack. The results of this study are expected to contribute to the knowledge area of security awareness and social engineering awareness within the healthcare industry by informing healthcare information technology leaders on what to look for when assessing the level of social engineering awareness among their employees and how to develop an efficient and effective information security awareness program to combat the ever-present threat of cyberattacks.

Research Questions

The research questions of this study are:

RQ1: To what extent, if at all, do organizational security factors (i.e., transformational leadership and information security culture) predict the level of social engineering awareness among healthcare end-users?

RQ2: To what extent, if at all, do information security awareness factors (i.e., general information security awareness and information security policy awareness) predict the level of social engineering awareness among healthcare end-users?

RQ3: To what extent, if at all, do individual security factors (i.e., end-users’ self-efficacy, attitude, and normative beliefs) predict the level of social engineering awareness of healthcare end-users?

Rationale

This quantitative multiple regression study furthered the studies conducted by Decker (2008), Holbert (2013), and Rocha Flores and Ekstedt (2016). Decker analyzed internal, external, and inherent factors to security awareness of end users in institutions of higher learning. Holbert used Decker’s four factors to determine which had the greatest influence on the security awareness level of end users. Rocha Flores and Ekstedt investigated how organizational and individual factors shaped employees’ behavioral intention to resist social engineering within various industries. This study used Rocha Flores and Ekstedt’s research instrument, which draws on the theory of planned behavior to identify individual factors (i.e., self-efficacy, attitude, and normative beliefs), organizational factors (i.e., transformational leadership and information security culture), and security awareness factors (i.e., general information security awareness and information security policy awareness) related to security behaviors. The focus of this study was on the level of social engineering awareness, and the industry of focus was healthcare. This is important because other researchers have studied social engineering awareness in other settings, such as institutions of higher learning (Hauser, 2017) or the energy sector (Rocha Flores & Ekstedt, 2016), and even other countries, but have not specifically studied the healthcare industry.

The specific focus of this study was to determine which security factor or factors have the greatest influence on the level of social engineering awareness of a healthcare end-user. Too many security awareness programs are designed to meet a compliance requirement and do not take into account the need to educate users to fully recognize when they are being socially engineered. Not all end-users learn or retain information the same way, so healthcare organizations must think about the most efficient way for their end-users to retain awareness information and to stay motivated to protect their organizational assets.

Studying the healthcare industry specifically is relevant because of the type of information that can be gained from a successful attack by intruders. As stated earlier, PHI is very valuable, and its compromise can be detrimental for those affected. The effects of a successful attack can be felt both financially and reputationally by the affected healthcare organization and its affected clients (Agaku et al., 2014; HIMSS, 2016). While other business information assets are just as valuable, PHI is more valuable on the black market, which gives cybercriminals an extra incentive to take advantage of unsuspecting healthcare end-users with social engineering attacks. Even though many healthcare end-users are highly educated professionals, they can still be susceptible to highly engineered phishing attacks, due to the nature of their work.

Theoretical Framework

Transformational Leadership Theory

Bass (1998) developed the theory of transformational leadership in the 1980s. Transformational leadership is a leadership style that, according to the theory, can be distinguished from transactional leadership. Whereas transactional leaders use systems of reward and punishment to motivate subordinates to perform specific tasks, transformational leaders use techniques like inspiration, individualized treatment, and intellectual stimulation to motivate subordinates (Barling, Slater, & Kelloway, 2000). Transformational leadership theory is relevant to the present study because transformational leadership is one of the organizational factors that served as a predictor variable in the study.

The core assumption of transformational leadership theory is that leaders can motivate subordinates to perform beyond their own expectations by generating buy-in to the goals and values of the organization as a whole or the smaller team within which they work (Miner, 2015). In so doing, employees transcend their own self-interest to work for the good of a greater whole, rather than for a contingent reward like a paycheck or a promotion (Miner, 2015). In the 1990s, Avolio and Bass (1995) expanded the transformational leadership theory to emphasize the difference between individual-level transformational leadership (i.e., the behaviors of individual leaders) and organization-level transformational leadership (i.e., the culture that promotes selfless commitment to organizational goals). Because the theory supports the view that organizational and individual factors comprise a unified whole, it is especially relevant to the present study, which attempts to understand the organizational and individual factors that predict security awareness. In the context of information security, researchers have identified an important role of transformational leadership in employees’ intention to resist social engineering (Rocha Flores & Ekstedt, 2016) and in the effectiveness of security countermeasures (Humaidi & Balakrishnan, 2015). Owing to its logical connection to the independent variable and to existing findings on its importance in information security, transformational leadership theory is an important component of the theoretical framework for the present study.

Organizational Security Culture

Theoretical work exists describing the role of organizational culture in information security. Schein’s seminal work on organizational culture established a definition of organizational culture as “the system of shared beliefs and values that guides the behaviors of its members to maintain suitable patterns of social systems to survive in the dynamic environment” (Lim, Chang, Ahmad, & Maynard, 2012, p. 298). Organizational culture is important to business scholarship in many industries and research topics, but recent theoretical work has begun to identify a particular type of organizational culture that is important to security. Specifically, an organizational culture that places value on security is important to ensure that employee behavior aligns with security requirements. A key theoretical work in this vein that provides the framework for the present study is that of Lim et al. (2012).

The theoretical framework of Lim et al. (2012) is particularly relevant to the present study because the authors argue that an organizational security culture is important at both the individual and organizational levels. Not only does organizational security culture influence the behavior of employees (i.e., the individual level), it also enables the implementation of security at the organizational level, because the organization’s long-term plan and shared security values facilitate new and improved security practices (Lim et al., 2012). This is relevant to the present study because the study asks about both organizational and individual factors that influence security awareness. The Lim et al. (2012) framework supports this research aim by focusing on organizational culture as an antecedent to security behaviors.

Theory of Planned Behavior

Ajzen (2011) developed the theory of planned behavior, which describes how individuals’ attitudes, subjective norms (or normative beliefs), and perceptions of behavioral control (or self-efficacy) influence their motivation and intention to act in particular ways. This theory aligns with the present study, which asks about the extent to which individual factors of self-efficacy regarding resisting social engineering, attitude toward resisting social engineering, and normative beliefs about resisting social engineering predict security awareness in healthcare organizations.

According to the theory of planned behavior, an individual’s attitude consists of his or her tendency to evaluate things either positively or negatively. For example, information security attitude refers to an individual’s tendency to feel either positively or negatively toward information security (Safa et al., 2015). Subjective norms refer to an individual’s beliefs about what is important to his or her peers and superiors (Ifinedo, 2014). For example, if an individual believes that society expects him or her to behave in a certain way, the individual is more likely to behave in that way, according to the theory of planned behavior. Behavioral control refers to the extent to which individuals believe they, rather than someone else, have the power to accomplish particular tasks. For research purposes, behavioral control is often equated with self-efficacy, or the extent to which an individual believes he or she is capable of accomplishing a task (Ifinedo, 2014). For example, according to the theory of planned behavior, people who believe they are capable of becoming aware of information security are more likely to intend to pursue behavior consistent with that goal.

Many researchers have used the theory of planned behavior to investigate information security at the organization level (Ifinedo, 2014; Lebek et al., 2014; Safa et al., 2015), and these studies have largely confirmed its constructs. Researchers have used other theories in information security research, including protection motivation theory and general deterrence theory (Crossler et al., 2013). Additionally, some researchers have used the theory of reasoned action, which predates the theory of planned behavior (Siponen, Mahmood, & Pahnila, 2014). However, the central constructs of these theories are similar to those of the theory of planned behavior (Lebek et al., 2013). Because the theory of planned behavior has been so widely used, and because evidence has so widely confirmed its applicability to information security research, the theory of planned behavior is appropriate for use in this study. Additionally, the theory of planned behavior addresses the same individual factors that this study treated as predictor variables, making it a logical choice as a theoretical framework.

Significance

Contribution to Researchers

The research objective of this study was to examine the relationships between organizational security factors, information security awareness factors, and individual security factors and the level of social engineering awareness of healthcare end-users. Although there have been prior security awareness and social engineering awareness studies (Decker, 2008; Hauser, 2017; Holbert, 2013; Rocha Flores & Ekstedt, 2016; Medlin, Cazier, & Foulk, 2008; Mishra, Caputo, Leone, Kohun, & Draus, 2014), the relationship between the organizational security factors, information security awareness factors, and individual security factors of healthcare end-users is always changing, so continuous investigation is needed. Researchers have agreed that the combination of organizational security factors, information security awareness factors, and individual security factors exists (Decker, 2008; Hauser, 2017; Holbert, 2013; Rocha Flores & Ekstedt, 2016); however, an investigation into this combination involving healthcare end-users is needed due to the criticality of supporting healthcare information systems (HIMSS, 2016).

The results of this study helped to fill the gap in the literature by explaining the level of social engineering awareness of healthcare end-users, by empirically validating the theory of planned behavior, and by determining whether the level of social engineering awareness was the outcome of the combination of organizational security factors, information security awareness factors, and individual security factors of healthcare end-users. In addition, the study narrowed the gap in knowledge about social engineering awareness from an individual-level perspective, in contrast to the organizational perspective.

Finally, the research is of significance to researchers in the field of information security as it addresses a particular security concern (i.e., social engineering attacks) in a particular industry (i.e., healthcare), adding to the granularity of detail with which the research community understands information security.

Contribution to Practitioners

This study sought to inform and influence healthcare organization management by demonstrating the importance of understanding the level of social engineering awareness among their employees. Continuous cyberattacks against their most important asset require management to develop and redefine strategies for security awareness and, in particular, social engineering. This study was meaningful to the community of healthcare organizations because it identified factors that may predict a high level of social engineering awareness. With knowledge of these factors and their predictive value for security awareness, healthcare stakeholders were empowered to develop and promote new initiatives that were more effective and efficient in preventing social engineering attacks by increasing end-user security awareness. The research problem is of significance to healthcare information security professionals and managers because such professionals are tasked with safeguarding the private health data that is entrusted to them. The problem is also significant to executives of healthcare organizations because data breaches result in significant financial losses to the organizations, which may be tasked by shareholders (in the case of private companies) or taxpayers (in the case of public organizations) to maximize cost-effectiveness and minimize unnecessary losses.

Definition of Terms

The major concepts in this study are social engineering, social engineering awareness, and information security awareness. These concepts and other important terms are defined in the statements below, based on their use in this study.

Attitude is the degree to which information security behavior is positively valued (Decker, 2008).

Cyberattack is an offensive type of attack that targets computer information systems through malicious acts from an anonymous source that steals, alters, or destroys a specified target system (Ilves, 2016).

End-user is an individual who uses a computer system and computer applications for their daily work (Bhatnagar, Madden, & Levy, 2016).

General information security awareness is an employee’s individual perception of their own awareness of general information security phenomena (Rocha Flores & Ekstedt, 2016).

Individual security factors are inherent security factors that relate to an individual employee (Rocha Flores & Ekstedt, 2016).

Information security is the protection of an information system that uses, stores, and transmits information (von Solms & van Niekerk, 2013).

Information security awareness factors are internal security factors that relate to an individual’s knowledge of an organization’s security policies (Decker, 2008).

Information security culture is an employee’s individual perception of shared beliefs and values among colleagues in their work environment (Decker, 2008).

Information security policy awareness is an employee’s individual perception of their own cognizance of the actual information security policies in their organization (Rocha Flores & Ekstedt, 2016).

Level of social engineering awareness is an employee’s intention to resist a social engineering attack (Rocha Flores & Ekstedt, 2016).

Normative beliefs are an employee’s perceived social pressure about their social engineering security behavior caused by the behavioral expectations of managers or colleagues (Rocha Flores & Ekstedt, 2016).

Organizational security factors are internal security factors which are present within an employee’s organization (Decker, 2008).

Security awareness is the level of comprehension that users have about the importance of information security best practices (Abawajy, 2014).

Security awareness program is a program designed to influence a user’s behavior toward the protection of the organization’s information assets (Rocha Flores & Ekstedt, 2016).

Self-efficacy is an employee’s judgment of personal skills, knowledge, or competency about their level of social engineering awareness (Rocha Flores & Ekstedt, 2016).

Social engineering is the art of getting users to compromise information systems (Krombholz, Hobel, Huber, & Weippl, 2015).

Transformational leadership is a leader’s action to generate awareness and motivate employees to change their information security behaviors (Decker, 2008).

Assumptions and Limitations

Assumptions

This study involved several assumptions. The first assumption is that each participant is a healthcare end-user, defined as an employee involved in using information technology systems that give the employee access to PHI that is protected under HIPAA. The second assumption is that all participants have full knowledge of their organization’s security awareness program, so they can accurately answer the survey questions. The third assumption is that the participants were truthful in their responses and did not manipulate their answers to hide their true beliefs. There are also assumptions related to the statistical tests that were conducted in this study: (a) there is a linear relationship between the variables, (b) the residuals are normally distributed, (c) there is no multicollinearity between the variables, (d) there is homoscedasticity across the variables, (e) the data do not have any outliers, and (f) the residuals (errors) are normally distributed.
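The regression assumptions listed above are testable rather than merely assumed. The following is an added example, not code from the dissertation, showing how each of them (linearity via the fitted model, multicollinearity via variance inflation factors, homoscedasticity via the Koenker form of the Breusch-Pagan test, normality of residuals via the Jarque-Bera statistic, and outliers via standardized residuals) can be checked on a survey dataset shaped like the one this study describes for RQ3. The data are constructed here with a seeded random generator on 1-to-7 Likert-style scales and are not the study's data; the variable names, the true coefficients used to generate them, and the chi-square critical values table are the example's own assumptions. It goes slightly beyond the text by also generating two deliberately flawed datasets (one with collinear predictors, one with heteroscedastic errors) so the checks can be seen to trip. Only the Python standard library is used.

```python
"""Multiple regression assumption checks on constructed survey data (example only)."""
import random
from statistics import mean, pstdev

# Predictor names follow the study's individual security factors (RQ3); outcome is awareness.
PREDICTORS = ("self_efficacy", "attitude", "normative_beliefs")

# Upper 5% critical values of the chi-square distribution by degrees of freedom (standard table).
CHI2_95 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}


def make_survey(n=240, seed=7, collinear=False, heteroscedastic=False):
    """Constructed responses, not real study data. True model: 1 + 0.4*SE + 0.3*ATT + 0.2*NB + noise."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        se = rng.randint(1, 7)
        att = rng.randint(1, 7)
        # Injected flaw: normative beliefs nearly a copy of self-efficacy (multicollinearity).
        nb = se + rng.gauss(0, 0.5) if collinear else rng.randint(1, 7)
        # Injected flaw: error spread grows with self-efficacy (heteroscedasticity).
        noise_sd = 0.3 * se if heteroscedastic else 0.5
        sea = 1.0 + 0.4 * se + 0.3 * att + 0.2 * nb + rng.gauss(0, noise_sd)
        rows.append({"self_efficacy": se, "attitude": att,
                     "normative_beliefs": nb, "awareness": sea})
    return rows


def solve(a, b):
    """Solve the square system a*x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        p = m[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular design matrix: perfectly collinear predictors")
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def ols(x_rows, y):
    """Ordinary least squares with intercept. Returns (coefficients, fitted, residuals, R^2)."""
    design = [[1.0] + list(r) for r in x_rows]
    k = len(design[0])
    xtx = [[sum(r[i] * r[j] for r in design) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * yi for r, yi in zip(design, y)) for i in range(k)]
    beta = solve(xtx, xty)
    fitted = [sum(b * v for b, v in zip(beta, r)) for r in design]
    resid = [yi - fi for yi, fi in zip(y, fitted)]
    ybar = mean(y)
    ss_tot = sum((yi - ybar) ** 2 for yi in y)
    ss_res = sum(e * e for e in resid)
    return beta, fitted, resid, 1.0 - ss_res / ss_tot


def vifs(x_rows):
    """Variance inflation factor per predictor: 1/(1 - R^2) of that predictor on the others."""
    out = []
    for j in range(len(x_rows[0])):
        target = [r[j] for r in x_rows]
        others = [[v for i, v in enumerate(r) if i != j] for r in x_rows]
        r2 = ols(others, target)[3]
        out.append(1.0 / (1.0 - r2) if r2 < 1.0 else float("inf"))
    return out


def breusch_pagan(x_rows, resid):
    """Koenker form of the Breusch-Pagan test: LM = n * R^2 of squared residuals on the predictors."""
    r2 = ols(x_rows, [e * e for e in resid])[3]
    lm = len(resid) * r2
    return lm, lm > CHI2_95[len(x_rows[0])]


def jarque_bera(resid):
    """Jarque-Bera normality statistic on residuals, compared with chi-square on 2 df."""
    n = len(resid)
    mu = mean(resid)
    m2 = sum((e - mu) ** 2 for e in resid) / n
    m3 = sum((e - mu) ** 3 for e in resid) / n
    m4 = sum((e - mu) ** 4 for e in resid) / n
    skew, kurt = m3 / m2 ** 1.5, m4 / m2 ** 2
    jb = n / 6.0 * (skew ** 2 + (kurt - 3.0) ** 2 / 4.0)
    return jb, jb > CHI2_95[2]


def outliers(resid, threshold=3.0):
    """Indices of observations whose standardized residual exceeds the threshold."""
    sd = pstdev(resid)
    return [i for i, e in enumerate(resid) if abs(e / sd) > threshold]


def check_assumptions(rows):
    """Fit the RQ3-style model and report every assumption check in one dictionary."""
    x = [[r[p] for p in PREDICTORS] for r in rows]
    y = [r["awareness"] for r in rows]
    beta, _, resid, r2 = ols(x, y)
    lm, hetero = breusch_pagan(x, resid)
    jb, non_normal = jarque_bera(resid)
    return {"coefficients": dict(zip(("intercept",) + PREDICTORS, beta)), "r2": r2,
            "vif": dict(zip(PREDICTORS, vifs(x))),
            "breusch_pagan": lm, "heteroscedastic": hetero,
            "jarque_bera": jb, "non_normal_residuals": non_normal,
            "outliers": outliers(resid)}


if __name__ == "__main__":
    for label, kw in (("clean", {}), ("collinear", {"collinear": True}),
                      ("heteroscedastic", {"heteroscedastic": True})):
        print(label, check_assumptions(make_survey(**kw)))
```

On the clean dataset the VIFs sit near 1 and neither the Breusch-Pagan nor the Jarque-Bera flag should trip; on the collinear dataset the VIFs for self-efficacy and normative beliefs exceed the conventional cutoff of 5, and on the heteroscedastic dataset the Breusch-Pagan statistic exceeds its critical value. Hypothesis-test flags carry a 5% false-positive rate by construction, so a single flag on real survey data is a prompt to inspect residual plots, not a verdict.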

Limitations

Several limitations were present in this study. The first limitation of the study is the use of closed-ended, scale questionnaire items without open-ended questions; participants’ responses therefore lacked detail on participants’ perspectives. This weakness is inherent in quantitative research, according to Steckler, McLeroy, Goodman, Bird, and McCormick (1992). The second limitation of the study is that it was only available over the Internet, so it did not include participants who do not have Internet access, and little was known about participants’ characteristics. According to Wright (2005), these are inherent disadvantages of online survey research. The third limitation of this study is that the sample was not generalizable beyond the population from which it was drawn, largely owing to the sampling issues inherent in online survey research (Wright, 2005).

Organization for Remainder of Study

This chapter provided an overview of the study, the purpose of which is to determine if there are any correlations between organizational and individual security factors and the level of social engineering awareness of healthcare end-users. The researcher explained the significance of the study, with emphasis on the potential positive effect of understanding the factors that contribute to social engineering awareness.

The remaining chapters are organized as follows. Chapter 2 presents a thorough review of professional and academic literature related to the research topic from a historical and contemporary point of view. Chapter 3 discusses the research design and methodology, along with a discussion of the research instrument, data collection and analysis methods, reliability and validity of the selected instruments, and ethical considerations. Chapter 4 presents data relating to the study results. Chapter 5 presents discussions, implications, and recommendations.

CHAPTER 2. LITERATURE REVIEW

Introduction

The purpose of this study is to determine whether organizational and individual factors of the healthcare end-user predict the level of social engineering awareness of the healthcare end-users in the continental United States. This chapter contains a review of existing theoretical and empirical literature related to the research topic. The goal of this review is to provide an overview of the literature on security awareness programs and social engineering awareness programs. The chapter proceeds as follows. First, the researcher describes the literature search strategy. Next is a review of literature related to organizational information security, including types of information security, information security in the healthcare industry, and types of information security breaches, with a focus on social engineering. In the following section, the researcher presents a discussion of internal factors that influence organizational security, divided into individual and organizational factors. There is a separate discussion for each factor pertinent to the study, and links are drawn among the factors within each of the subsections. Next, a brief section describes the existing literature on the importance of security awareness training for preventing security breaches, followed by a section considering the research method for the present study. Finally, there is a discussion of the theory of planned behavior, its development, and its strengths and weaknesses. A summary concludes the chapter.

Research Strategy

This chapter contains a review of research studies and scholarly content related to security awareness generally, social engineering specifically, and the factors that influence end-user awareness of security and social engineering. The researcher used the following databases to search for relevant articles: ProQuest, Academic Search Premier, ProScience, Google Scholar, and Academic OneFile. Using these databases, the researcher searched for articles using the following search terms, alone and in combination: behavioral intent, behavioral intention, cyber-attacks, employee behavior, healthcare, information security, information security attitude, information security awareness, information security breaches, information security culture, information technology, normative beliefs, organizational culture, organizational information security, organizational security factors, self-efficacy, social engineering, theory of planned behavior, and transformational leadership.

Search results were narrowed to include only articles published since 2013. The purpose of this limitation was to emphasize recent literature. As a result, this chapter heavily emphasizes recent findings in the field of information security. However, when recent articles contained citations leading to seminal works, or when no recent articles contained results for particular topics, the researcher included older articles in the review.

Organizational Information Security

Information security is an increasingly important issue in organizations because organizations have assets and resources that exist only in the form of digital information, whether stored locally on computer servers or remotely using cloud-based storage (Crossler et al., 2013; Narain Singh, Gupta, & Ojha, 2014). Information and technologies are essential to business success because they represent sources of market knowledge and innovation, and these are key to an organization's competitive advantage (Ahmad et al., 2014). Therefore, if an organization suffers a breach to the security of its information, it could lose its competitive edge, resulting in significant negative consequences.

Security breaches can negatively affect businesses, even when data is not lost. For example, denial of service attacks can disrupt an organization's internet connectivity and e-mail access, leading to costly downtime and loss of productivity (Ahmad et al., 2014). Therefore, ensuring information security is essential if businesses are to avoid losses from security breaches.

Information assets are vulnerable to a variety of threats, including hacking, denial of service attacks, and behavioral intrusion such as social engineering (Crossler et al., 2013). Because technologies change rapidly, organizations must constantly adapt and respond, modifying their information security management in ways that prevent emerging types of security breaches (Burns, Posey, Courtney, Roberts, & Nanayakkara, 2017; Crossler et al., 2013; Narain Singh et al., 2014). Such responses constitute information security management.

In most organizations, information security management practices focus on implementing technological tools, such as firewalls and denial of service detection, in an attempt to prevent information security breaches (Crossler et al., 2013). Ahmad et al. (2014) reported that 60% of organizations use "information security countermeasures, including anti-virus software, firewalls, anti-spy software, virtual private networks (VPN's), vulnerability/patch management, encryption of data in transit, and intrusion detection systems" (p. 358). Although it is vital for organizations to implement such technologies, these efforts are not enough, because security breaches continue to occur, even increasing in frequency.

As Crossler et al. (2013) pointed out, scholars have long recognized that “the individual user within an organization,” or the end user, “is a predominant weakness in properly securing information assets” (p. 90). Narain Singh et al. (2014) echoed this sentiment, stating that information security management is not merely, or even primarily, a technical issue, but that “the management and behavioral aspects are also of pivotal importance but are often overlooked by organizations” (p. 644). Empirical evidence supports the argument that managers take one-sided approaches to information security management. In a qualitative, focus-group study with security managers from eight organizations, Ahmad et al. (2014) found that security managers took an ad-hoc approach to implementing security strategies, and they focused on maintaining access to data (e.g., by preventing denial of service attacks), ignoring the risks to business and competitiveness. The strategies that Ahmad et al. (2014) surveyed were mostly externally oriented, neglecting the behaviors of technology end-users within the organizations. This literature suggests that there is a need for further investigation into how information security strategies affect information behaviors and outcomes within organizations.

Types of Information Security Strategies

Scholars who have recognized the importance of the human element to protecting organizational data define information security management as a multifaceted discipline involving a range of approaches to protecting organizational assets and privacy (Narain Singh et al., 2014). In their synthesis of literature, Ahmad et al. (2014) identified nine strategies that organizations use to secure their informational assets:

(a) prevention strategies focus on protecting data, for example by prohibiting unauthorized access to data;

(b) deterrence strategies focus on influencing people in a way that discourages them from trying to breach the organization’s security;

(c) surveillance strategies focus on monitoring information security, for example using tools that attempt to detect denial of service attacks;

(d) detection strategies attempt to identify behavior that might result in security breaches;

(e) response strategies focus on repairing damage or reinstating security after breaches or attacks have occurred;

(f) deception strategies focus on leading attackers down the wrong path, protecting valuable assets by attracting attackers toward less valuable assets;

(g) perimeter defense strategies focus on regulating incoming and outgoing information, reducing the number of points vulnerable to attack;

(h) compartmentalization strategies focus on dividing valuable information assets into smaller sections and securing those sections separately, such that a majority of information will remain secure even if one of the sections is breached; and

(i) layering strategies focus on using multiple strategies to secure assets, so that the full complement of strategies will work together and the failure of a single strategy will not be catastrophic.

These nine strategies can apply to security efforts broadly, including physical security, but Ahmad et al. (2014) argued that all nine are relevant to information security at the organizational level. In their qualitative study, they found that all the strategies except deception were in use in at least some of the organizations they studied. However, managers’ understanding of and ability to effectively implement these strategies was lacking (Ahmad et al., 2014). Additionally, managers did not effectively combine strategies into multifaceted information security programs.

For the present study, some of the nine approaches to information security are more relevant than others. For example, prevention strategies can include both technological tactics (e.g., firewalls) and behavioral tactics (e.g., non-disclosure agreements). However, detection strategies are generally technology-based and externally facing, so they do not address the human element of securing organizational data assets. This conceptual issue represents a limitation of existing taxonomies of prevention strategies. Nevertheless, implementation of externally-facing security measures may be related to employees' security awareness and behavior. One of the goals of the present study is to determine whether internal and external factors of information security correlate with employees' security awareness. A later section of this chapter contains a review of literature related to these internal and external factors.

From a business perspective, there are also various strategies for information security investment. According to Huang, Behara, and Goo (2014), organizational information security investment decisions consist of three dimensions. First, organizations must decide how much to invest in information security. Second, they must decide in which technologies, tools, or measures to invest. Third, they must make implementation decisions about how to make information security measures effective (Huang et al., 2014). In their cost-benefit analysis of healthcare organizations’ information security investment, Huang et al. (2014) concluded that for information assets where breaches would potentially be very costly, investing in security is valuable from a business standpoint. However, they argued that healthcare organizations rarely consider the intrinsic benefits of information security investment, focusing only on risk reduction, and thereby potentially missing the benefits of enhanced security (Huang et al., 2014). This suggests that organizations, especially healthcare organizations, could benefit from further information security investment. A weakness of this theoretical work is that it does not present outcome results from the empirical literature, indicating a need for further empirical research on the impact of investment and various prevention strategies on actual security outcomes. The next section focuses on information security issues specific to the healthcare industry.

Information Security in the Healthcare Industry

In the healthcare industry, information security breaches are costly. According to one estimate, lost or stolen healthcare records result in up to $7 billion in losses to the healthcare industry annually (Agaku et al., 2014). Unlike in other industries, however, information security is not only a matter of protecting valuable business assets, but also a question of patient safety and regulatory requirement. Breaches in healthcare information security can lead to identity theft, causing dire financial and medical consequences for patients whose identities are stolen. Agaku et al. (2014) pointed out that “victims of medical identity theft may receive inappropriate medical treatment (including potentially harmful medication), exhaust their health insurance benefits, or fail pre-employment medical screening examinations because of the presence of bogus health conditions in their health records” (p. 374). Therefore, it is important from a patient safety perspective to prevent security breaches in healthcare organizations.

From a regulatory perspective, the Health Insurance Portability and Accountability Act (HIPAA) requires that healthcare organizations take proactive measures to protect patient health information (Kwon & Johnson, 2014). Additionally, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which incentivizes hospitals for implementing healthcare technologies like electronic medical records, stipulates that healthcare organizations must attest that they have implemented security provisions (Kwon & Johnson, 2014). Therefore, information security is an especially relevant topic in the healthcare industry.

Breaches in healthcare information security can occur in many ways. Difficult-to-secure applications and technologies, such as mobile devices and cloud-based storage, are vulnerable to unauthorized access such as hacking. Additionally, healthcare providers often exchange sensitive healthcare information to facilitate care provision (Agaku et al., 2014). For example, a clinic may send protected information to an insurance provider via e-mail in order to expedite insurance claim processing. In such an example, not only is the information subject to interception by thieves if not adequately secured, but it is also vulnerable to misuse by employees who are authorized to access the data.

Despite the existence of legislation requiring that healthcare organizations secure patient

health data, there are still concerns in the industry regarding the safety of electronic health

information. Agaku et al. (2014) conducted a survey study to assess perceptions of healthcare

data security among nearly 4,000 U.S. adults and to determine whether such perceptions affected

their tendency to disclose sensitive information to healthcare providers. The results indicated that

around two-thirds of participants were concerned about the potential for security breaches when

they transferred their health information by fax or electronically (Agaku et al., 2014).

Furthermore, patients who felt that they had little or no control of their medical records were

42% more likely than others to withhold health information due to security concerns (Agaku et

al., 2014). These results underscore the importance of information security to patient health

outcomes; if patients are concerned about data security and withhold information, healthcare

providers may have a limited ability to provide adequate care, because they do not have all the

information they need.

In another important empirical study, Angst, Block, D'Arcy, and Kelley (2017)

investigated the effect of information security investments on data breaches in healthcare

organizations. They hypothesized that, in organizations where information security strategies are

closely linked to actions (as opposed to merely symbolic, e.g., unenforced policies), security

investment would be more effective at reducing the number of data breaches over time.

By analyzing data from 5,000 hospitals in the United States, they found that, contrary to their

hypothesis, investment in symbolic security measures (i.e., those without concrete links to

action, whether internal or external to the organization) led to an increase in the likelihood of

security breach. Simply investing in information security was not enough to reduce data

breaches. Rather, the researchers found that decreased likelihood of data breaches was associated

with institutional factors, and they concluded that institutional factors influence how healthcare

organizations invest in information security in ways that are meaningful for security outcomes

(Angst et al., 2017). Although this research is not conclusive, because additional studies and

replications have not yet occurred to validate the result, the finding suggests that there is a need

to understand how institutional factors influence information security. In this study, the

researcher addressed this need by examining the extent to which institutional and personal

factors influence security awareness among end-users in healthcare organizations.

The population of interest in the study is end-users in healthcare organizations (e.g.,

hospitals, private practices), including healthcare practitioners (e.g., doctors, nurses, technicians)

and administrators (e.g., billing professionals, records keepers). By addressing this population,

the present study fills an important gap in existing research. As evidenced in this section, the

majority of recent research on security awareness in healthcare has focused only on management

practices, organizational security policies, and other top-down approaches. For example, Angst

et al. (2017) focused on security policies and data breaches, not the individual human element.

Mishra, Draus, Goreva, and Caputo (2016) conducted a study focusing on social engineering in

healthcare settings, but their survey sample consisted of students in healthcare programs, so their

results are likely not applicable to understanding user behavior in real-world healthcare settings.

Social Engineering and Other Breach Types

There are many types of security breaches to which organizations might fall victim,

including hacking, denial of service attacks, and behavioral intrusion such as social engineering

(Ahmad et al., 2014; Crossler et al., 2013). The greatest percentage of data breaches can be

attributed to policy violations or negligence among employees or contractors (Soomro et al.,

2016). In the United States, there are hundreds of data breaches annually, resulting in millions of

lost or stolen records, and affected firms incur tens of millions of dollars in costs from the

breaches (Soomro et al., 2016), indicating the urgency of addressing this issue.

Behavioral intrusion, whereby hackers manipulate employees’ behavior in order to obtain

privileged information, is particularly dangerous because it exploits individuals’ security

behavior, which is known to be the weakest link in organizational information security (Rocha

Flores & Ekstedt, 2016). This type of breach occurs when employees click on malicious e-mail

links, inadvertently download malicious software onto their computers, reveal their passwords

over the phone, and fall victim to phishing scams. All such behavioral data breaches fall into the

category of social engineering.

In a survey of cyber-attack types, Raiyn (2014) defined several types. Notably, in remote

to local user attacks, an attacker outside the organization gains access to a remote organizational

computer by exploiting technological vulnerabilities in the system (also called hacking);

similarly, in user to root attacks, an attacker with access to an organizational account (within the

organization) exploits upstream vulnerabilities to gain access to higher level privileged

information. These types of attacks frequently occur in sequence. An attacker, having gained

access to a user account, can then use the user account access to gather and leak data. This

dangerous attack pattern can begin with social engineering (Raiyn, 2014). If an attacker can get

access to a user account via phishing or another social engineering strategy, the attacker can

often proceed from there to wreak havoc for the information security of the organization.

Such attack pathways are called advanced persistent threats (Krombholz et al., 2015).

According to Krombholz et al. (2015), social engineering is the most dangerous form of a

security breach because even the most technologically secure systems are vulnerable. Further,

social engineering can be automated, for example by creating a mass e-mailing system to phish

for passwords throughout even very large organizations. High-profile organizations like Google,

The New York Times, PayPal, and Facebook have fallen victim to social engineering

(Krombholz et al., 2015). Therefore, there is an increased interest in understanding the causes of

social engineering success and preventing employees from falling victim to such attacks.

Krombholz et al. (2015) defined five social engineering approaches: (a) physical approaches rely on gathering information from a physical, rather than virtual, environment. Examples include taking notice of passwords written on sticky notes, often after having legitimately gained access to an employee’s office space, and dumpster diving; (b) social approaches rely on persuading individuals to give away privileged information, often after developing a relationship with the victim to enhance trust. Attackers usually engage in this type of behavior over the phone; (c) in reverse social engineering approaches, attackers secretly sabotage victims’ computer systems and then advertise their services to help fix the problems. In the process of fixing the computer system, the attackers will ask for passwords or ask victims to install malicious software, claiming that these measures are required for the fix; (d) technical approaches involve searching the internet for data that users have previously made available in public forums like social media. According to Soomro, Shah, and Ahmed (2016), social media is fundamentally incompatible with organizations’ information security interests; and (e) socio-technical approaches combine elements of social and technical approaches. This category includes e-mail phishing as well as the more sophisticated technique of spear-phishing, whereby attackers target phishing messages directly to individuals after gathering data on those individuals via the internet (Krombholz et al., 2015).

Although this list covers a wide range of malicious behavior and potential data breaches,

it is not necessarily exhaustive. Therefore, as a construct for research, social engineering is

perhaps best understood using Rocha Flores and Ekstedt’s (2016) broader definition of an attack

in which organizational end users knowingly or unknowingly perform actions that benefit

attackers.

Existing Research on Social Engineering Awareness

In recent years, research on social engineering awareness has largely emphasized linking

the variable to other variables or testing interventions to improve social engineering awareness.

However, it is reasonable first to review a small number of studies that have directly addressed

the state of social engineering awareness in various settings. A qualitative study conducted in

Sweden found that, although managers at production companies had a good awareness of social

engineering, they had divergent views on the potential impact of social engineering attacks

(Svanlund, Kronberg, & Jeppsson, 2015). One potential explanation for this finding could be that

managers have different educational backgrounds.

The idea that managers have different educational backgrounds finds support in Hauser’s

(2017) study, which addressed social engineering awareness in higher education settings. The

results of Hauser’s study showed that faculty and students in information technology programs

were aware of social engineering, but business students and faculty lacked awareness. This

finding is relevant to the present study because it suggests that organizations whose managers

have not received specific training in information technology may not have the knowledge

necessary to institute information security cultures.

In addition to educational backgrounds, linguistic backgrounds could play a role in social

engineering awareness, as Drevin, Kruger, Bell, and Steyn (2017) found in their study, based in

South Africa. The study took place at a group of hospitals, and the researchers’ goal was to

assess the level of security awareness among healthcare employees. They gave participants a

vocabulary test to determine whether they were familiar with words and concepts related to

security awareness. They found that there were significant differences across business functions,

supporting the Hauser (2017) study, and that there were differences across language groups. This

finding suggests that social engineering awareness could be language specific. Although the

present study does not address the role of participants’ native language, the finding is still

relevant because it underscores the extent to which individual factors play a role in information

security outcomes.

Turning to research on the importance of intervention to improving social engineering

awareness, Alkhamis and Renaud (2016) found that, after watching a training video, employees

in Saudi Arabia were able to pass a social engineering awareness quiz. Similarly, Bullée,

Montoya, Pieters, Junger, and Hartel (2015a) conducted a study in which they first administered

an intervention to half of a group of employees working in an office setting. After the

intervention, the researchers staged a security attack, using a prewritten script to try to convince

employees to voluntarily hand their office keys to the people posing as offenders. They found a

striking difference in how employees responded to the threat: 62.5% of employees who did not

receive the intervention fell victim to the social engineering attack, compared with only 37% of

those who received the training (Bullée et al., 2015a). From this study, it is possible to draw two

important conclusions. First, without the appropriate training, employees may show an alarming

lack of social engineering awareness, evidenced by the fact that more than half of respondents

gave their keys to an attacker in the Bullée et al. (2015a) study. Second, intervention appeared to

be highly effective in preventing the attack.

Although research like the Bullée et al. (2015a) study is useful for identifying the

potential benefit of interventions for increasing social engineering awareness, not all scholars are

in favor of such research. For example, Mouton, Malan, Kimppa, and Venter (2015) raised

concerns about the ethics in social engineering research. They identified studies in which

researchers stage social engineering attacks as a potential ethical concern, with the possibility to

cause harm to research participants. Therefore, it is important for researchers to ensure that they

follow proper ethical measures when they research this topic. Chapter 3 contains a discussion of

the ethical considerations of the present study.

In a theoretical article, Bullée, Montoya, Pieters, Junger, and Hartel (2015b) made the

case that research on social engineering attacks can be beneficial to practitioners in preventing

social engineering attacks. The authors suggested that, by using regression analysis data from

social sciences research, practitioners can incorporate the complexities of the human element

into their models for understanding and preventing social engineering attacks. Korpela (2015)

made a similar argument in an article describing methods for subjecting existing research data to

data analytics in order to better prevent cyber security attacks. These arguments suggest that

there may be significant practical benefit from research on social engineering, in part

overcoming ethical concerns.

Another study by Junger et al. (2017) raises further questions about the efficacy of certain

types of interventions. They found that, among a sample of shoppers in the Netherlands, the

majority of participants provided personal information to staged attackers, even after receiving

priming questions and a warning about social engineering attacks. Just under half of the

participants (43.5%) provided their bank account details, with much higher percentages for other

types of information, including e-mail addresses and purchase history (Junger et al., 2017). This

alarming result underscores the need for further research into ways of improving social

engineering awareness in society broadly.

Rocha Flores and Ekstedt (2016) conducted one of the most important recent works in

this field. They studied information security awareness, rather than social engineering awareness

per se, but their large sample of 4,296 employees at multiple organizations in Sweden makes

their study one of the most robust to date. The results showed that participants’ attitude toward

social engineering and their self-efficacy concerning social engineering were significantly

predictive of information security awareness (Rocha Flores & Ekstedt, 2016). This study is

especially important to the present research because this present study uses variables and a

theoretical framework similar to those that Rocha Flores and Ekstedt used.

Turning to the category of studies that examine the relationships between social engineering

awareness and other variables, Rocha Flores, Antonson, and Ekstedt (2015), in a study prior to

the one described above, collected data from information security executives and employees at

24 different organizations, with the goal of determining whether there was a relationship between

social engineering awareness and how the organizations governed information security. They

found that organizations with explicit information security departments or committees had

significantly better awareness among their employees (Rocha Flores et al., 2015). This suggests

that, in addition to intervention and employee training, organizations can build social engineering

awareness into their structure.

The studies reviewed in this section are the primary research works on social engineering

awareness from the past half-decade. Although earlier research exists, the vast majority of

current work is theoretical, providing information on types of social engineering attacks and

prevention strategies. As technology and social engineering strategies change rapidly, so do these

taxonomies (Gardner & Thomas, 2014; Mann, 2017). Therefore, there is a gap in existing

research related to social engineering awareness, particularly about the factors that influence

such awareness. The present study addresses this gap.

Security Factors

Factors that influence information security outcomes in organizations are numerous.

Existing research has attempted to identify factors related to organizational security, but results

are heterogeneous, and no standardized, generally agreed upon set of factors exists (Narain Singh

et al., 2014). However, organizational security factors can be classified into external and internal

categories.

External factors are “external in nature, i.e., organizations do not have any control over

them, but have to comply or act according to them” (Narain Singh et al., 2014). Examples of

external security factors include the current level of information technology, changing security

risks from outside the organization (e.g., hacking and social engineering strategies), legislation

and regulation, and characteristics of the market and competitors (Narain Singh et al., 2014).

Internal factors are “factors that organizations have to control and manage internally,

such as business issues, IT infrastructure, strategic vision, and aligning IT with [the] company’s

strategy” (Narain Singh et al., 2014, p. 649). Decker (2008) indicated that internal factors include

security policies, end-user awareness training, and management. Harris (2010) identified that

organizational security policies are the pillar for protecting data and security awareness training

is the instrument to instruct end users about security policies. Therefore, the internal factors that

contribute to organizational security interact with and mutually reinforce one another.

Internal factors can be further categorized into organizational and individual factors.

These two types of internal factors constitute the dependent variables in the study. Therefore, this

section focuses on internal factors. Broadly speaking, the existing research on organizational

factors (transformational leadership and information security culture) and individual factors

(self-efficacy, attitude, and normative beliefs) support the research questions for the present

study, because research demonstrates that these factors are relevant to organizational security

outcomes (e.g., Rocha Flores & Ekstedt, 2016). However, literature focusing on social

engineering awareness, and literature focusing on healthcare settings, is limited. The remainder

of this section reviews existing research related to the research topic to demonstrate this gap and

justify the need to ask the research questions of the present study.

There are two types of internal factors: individual factors and organizational factors

(Rocha Flores & Ekstedt, 2016). Individual factors are those that pertain to end users and vary

from person to person, such as information security awareness and self-efficacy. Organizational

factors, by contrast, pertain to management and to the organization as a whole, such as

leadership and organizational culture. To date, few studies have explicitly conceptualized

security factors in this way. Instead, many researchers focus on one or the other of organizational

or individual factors, failing to consider their interactions. This is a problem because

organizations make investments in organizational and individual factors, for example by training

employees and enacting culture change, without a clear understanding of how these factors

interact and to what extent they influence actual security behaviors and outcomes (Rocha Flores

& Ekstedt, 2016).

For example, one way in which organizations can invest in information security is to hire

new employees with security credentials or to invest in training existing employees with

credentials (Merkow & Breithaupt, 2014). Many information security credentials exist, some that

apply generally and some that are specific to particular industries. In the healthcare industry, the Healthcare Information

Security and Privacy Practitioner (HCISPP) credential ensures that practitioners have an

understanding of data protection as it applies specifically to healthcare information (Merkow &

Breithaupt, 2014). This is an example of an organizational factor (investment) that influences

individual factors (credentials and knowledge). This study addressed the gap in the literature by

examining organizational and individual security factors.

Individual Factors

Internal factors include employee behaviors and internal policies that regulate or attempt

to regulate employee behaviors. This is important because, in the words of Burns et al. (2017),

“interactions among individuals and their environments at the micro-level form the overall

security posture at the macro-level” (p. 509). Indeed, researchers have long recognized that

employee behaviors, including employees’ adherence (or lack thereof) to security policies, are

one of the most important factors in organizational information security (Lebek et al., 2013;

Siponen et al., 2014).

Siponen et al. (2014) conducted an empirical study on employee adherence. Their

objective was to develop a model explaining employees' security adherence behavior. Using a

sample of 669 employees at four organizations in Finland, the researchers used structural

equation modeling to determine the extent to which each of the following individual factors

influenced the intent to comply with security policies: perceived severity of security threats,

perceived vulnerability to security threats, perceived efficacy of organizational responses to

security threats, security adherence self-efficacy, attitude, normative beliefs, and rewards

(Siponen et al., 2014). Their results indicated perceived severity, self-efficacy, perceived

vulnerability, attitude, and normative beliefs positively influenced intention to comply.

Importantly, the researchers also tested whether the intention to comply with security policies

correlated to actual compliance with security policies. Although compliance was self-reported

and could, therefore, be subject to social desirability bias, this result nevertheless suggests that

understanding and influencing behavioral intentions can enable organizations to improve

outcomes.

Rocha Flores and Ekstedt (2016) conducted another important study of organizational

and individual security factors. They followed a rigorous mixed method process to develop a

research instrument measuring seven factors. At the organizational level, they measured

transformational leadership and organizational security culture. At the individual level, they

measured information security awareness, security attitude, security self-efficacy, security

normative beliefs, and intention to resist social engineering. The researchers defined all

individual factors, except for security awareness, as intrinsic factors, or factors specific to each person

and not determined by factors outside the individual (Rocha Flores & Ekstedt, 2016). After

developing and validating their research instrument, Rocha Flores and Ekstedt surveyed 4,296

employees of diverse organizations in Sweden to examine how the organizational and individual

factors interacted to influence employees' intention to resist social engineering.

The Rocha Flores and Ekstedt (2016) study, although not without flaws (described in the

next paragraph), was rigorous, and the results appear to be highly conclusive. The findings

revealed that attitude toward resisting social engineering was positively associated with intention

to resist social engineering. Self-efficacy and normative beliefs were also associated with

intention to resist, but with weaker coefficients. At the organizational level, the researchers found

that employee-perceived transformational leadership was associated with employee-perceived

security culture and employees’ information security awareness. A significant positive link

between transformational leadership and attitude toward resisting social engineering was fully

mediated by information security culture (Rocha Flores & Ekstedt, 2016), suggesting that

transformational leaders tend to enact organizational security cultures, and employees develop

more positive attitudes toward resisting social engineering as a result.

Although Rocha Flores and Ekstedt (2016) revealed important insights for organizational

security culture, one of the major limitations of their study is that it took place entirely in

Sweden. Therefore, the interactions between organizational and individual security factors

cannot be extended to other countries, and it remains unknown how organizational and

individual factors interact in other settings. Therefore, this study drew on their research,

employing their rigorously developed survey instrument, to test the influence of organizational

and individual factors on employee security awareness in the United States. Because this study

used the same variables as those used in the Rocha Flores and Ekstedt study, the remainder of

this section reviews literature related to the individual factors in that study.

Information security awareness. Information security awareness is "An employee's

perception of both his/her general knowledge about information security and his/her cognizance

of the information security policy" (Rocha Flores & Ekstedt, 2016, p. 31). Several researchers

have identified the need for robust security awareness to protect organizational information

assets (Ciampa, 2009; Narain Singh et al., 2014; Siponen et al., 2014). Lack of information

security awareness is one of the roots of user mistakes that lead to costly security breaches (Safa

et al., 2015). Therefore, it is essential that organizations understand how to improve information

security awareness by understanding the factors that predict it.

In a quantitative study among 500 Australian employees, Parsons, McCormac,

Butavicius, Pattinson, and Jerram (2014) found that knowledge of policy and procedures

influenced employees’ attitudes toward information security. Based on the results of their

analysis, the researchers concluded that training intended to improve awareness should focus not

only on policies and facts but also on the importance of information security behaviors, in order

to influence employees’ attitudes (Parsons et al., 2014). This result is important for the present

study because it elucidates the importance of awareness and supports the need to understand the

factors that influence awareness.

Lebek et al. (2013) conducted a review of the literature related to employee security

awareness and its relationship to security behavior. The researchers sought to determine which

were the dominant theories used to study employee security awareness and behavior. Although

the results identified 54 different theories used in 113 published works, Lebek et al. found that

there were four key theories used in the majority of literature: the theory of planned behavior (the

conceptual framework for this present study), the goal disruption theory, the protection

motivation theory, and the technology acceptance model. As the authors pointed out, there is

considerable evidence of alignment among the core constructs of these four models, indicating a

consensus that information security awareness and behavior are goals- and motivation-driven.

There are many ways of improving information security awareness among employees,

although research into the relative effectiveness of these various methods is lacking (Abawajy,

2014). Security awareness training methods include text-based training (e.g., information

delivered to employees in e-mails and handouts), game-based training, and video-based training.

In one study of these three methods, Abawajy (2014) found that it was most effective to combine

delivery methods, rather than using only one.

One problem in the existing literature is the failure to distinguish among user-caused

security breaches that stem from different motivations. According to Crossler et al. (2013),

security awareness training may not be effective in reducing security breaches that result from

employees purposely striving to do harm to the organization or seeking personal benefit. Despite

this limitation of existing research, the studies reviewed here reveal that security awareness is a

key factor in improving security outcomes organization-wide. However, not enough research

exists about the antecedents to security awareness at the individual and organizational levels.

Therefore, in the present study, the researcher examines security awareness as the independent

variable.

Attitude. According to Rocha Flores and Ekstedt (2016), attitude is “The degree to

which the performance of the information security behavior is positively valued” (p. 31).

Existing research has shown that attitude is important in predicting security policy compliance.

For example, Safa et al. (2015) identified several factors statistically related to employees’

attitude toward compliance. These included information security knowledge sharing,

collaboration, commitment, and personal norms. Safa et al. (2015) analyzed several factors, such

as collaboration and commitment, that other researchers have not explored in detail or at all,

making it difficult to draw conclusions about the importance of those factors in general.

However, the study also included factors like norms and information security knowledge, which

are similar to the factors studied elsewhere (e.g., Rocha Flores & Ekstedt, 2016; Siponen et al.,

2014). Additionally, Safa et al. (2015) confirmed the findings of Rocha Flores and Ekstedt

(2016) by revealing that employees’ attitude toward information security associated positively

with behavioral intention to comply with security policies.

As mentioned above, Siponen et al. (2014) found that attitude positively related to

intention to comply with security policies in their sample of Finnish employees. Rocha Flores and

Ekstedt (2016) found a similar result when considering intention to resist social engineering as

the outcome variable. Again, Parsons et al. (2014) found that attitude toward security policy and

procedures accounted for 72% of the variation in self-reported compliance behaviors among

Australian employees. Similarly, Ifinedo (2014) found a statistically significant positive

relationship between attitudes toward compliance and actual compliance with information

security policies. Together, these studies strongly suggest that attitude is important to

organizational security outcomes. The literature search did not reveal any studies that failed to

find significant links between attitude and other information security–related variables, further

underscoring its importance.

Although the research reviewed here shows that security awareness can influence

security attitude among employees, few researchers have posited the reverse causal relationship.

Readers should note that, of the results reviewed here, none can be used to make direct causal

claims, because all of the statistical analyses used correlation analysis, which does not

necessarily imply causation. Therefore, it is possible that security attitude leads to an increase in

security awareness since positive attitudes could motivate employees to seek and retain more

information about security policies and practices. This logic motivates the hypothesis of the

study, but, to this researcher’s knowledge, no existing studies have theorized the relationship in

this direction.

Self-efficacy. In general terms, the concept of self-efficacy refers to one’s belief in one’s

ability to succeed or accomplish a given task by mobilizing one’s own capacities and resources

(Schwarzer, 2014). The psychologist Albert Bandura developed the notion of self-efficacy as a

part of his social cognitive theory, and researchers have applied the notion in many fields and

disciplines as a way of explaining many types of behavior (Schwarzer, 2014). Domain-specific

self-efficacy can predict domain-specific performance because, when individuals believe they

can accomplish a task, they are more likely to persevere with the task in the face of problems,

less likely to become frustrated, and more likely to exert effort to cope with the difficulties they

encounter (Safa et al., 2015; Schwarzer, 2014).

In the context of social engineering, Rocha Flores and Ekstedt (2016) defined self-efficacy as

“An employee’s judgment of personal skills, knowledge, or competency about resisting social

engineering” (p. 31). Safa et al. (2015) offered a definition of information

security self-efficacy, which is slightly broader than the Rocha Flores and Ekstedt (2016)

definition: “a belief in [one’s own] ability to protect information and system from unauthorized

disclosure, loss, modification, destruction, and lack of availability” (p. 70). In the Rocha Flores

and Ekstedt study, self-efficacy positively related to intention to resist social engineering, and

this relationship was statistically significant, but the effect size was small, with a path coefficient

of only 0.09. This indicates that, although self-efficacy had an effect, it was a much weaker

effect than observed for the other variables in their study.

Interestingly, Siponen et al. (2014) revealed an almost identical result to that reported in

the Rocha Flores and Ekstedt (2016) report. They found that, although self-efficacy was

positively related to intention to comply, and although the relationship was significant at the p <

.01 level, the effect size was only 0.087, almost exactly the same as the effect size that Rocha

Flores and Ekstedt observed. These two findings mutually reinforce one another and suggest that

it may not be productive for organizations to emphasize self-efficacy in security awareness

training. Nevertheless, as Crossler et al. (2013) pointed out, many organizations indeed focus on

promoting self-efficacy in their security training interventions.

By contrast, a study by Safa et al. (2015) revealed that information security–related self-

efficacy influenced security behavior more strongly. Their study consisted of a structural

equation model based on survey responses from 212 information technology professionals (of

which about half worked in information security roles specifically) in Malaysia. The researchers

hypothesized that a high degree of self-efficacy would positively influence behaviors because it

would lead to increased coping efforts, persistence, and self-regulation (i.e., ability to manage

stress and other negative effects) in the face of problems. The coefficient of the resulting path

between self-efficacy and behavior was 0.617 (Safa et al., 2015). One potential explanation of

the difference between this result and results in similar studies is that all of the participants in the

Safa et al. (2015) study were information technology professionals. It is possible that self-

efficacy is a greater determinant of technology-related behavior among employees whose work

deals with technology explicitly.

Although Ifinedo (2014) did not examine self-efficacy specifically, the researcher tested

the related constructs of locus of control, self-perceived capabilities, and self-perceived

competence related to information security. The results revealed a significant, positive

relationship between each of these constructs and information security policy compliance.

Together, the results reviewed here suggest that self-efficacy, while important to security

outcomes, may not be as important as other factors. Nevertheless, the conflicting evidence

suggests that more research is warranted to definitively reveal the nature and extent of the

connection between self-efficacy and security behaviors. To this researcher’s knowledge, no

studies yet exist examining the predictive value of self-efficacy on security awareness.

Normative beliefs. According to Rocha Flores and Ekstedt (2016), normative beliefs

refer to "an employee's perceived social pressure about his/her social engineering security

behavior caused by behavioral expectations of such important referents as executives,

colleagues, and managers" (p. 31). Siponen et al. (2014) noted that peers and superiors could

influence normative beliefs, and they also included normative beliefs as a variable in their study.

Normative beliefs are frequently included in behavioral intention studies.

Siponen et al. (2014) found that normative beliefs had a statistically significant, positive

effect on the intention to comply with security policies, with a moderate effect size (β = 0.327).

In the Rocha Flores and Ekstedt study, there was also a positive relationship between normative

beliefs and intention to resist social engineering, but the effect size was quite small (β = 0.08),

indicating that employees’ attitude is more important to their security behavior intentions. One

explanation for this discrepancy in findings might be that the two studies used slightly different

outcome variables. Siponen et al. (2014) studied intention to comply with security policies,

which might be strongly related to normative beliefs because it inherently involves

organizational superiors, who have put the policies in place and who may monitor employees’

compliance. By contrast, Rocha Flores and Ekstedt examined intention to resist social

engineering, which, while potentially indirectly tied to the security policy (e.g., if security

policies explicitly require social engineering resistance), examines a security-related, rather than

a compliance-related, behavior. Therefore, normative beliefs might be more likely to influence

compliance behavior than security behavior.

Ifinedo (2014) also included normative beliefs (called subjective norms in that study) in a

study of information security policy compliance. Using partial least squares analysis, they found

that normative beliefs significantly positively related to both the attitude toward compliance and

the intention to comply. Both effect sizes were small, but the effect on attitude approached

moderate (β = 0.25). Attitude toward compliance, which the researchers modeled as

mediating between multiple individual variables and intent to comply, strongly influenced intent

to comply (β = 0.63; p < .001), suggesting that, if normative beliefs are important to security

behaviors, it is because they influence employees’ attitudes.

One mechanism by which normative beliefs might influence security behavior is the

perception that security policies are mandatory. The mandatory nature of security policies relates

to policy compliance. In a study of 320 employees’ reactions to a new information security

policy memo, Lowry and Moody (2015) found that the more employees perceived the new

policy as mandatory, the stronger was their intent to comply with the policy (β = 0.420). Narain

Singh et al. (2014) confirmed this finding in their review and factor analysis, which found that

information security regulation is important to information security management across

organizations. This suggests that employees' perceptions of management expectations can

influence their security behavioral intent. Although the literature search for this review did not

yield any studies examining the effect of normative beliefs on security awareness, previous

findings on normative beliefs' effect on attitude suggest that employees may be more motivated

to seek out and retain security-related knowledge if they perceive an organizational norm in

favor of doing so. This may be especially true in cases where an information security policy

mandates maintaining security awareness, for example through mandated training.

Behavioral intention. Behavioral intention is the degree to which an individual intends

to engage in a certain behavior in the future. In the context of information security and social

engineering, it refers to “an employee’s intention to resist social engineering” (Rocha Flores &

Ekstedt, 2016, p. 32). Behavioral intention is central to several theories of behavior and

motivation, including the theory of planned behavior, which serves as the theoretical framework

for this study.

In information security research, behavioral intention relates to employees’ intent to

engage in security behavior. The term security behavior is a new term in our connected society.

Guo, Yuan, Archer, and Connelly (2011) defined a security behavior as the behaviors engaged in

by employees who voluntarily bypass organizational information systems security policies with

the intention of benefiting the performance of their work. Herath and Rao (2009) suggested that

security behavior could be determined or defined by the attitude, subjective norms, and

behavioral control of users. Aytes and Connolly (2004) defined security behavior as users’

intentions based on their perception of the usefulness of good security behavior and the

negative consequences of not demonstrating these behaviors, and held that these behaviors can be

categorized as intentional, malicious, mistaken, or beneficial.

A majority of studies that focus on end-user factors related to information security use

behavioral intention as an outcome variable. However, the type of behavior tested varies widely

from study to study. Rocha Flores and Ekstedt (2016) studied intent to resist social engineering,

whereas several other research teams have studied intent to comply with security policies

(Ifinedo, 2014; Lowry & Moody, 2015; Safa et al., 2015; Siponen et al., 2014). As mentioned

previously, this subtle difference in behavioral intention variables could influence the outcomes

of information security research. Some factors, like normative beliefs, could have different

effects on intent to comply with policy versus intent to resist social engineering independent of

policy compliance. Which outcome variable is appropriate could depend on the organizational

context and the overall strategy for information security. For example, an organization whose

security strategy strongly emphasizes mandatory policy directives might be interested in

behavioral intent to comply. By contrast, an organization that more strongly emphasizes a

security climate, whereby employees should participate in information security regardless of

policy, might want to influence behavioral intent to resist social engineering.

Although some have argued that behavioral intention, which survey research can easily

examine, does not necessarily reflect actual behavior, some recent research in information

security suggests that intention and behavior are correlated (Ifinedo, 2014; Rocha Flores, Holm,

Nohlberg, & Ekstedt, 2015; Siponen et al., 2014). Therefore, it is appropriate to include

behavioral intention as a variable for understanding security outcomes as a product of individual

employees’ behavior.

Organizational Factors

In addition to individual factors like the ones described above, there are also

organization-level factors that affect security behaviors and outcomes. In recent years,

organizational factors have received less attention than individual factors, owing to a growing

interest in the “human factor”, that is, the role of individual behaviors in security outcomes.

However, organizational factors are still important in determining the overall security posture of

organizations, which can interact with individual factors to yield security outcomes (Burns et al.,

2017). Organizational security culture is one example of an organizational factor, as is

transformational leadership. These two factors are variables in the study, and they also form key

elements of the theoretical framework (described in Chapter 1). Therefore, this section aligns

with the theoretical framework and the research questions of the study.

Organizational factors include any factors that are directly under the organization’s

control but that exist either organization-wide or at the level of management (rather than at the

level of end-user employees). For example, information security policies themselves are a type

of organizational factor. The existence of competent information security policies is an

organizational factor influencing both security outcomes and employees’ security behavior (Safa

et al., 2015).

In an important early study, Kraemer, Carayon, and Clem (2009) conducted two focus

groups, each consisting of five information security experts, to determine the individual and

organizational factors that influence security outcomes and vulnerabilities. The results uncovered

numerous important factors of both types. Among the organizational factors that Kraemer et al.

(2009) listed were lack of management support for information security management,

decentralized security practices, lack of information security ownership and planning, outdated

policies, undocumented or poorly documented policies, policy overload (i.e., too many policies),

inadequate funding for security, poorly allocated funding, technology hardware/software

mismatch, inappropriate technology environments, and lack of user training. Chang and Ho

(2006) identified the following additional organizational factors as important to effective

information security management: business managers’ information technology competence,

industry type, and organization size. This early research demonstrates that many elements of an

organization’s security management can influence security outcomes, and organizational security

factors are complex.

In their study, Rocha Flores and Ekstedt (2016) examined two organizational security

factors: transformational leadership and information security culture. Because this study

followed the Rocha Flores and Ekstedt study and utilized their research instrument, the

remainder of this section focuses on those two variables.

Transformational leadership. Transformational leadership theory is the primary

element of the theoretical framework for this present study. Bass (1998) introduced the concept

of transformational leadership to explain how organizational leaders enact organizational change

by motivating employees to achieve high performance. Transformational leadership is not about

providing concrete direction to employees and organizational departments using a cost-benefit

model. Rather, transformational leaders inspire employees to perform by generating buy-in with

higher order values (Choi, 2016). “Transformational leadership appeals to the moral values of

followers in an attempt to raise their consciousness with regard to ethical issues and mobilize

their energy and resources to reform institutions” (Choi, 2016, p. 638). Researchers have

identified transformational leadership as an important factor in organizational outcomes.

Evidence shows that transformational leadership improves the effective use of

information technology at the organizational level (Lebek et al., 2014). In the context of

information security research, Rocha Flores and Ekstedt (2016) defined transformational

leadership as “a leader’s actions to generate awareness and motivate employees to change their

information security behaviors” (p. 31). Owing to the increased focus on individual factors in

security management research, only a few studies have examined the influence of

transformational leadership on information security outcome variables. In the context of

information security, researchers have identified an important role of transformational leadership

in employees’ intention to resist social engineering (Rocha Flores & Ekstedt, 2016) and in the

effectiveness of security countermeasures (Humaidi & Balakrishnan, 2015).

Lebek et al. (2014) conducted a study with the specific goal of determining how

transformational leadership influences employee security behaviors. They collected data from 208

employees across different industries in the United States, and they used structural equation

modeling to analyze the survey responses. Findings revealed that transformational leadership had

a significant direct influence on employees’ participation in information security. They also

found an indirect relationship via organizational climate (Lebek et al., 2014). This indicates that

one way in which transformational leaders lead to improved security outcomes is by influencing

a strong and positive security culture.

Findings from Rocha Flores and Ekstedt’s (2016) study strongly confirm the Lebek et al.

(2014) findings related to transformational leadership. Rocha Flores and Ekstedt found a

statistically significant, positive relationship between transformational leadership and security

awareness (β = 0.52). This finding is particularly important for the present study because it

shows that transformational leaders can influence employees’ awareness of security concepts and

policies. Additionally, according to their results, Rocha Flores and Ekstedt concluded that a

positive relationship between transformational leadership and attitude toward resisting social

engineering was, in their sample, mediated by information security culture. Again, this suggests

that leaders have a strong influence on culture, which is the mechanism through which they

influence employees’ behavior. The next subsection contains a review of literature related to

security culture.

To develop a deeper understanding of why transformational leadership can lead to

information security effectiveness, Choi (2016) surveyed 180 information security managers in

South Korea to test four aspects of transformational leadership with respect to their influence on

the perceived relevance of information security policy and the enforcement of information

security policy. The aspects were idealized influence, intellectual stimulation, individualized

consideration, and inspirational motivation. Choi’s results indicated that three of the four factors

significantly positively influenced the outcome variables; intellectual stimulation did not have a

significant influence either on the relevance or enforcement of information security policy.

Effect sizes were moderate but strongly significant (Choi, 2016). This indicates that

transformational leaders can enhance information security outcomes when they act in symbolic

roles to inspire employees at a one-on-one level.

Soomro et al. (2016) conducted a literature review on the role of management in

organizational information security. They found that, in articles published since 2004,

management’s role in information security was the second most widely distributed concept, after

effective policies, awareness, and training. Lack of top management support for information

security initiatives is an often-cited problem in extant research (Narain Singh et al., 2014;

Soomro et al., 2016). However, the importance of management is often framed in terms of

funding and resource allocation for information security investment, or in terms of ensuring

consistency and uniformity in organization-wide security policies. The psychological impact of

leadership on employees’ behaviors is much more rarely discussed. Therefore, the present study

fills a gap in existing literature by contributing further data related to transformational leadership

and its influence on employees’ security awareness.

Information security culture. Organizational security culture is also an element of the

theoretical framework for this present study. According to Rocha Flores and Ekstedt (2016),

information security culture is “an employee’s individual perception of shared beliefs and values

among colleagues in the work environment” (p. 32). Harris (2010) stated that security culture

could be outlined as a set of beliefs, principles, or norms that are shared by people within an

organization. Information security culture is an aspect of organizational culture, which “guides

the activities of the organization and its employees by placing constraints upon the activities and

behavior of employees and by prescribing what the organization and its employees must, can, or

cannot do” (AlHogail & Mirza, 2014, p. 2). Although scholars have defined information security

culture in a variety of ways, there is a general consensus that when information security culture

is present, engaging in information security-related activities is a natural part of daily life within

the organization (AlHogail & Mirza, 2014).

Culture plays a crucial role in information security (Kraemer et al., 2009), and there

exists a large body of literature describing security culture and related factors (for a review, see

Narain Singh et al., 2014). Research has found that one of the key factors in ineffective

information security management is a lack of alignment between information security needs and

the overall business strategy (Soomro et al., 2016). Robbins and Judge (2008) identified that

security culture could be utilized as a control mechanism to shape the attitudes and behaviors of

users. North, Perryman, Burns, and North (2010) identified security culture as the theory about

perceptions and posture, which the organization supports in a manner that integrates security

behaviors in users. Lacey (2009) posited that security culture carries weight in the development of

security awareness of a user. Implementing information security culture using appropriate and

effective change management principles can lead to organization-wide security gains (AlHogail

& Mirza, 2014). Through information security culture, organizations can ensure that employees

at all levels and in all functions across an organization value security and understand the

organization's approach to information security.

One important study on security culture, by Goo, Yim, and Kim (2014), showed that,

among a sample of 581 end-user employees in South Korea, information security climate had a

strong positive influence on employees’ compliance with information security policies. In

addition, the researchers described the effect of security culture on employees’ normative

commitment. This suggests that security culture can influence normative beliefs about the

importance of security within an organization, which, in turn, influence security behaviors.

Parsons et al. (2015) focused on organizational security culture, seeking to understand its

influence on employees’ security-related decision making. They conducted a survey of 500

employees in Australia, and their results showed that information security culture positively and

significantly influenced employees’ information security decision making. The researchers

concluded that developing information security culture is worthwhile for organizations hoping to

improve security outcomes and minimize risk from social engineering and other threats.

In their study, Rocha Flores and Ekstedt (2016) observed findings supporting those of

Huang et al. (2014). They found that information security culture positively associated with

information security awareness, attitude, and normative beliefs. Additionally, their results

suggested that employees’ attitude to resisting social engineering mediated a positive

relationship between security culture and behavioral intention to resist social engineering. These

results suggest that security culture’s influence on employees’ security behaviors is important but

indirect.

To explain the influence of information security culture on human behavior, AlHogail

(2015) developed a framework of security culture. The author described four areas in which

information security culture influences behavior: (a) preparedness, which includes training and

awareness; (b) responsibility, which includes employees’ ownership of and participation in

information security practices; (c) management, which is largely related to policy and direction,

but which could also include transformational leadership, as described in the previous

subsection; and (d) society and regulations, which relates to how factors external to the

organization interact with the organization’s culture (AlHogail, 2015). With respect to the

present study, this framework is relevant because it posits a relationship between information

security culture and employee security awareness, which is one of the hypotheses tested in this

study.

Factors of Security Awareness Level

This theoretical perspective understands information security behaviors as caused by

internal, external, and inherent security factors. Researchers have identified various factors that

affect end-users’ levels of security awareness (Decker, 2008; Holbert, 2013; Rocha Flores &

Ekstedt, 2016), but these studies have focused only on general populations. Studies also provided

validation for looking into the factors that influence end-users’ information security awareness

level (Holbert, 2013). Decker developed a framework that integrated various theoretical

constructs to capture the inherent, internal, and external factors that affect the levels of security

awareness (Decker, 2008). A three-factor measurement model based on Decker’s survey

indicates that inherent factors, internal factors, and external factors extend in their effect to end-

user levels of security awareness. In this study, the focus was on organizational, information

security awareness, and individual factors.

Security Awareness Training

Several studies have identified information security training, including security

awareness training, as an important factor in organizational information security (Narain Singh et

al., 2014). According to Lee and Lee (2002), security awareness programs can minimize user

computer abuse. A security awareness program is a key component of an overall security

program. In order for a security awareness program to be successful, it has to focus on the human

component. Lee and Lee (2002) noted that, if a security awareness program is unsuccessful, it is

due to the users’ lack of understanding of information security.

Organizations have valuable data that they need to protect from intruders who wish to

access the data. Organizations often invest heavily in data security technologies to protect against

unauthorized access, but often this does not protect the information, owing to user errors (Kim,

2010). Most organizations consider end users to be the weakest link within their security

programs (Okenyi & Owens, 2007). User security violations are most often attributed to poor

security awareness training. Although it is useful to train users to have a robust security

awareness, most organizations fail to invest in such training or fail to conduct training on a

consistent basis.

Some researchers have argued in favor of including security awareness training,

specifically focused on social engineering awareness, in schools. Mohammed and Apeh (2016)

argued that such training is important, not only for students but also for teachers, who can be the

victims of social engineering attacks in the workplace. The researchers implemented a pilot

program to assess their model for improving social engineering awareness in schools and found

that their educational program led to behavior change among the teachers, who had to learn the

material in order to teach it (Mohammed & Apeh, 2016). This study provides another important

data point in favor of security awareness training.

Theory of Planned Behavior

As introduced briefly in Chapter 1, the theory of planned behavior constitutes a major

component of the theoretical framework for this study. The theory of planned behavior describes

how individuals’ attitudes, subjective norms (or normative beliefs), and perceptions of

behavioral control (or self-efficacy) influence their motivation and intention to act in particular

ways. This section traces the development of the theory over time and reviews the current state

of the theory.

Ajzen developed the theory of planned behavior (TPB) in 1991, but its precursor, the theory of

reasoned action (TRA), was developed by Fishbein in 1967. The TRA emerged as a response to a

growing body of empirical literature showing that people’s attitudes correlate poorly with their

behaviors (Wicker, 1969; Montaño & Kasprzyk, 2015). For example, an individual’s attitude

toward breast cancer does not predict her tendency to get regular mammograms. The major

advance of the TRA was to reframe behavioral prediction in terms of individuals’ intentions, or

attitudes toward the behaviors themselves. Early research showed that intention was a much

better predictor of behavior than attitudes as they had been previously studied (Ajzen &

Fishbein, 1980; Fishbein & Ajzen, 1975).

The development of TRA involved defining the variables that contribute to the intention

to perform certain behaviors. According to Fishbein (1967), behavioral intention is determined

by individuals' attitudes toward performing a behavior and their subjective norms associated with

that behavior. However, the TRA did not account for the degree to which individuals feel they

have control over performing a certain behavior. Even if an individual has a positive attitude

toward behavior and values the behavior as a subjective norm, the individual may not have the

intention to perform that behavior if he or she feels unable to do so. To overcome this limitation,

Ajzen's (2011) theory of planned behavior added perceived control (consisting of control beliefs

and perceived power), extending the TRA. The inclusion of perceived control is important in

contexts like a business where individuals may feel that regulations or organizational controls

constrain their behavior.

Recently, Montaño and Kasprzyk (2015) proposed a further extension of the TPB, which

they termed the Integrated Behavior Model (IBM). The IBM incorporates the variables from the

TPB and adds a few other factors, notably self-efficacy (an individual's belief that he or she is

able to perform a behavior successfully) and knowledge necessary to perform the behavior.

Another recent development is the reasoned action approach (RAA), which is based on the TPB.

The RAA’s major contribution is to subdivide the three TPB variables into two distinct

subcomponents each, some of which (e.g., capacity as a subcomponent of perceived control)

were not sufficiently elaborated in the TPB. This development has been interesting to researchers

because it retains the fundamental structure of the TPB while overcoming some of the TPB’s

alleged oversimplifications (McEachan et al., 2016). However, the IBM, the RAA, and other

novel theories lack the years of empirical support that the TPB enjoys (Armitage & Conner,

2001). Furthermore, the TPB’s parsimony is a major strength that competing theories have not

been able to match (McEachan et al., 2016).

Despite its popularity, the TPB is not without its limitations. Notably, research evidence

on the variable of subjective norms has been equivocal; Armitage and Conner (2001) suggested

that measurements of subjective norms have lacked rigor, and the research understanding of

subjective norms has been too narrow. Similarly, the TRA variables together account for less

variation in individuals' behaviors than perceived control alone (Armitage & Conner, 2001).

Sniehotta, Presseau, and Araújo-Soares (2014) conducted a thorough review of evidence

contradicting the validity and utility of the TPB, to which Ajzen (2015) wrote a rebuttal

defending the complexity and explanatory power of the theory. These questions about the TPB

are not yet resolved.

Nevertheless, recent research in business settings (e.g., Kautonen, van Gelderen, & Fink,

2015) has continued to demonstrate the robust efficacy of the TPB in predicting intention and

subsequent behavior. Furthermore, interventions that follow the TPB framework by focusing

on changing participants' intentions also tend to lead to changes in behavior (Webb & Sheeran,

2006). Moreover, several researchers have used the TPB to investigate information security at

the organization level (Ifinedo, 2014; Lebek et al., 2014; Safa et al., 2015), and these studies

have largely confirmed its constructs. In a literature review of 113 studies on information

security awareness and behavior, the TPB/TRA was the most commonly used theoretical

framework (Lebek et al., 2013). Therefore, the TPB is appropriate for the present study and is

adopted as a major component of the theoretical framework.

Research Method

The present study uses a quantitative multiple regression method, which is described in

detail in Chapter 3. This section contains a discussion of the strengths and limitations of this

method in the context of the research topic. Among existing studies investigating factors related

to information security awareness and behavior, quantitative methods are by far the most widely

used (Lebek et al., 2013). One reason for this focus on quantitative methods is because

quantitative research is appropriate for establishing statistical relationships between and among

predefined variables (Creswell & Creswell, 2018). In the quest to discover which factors predict

information security behaviors, quantitative research has enabled scholars to test correlations and

their predictive value. Additionally, quantitative methods have enabled researchers and business

stakeholders to measure information security awareness (Kruger & Kearney, 2006), giving them

a way to tangibly understand both the state of security awareness within organizations and the

impact of various interventions.

Lebek et al. (2013) conducted a literature review on the research approaches used to

understand employee information security awareness and behavior. In a total of 113 published

studies, Lebek et al. identified 54 different theories used to research the topic, of which the

TPB/TRA was the most common, used in 27 studies. The next most commonly used theories

were general deterrence theory (17 studies) and protection motivation theory (10 studies). This

indicates that existing research has found the TPB to be a useful framework for studying security

awareness and behavior and that the greatest compatibility and comparability with existing

studies is to be gained by using the TPB as a theoretical framework.

Lebek et al. (2013) also investigated the methods employed in existing studies on the

research topic. They found that, among existing publications that reported empirical research (as

opposed to theoretical pieces and case studies, for example), 90% used quantitative methods. The

results of these studies underscored the relevance of the TPB, particularly the perceived control

construct; in 92% of cases where researchers evaluated the relationship between intention to

comply with information security policies or recommendations, on the one hand, and perceived

behavioral control, on the other, the relationships were significant at the 95% level (Lebek et al.,

2013). However, the authors did not report on the use of particular quantitative designs.

The findings of the Lebek et al. (2013) review support the use of quantitative research in

the present study. However, the authors also pointed out some limitations of this common

research approach, which bear discussion. First, the variables of the TPB lend themselves to

quantitative research because they are most easily measurable using self-report questionnaires.

However, there are well known methodological issues with self-report research including the

potential for common method variance and social desirability bias (Lebek et al., 2013),

potentially leading to unreliable data. Furthermore, some research indicates that self-reported

behavioral intention may not adequately predict employees’ actual behavior (Workman,

Bommer, & Straub, 2008). However, as Lebek et al. acknowledged, it can be difficult to conduct

observational studies of employees’ security behaviors owing to the sensitive nature of the data,

which organizations may be unwilling to reveal. Therefore, on the whole, quantitative self-report

survey research continues to be a good approach to studying awareness and behavioral intention

related to organizational security. Additionally, owing to a large number of studies that have

used this approach, the present study bears comparison with the existing body of research

better than it would if it used a novel approach.

Summary

There exists a large body of research on the factors that influence information security

outcomes in organizations. In recent years, researchers have given more attention to the “human”

factors, or the individual characteristics and behaviors of employees, than to organizational

factors like leadership and culture. Individual factors are important because scholars generally

agree that individual end users are the weakest link in organizational information security.

However, individual factors alone do not explain information security outcomes, because

organization-level factors interact with individuals to influence awareness and attitudes, which,

in turn, influence individuals’ behaviors and behavioral intentions. For this reason, it is important

to study both organizational and individual factors when examining information security

outcomes. The study asks whether organizational factors, on the one hand, and individual

factors, on the other hand, influence end users’ information security awareness in organizational

settings. The literature reviewed in this chapter reveals that, without security awareness,

employees are less likely to engage in security-promoting behaviors, so it is crucial that

organizations understand how to promote awareness in end users. The remaining chapters

present the following: Chapter 3 discusses the research design and methodology, along with a

discussion of the research instrument, data collection and analysis methods, reliability and

validity of the selected instruments, and ethical considerations. Chapter 4 presents data relating

to the study results. Chapter 5 presents discussions, implications, and recommendations.

CHAPTER 3. METHODOLOGY

Introduction

This chapter includes a description of this study's research and data collection process,

including a discussion of the research and methodology design, population and sampling plan,

data collection plan, and data analysis plan. The basis of the research was to gain completed

surveys using a previously validated survey administered to healthcare IT professionals across

the United States. Survey distribution and data collection involved using SurveyMonkey

Audience for access to a panel of healthcare IT professionals. Participation in the survey was

voluntary, and questions at the beginning of the survey ensured no employees who were not

healthcare end-users completed the survey.

This quantitative multiple regression study was an expansion of earlier work by Rocha

Flores and Ekstedt (2016). Rocha Flores and Ekstedt studied the resistance of social engineering

in various industries in Sweden, but the study did not focus specifically on the healthcare

industry. Social engineering in the form of phishing and ransomware attacks has been

successful in evading technical solutions of cybersecurity programs; this has made it critical that

healthcare employees can detect and resist these attacks. In addition to expanding Rocha Flores

and Ekstedt’s study regarding the industry, this study broadens the geographic reach as well by

including the United States as opposed to Sweden.

The annual cost of cybercrime continues to climb; it reached $400 billion in 2015 and is

expected to reach $2.1 trillion by 2019 (Morgan, 2016). Defending against social engineering

attacks with corporate policies, standards, and a sound social engineering awareness program are

critical areas of focus for senior management of organizations.

Design and Methodology

The design of this study was to evaluate an existing theory, the theory of planned

behavior, as it relates to specific research questions using empirical analysis methods. Out of the

four philosophical worldviews, theory verification through empirical measurement is most

appropriately done by using a positivist/postpositivist research approach (Creswell & Creswell,

2018). With this worldview, applying the quantitative method is most appropriate. Within a

positivist/postpositivist way of thinking, the purpose of the research is to identify relationships

between variables by reducing them into a framework in which they can be tested. In this method,

the theory is simplified into a research question that a researcher can predict based on a given

theory and test through a set of hypotheses.

Quantitative methods require researchers to collect data using surveys or archival or

historical means. With quantitative research, researchers can use existing instruments for their

study (Cooper & Schindler, 2014). The researcher determined that the quantitative method would

be the best fit for this study. Quantitative research seeks to answer a question based on (a)

problem identification, (b) question formulation, and (c) hypothesis formulation (Cooper &

Schindler, 2014). The questions posed seek to determine a relationship between predictor

variables (organizational, security awareness, and individual factors) and one criterion variable

(level of social engineering awareness of healthcare end-users) and to answer the research

question posed earlier in the study. Therefore, a quantitative method is appropriate because it

allows a researcher to define the research question and its related hypotheses clearly. Subjectivity

is minimized with quantitative methods (Creswell & Creswell, 2018).

Regression design assesses the relationships between two or more variables (Creswell &

Creswell, 2018). The advantage of using a regression design is that the researcher can test

relationships between and among variables. Additionally, the researcher can make predictions

based on the results. The disadvantage of using this design is that the researcher cannot draw

causal inferences about the relationships (Cooper & Schindler, 2014). The regression design is

appropriate based on the research questions of this study. The researcher is interested in

determining the extent to which the predictor variables (organizational security factors,

information security awareness factors, and individual security factors) may predict the

criterion variable (level of security awareness). A theoretical model is shown in Figure 1 on how

these factors may predict the level of social engineering awareness. Various findings within

academic literature have identified the variables in this study with security awareness and

security issues in general (Decker, 2008; Holbert, 2013; Rocha Flores & Ekstedt, 2016). The

benefit of using the regression design is that it is capable of demonstrating whether the predictor

variables predict or influence the criterion variable (Creswell & Creswell, 2018).

Quantitative research begins with a set of hypotheses that are either strengthened or

weakened through evaluation. Researchers collect data by using surveys to refine or change

claims made based on existing theory. As evidence collected in research is never absolute and

perfect, quantitative research does not provide a final position for the presented hypotheses but

rather indicates whether the research results fail to reject them. Instead of providing a precise

measure of relationships between variables, quantitative research involves an attempt to explain

a relationship in the form of a hypothetical question.

In reviewing past research on the subject of human behavior within the context of

information security awareness and social engineering, most research involves using a

quantitative, non-experimental method. This research used Rocha Flores and Ekstedt’s (2016)

research instrument but did not follow their data analysis method, which was structural equation

modeling. The results from the study, therefore, helped expand on Rocha Flores and Ekstedt’s

findings and explain identified relationships in a different context and using a different research

design. In doing so, practitioners were able to assess if any difference indeed exists in the way

healthcare IT professionals respond to awareness programs and thus whether programs should be

customized for different audiences. For researchers, a direct focus on the healthcare IT professional

population provided insight into areas for future research when selecting a sample.

Population and Sampling

The population of this study was healthcare end-users from the healthcare industry

located within the continental United States. The sample frame for the study consisted of

members of SurveyMonkey Audience who are professionals in the healthcare industry between

the ages of 21-65. The study did not consider members of SurveyMonkey Audience that were

not in the healthcare industry. The participants were a random sample from the sample frame.

The sample size was determined with a G*Power 3.1 a priori analysis for multiple linear

regression (fixed model, R² deviation from zero). The input parameters of effect size f² = .15,

α err prob = .05, power = 0.95, and number of predictors = 2 yield a minimum sample size of

107 for this study, but with a survey study, a sample size over the minimum is always the goal.

The sample size was 118. The margin of error for this study was +/- 5% at a confidence level of

95%. Previous research studies used a 95% confidence level, which provides support that this is

an accepted method (Creswell & Creswell, 2018). The standard error (SE) for the study was

0.02%.

This study considered previous research about the return rate of online survey

respondents, which tends to be equal to or lower than traditional survey formats (Evans &

Mathur, 2005). The geographical location of this study was the continental United States, but

participants' actual locations within the United States varied, as they resided across the

country.

To participate in the study, a participant had to be a healthcare end-user and had to be

between the ages of 21 and 65. A healthcare end-user is a healthcare employee involved in using

a healthcare information technology system which gives the healthcare employee access to PHI.

These end-users are the prime targets for cyberattackers since they have direct access to PHI

through their daily job functions. This study did not include any participants that were not

healthcare end-users. Participants were contacted via a recruitment e-mail asking them to

participate in the study from SurveyMonkey Audience. The period of recruitment and

participation of participants remained open until the minimum number of responses were

collected. The recruitment e-mail contained a brief overview of the purpose of the study and an

invitation link. From there, the participants were guided to a secure survey website to accept the

consent form and complete the survey. The consent form contained information relating to the

intent and purpose of the study, information ensuring the participant that his or her identity and

confidentiality would not be compromised throughout this process, and a statement that the

participant was under no pressure to complete the survey. The information gained from the

participants was coded so that no identifying information about any participant is known; as such,

it would be impossible for the researcher to remove a participant's responses if that participant

later contacted the researcher asking for their removal. The participant had opportunities at the beginning of the survey,

throughout the survey and at the end of the survey to decide not to participate in the survey by

closing the web browser containing the survey.

Setting

The research of this study took place through online surveys distributed to healthcare

professionals through SurveyMonkey Audience; as such, no specific workplace setting should

influence the outcome of this study. The online nature of this survey allowed

the participant to take the survey in an environment that is comfortable to them. Another

advantage of this setting is the low cost of data collection. Finally, with no interviewer present,

participants were more willing to share information freely. There are disadvantages to the

use of online surveys, such as limited participant availability, but the use of SurveyMonkey

Audience should mitigate that risk. SurveyMonkey Audience uses its own survey panels, built up

over time (SurveyMonkey Audience, 2018). Also, SurveyMonkey Audience seeks

individuals through social media systems to join their panels (SurveyMonkey Audience, 2018).

The surveys are sent out by e-mail with only a description of the survey length included in the e-

mail to avoid topic selection bias.

Data Collection

As the various methods of issuing surveys have their advantages and disadvantages, often

the deciding factor comes down to the cost, collection time, and the response rate of the survey

(Deutskens, de Ruyter, & Wetzels, 2006). Web-based data collection is used frequently because

of its “low costs, flexible format, and fast response” (Granello & Wheaton, 2004, p. 387).

Data was collected through a composite online survey instrument. A Likert-type scale

was used to capture the respondents' level of agreement with each statement, ranging from 0

(strongly disagree) to 10 (strongly agree). Only the respondent ID and the level of agreement for

each survey question were captured and stored. The survey was administered electronically using

the survey tool called SurveyMonkey. SurveyMonkey is an online survey company that

provides customizable surveys (SurveyMonkey Audience, 2018). For each participant response,

SurveyMonkey can ensure that the response collected is (a) anonymous and (b) coded. To

ensure responses are anonymous, SurveyMonkey has an option called Anonymous Responses;

turning this option on ensured that each participant response is not trackable and that identifiable

information is not stored (SurveyMonkey Audience, 2018). This option was used to ensure

anonymity for the participant within the survey, web links, and e-mail invitations. To ensure

responses are coded, each response collected with SurveyMonkey contained a respondent ID,

which is unique to the response and not the respondent (SurveyMonkey Audience, 2018). This

ensures that a response can in no way be traced back to a respondent. With this, a researcher

can only see the respondent ID within the exported data. The collected data was exported from

SurveyMonkey in Excel spreadsheet format, from which the information was uploaded into IBM

SPSS Statistics for analysis.

IBM SPSS Statistics was one of the software packages used for descriptive and

statistical analysis of the gathered data. IBM SPSS Statistics is widely used in

social science research and can be used to analyze the distribution of variables of this study

(George & Mallery, 2017). It can also be used for multivariate analysis methods, such as

regression, correlation, or analysis of variance (George & Mallery, 2017).

Only the researcher had access to the SurveyMonkey Audience survey tool. The e-mail to

the participants included an introduction, description of the study, its purpose, a URL link to the

web survey, and notification that it would remain confidential and anonymous. The period of

recruitment and participation of participants remained open until the minimum number of

responses were collected. At the survey website, participants were notified again that they would

remain anonymous and their responses would remain confidential, and that by accepting a consent

form and completing the survey they provided their informed consent.

IRB Process

Before collecting data, the researcher received the required approval for data collection

from the Capella University Institutional Review Board (IRB). The required ethical training

modules on Human Subjects Research through the Collaborative Institutional Training Initiative

(CITI) were completed and the required IRB items were submitted, including: (a) IRB application,

(b) consent form, (c) CITI Ethical Certificate, (d) permission to use existing survey instrument,

and (e) the survey instrument.

Informed Consent

SurveyMonkey Audience was used to solicit prospective participants for this study.

An e-mail invitation contained a letter of consent that outlined the purpose of the research and

allowed potential participants the opportunity to decline the invitation. Participants indicated

their willingness to partake in the study by clicking a link that took them to the survey. By

clicking the link, participants agreed to accept all risks associated with the survey.

Participation was voluntary and confidential. Volunteer participants were notified about

the confidential and anonymous nature of the study and were asked to acknowledge that they

had read and understood these conditions and agreed to them before completing the survey. If

prospective participants were not interested in the survey, they could disregard the e-mail

invitation with no further involvement.

Confidentiality

The researcher informed prospective participants of the anonymity and confidentiality of

their responses. The responses were anonymous in that there was not a way to connect

identifying information with survey responses through the methods mentioned in the data

collection section. The respondents were not asked to give any names or code numbers. The

researcher stored all research information, records, and electronic and paper data in a private,

secure storage area that only the researcher had access to. After seven years, the researcher will

destroy the data using third-party Department of Defense approved deletion software.

Instrumentation

The data collection instrument was composed of four pre-existing, closed-ended

composite scales consisting of quantitative scaled questions and a demographic section. The

demographic section captured the age and gender of the participant. The instrument included

four scales. These scales are: (a) organizational structure scale, (b) information security

awareness scale, (c) intrinsic beliefs scale, and (d) the intention to resist scale (Rocha Flores &

Ekstedt, 2016).

The first scale consisted of 12 questions that comprised the analysis of organizational

security, which is a one-dimensional construct with composite indicators (items): (a)

transformational leadership (TL) and (b) information security culture (ISC). Each item uses

Likert-type scales of 0 (strongly disagree) to 10 (strongly agree) (Rocha Flores & Ekstedt, 2016).

Item scores were summed for an overall index. No anchors were given for other scale points.

The scores ranged from 0 to 120.

The second scale consisted of six questions that comprised the analysis of information

security awareness, which is a one-dimensional construct with composite indicators (items): (a)

general information security awareness (GISA) and (b) information security policy awareness

(ISPA) (Rocha Flores & Ekstedt, 2016). Each item uses Likert-type scales of 0 (strongly

disagree) to 10 (strongly agree) (Rocha Flores & Ekstedt, 2016). Item scores were summed for

an overall index. No anchors were given for other scale points. The scores ranged from 0 to 60.

The third scale consisted of 17 items that comprised the analysis of intrinsic beliefs,

which measures a one-dimensional construct with composite indicators (items): (a) self-efficacy

(SE), (b) attitude (A), and (c) normative beliefs (NB) (Rocha Flores & Ekstedt, 2016). Each item

uses Likert-type scales of 0 (strongly disagree) to 10 (strongly agree) (Rocha Flores & Ekstedt,

2016). No anchors were given for other scale points. Item scores were summed for an overall

index. The scores ranged from 0 to 170.

The fourth scale consisted of 5 items that comprised the analysis of intention to resist,

which measures a one-dimensional construct with composite indicators (items): level of social

engineering awareness (LSEA) (Rocha Flores & Ekstedt, 2016). Each item uses Likert-type

scales of 0 (strongly disagree) to 10 (strongly agree) (Rocha Flores & Ekstedt, 2016). No anchors

were given for other scale points. Item scores were summed for an overall index. The scores

ranged from 0 to 50.

The scales identified for this study were adopted from Rocha Flores and Ekstedt (2016).

These scales tie in with the theoretical framework, described in Figure 1, and the research

questions of the study, as it is the researcher's goal to determine whether organizational security factors,

information security awareness factors, and individual security factors predict the level of

security awareness. The scales used multiple-item measures, which increase accuracy and

consistency when measuring the variables. Measuring the variables with Likert-type scales

facilitates standardizing and quantifying the relative effects (Wikman, 2006). There is an

ongoing debate as to the ordinal versus interval nature of the Likert-type scales, but several

studies explained that when using multiple Likert-type questions, interval assumptions are

appropriate (Awang, Afthanorhan, & Mamat, 2016; Carifio & Perla, 2008). Also, when the

responses to the scales are summed, the sum is treated as a continuous variable. No

modification of the existing scales was done to adjust for this study.

Previous reliability and validity values for these scales are adequate. For the

organizational structure variable, the reliability and validity measures were CR

= 0.957 and AVE = 0.816 for transformational leadership and CR = 0.911 and AVE = 0.594 for

information security culture (Rocha Flores & Ekstedt, 2016). For the information security

awareness variable, the reliability and validity measures were CR = 0.922 and AVE = 0.855 for

general information security awareness (Rocha Flores & Ekstedt, 2016). For information security

policy awareness, the reliability and validity measures were CR = 0.918 and AVE = 0.736 and

the standardized coefficients were between 0.64 and 0.64 (Rocha Flores & Ekstedt, 2016). For

the intrinsic beliefs variable, the reliability and validity measures were CR = 0.942 and AVE =

0.903 for self-efficacy (SE) (Rocha Flores & Ekstedt, 2016). For attitude (A), the reliability and

validity measures were CR = 0.947 and AVE = 0.817 (Rocha Flores & Ekstedt, 2016). For

normative beliefs, the reliability and validity measures were CR = 0.965 and AVE = 0.873

(Rocha Flores & Ekstedt, 2016).

Hypotheses

The research questions of this study are: (a) To what extent, if at all, do organizational

security factors (i.e., transformational leadership and information security culture) predict the

level of social engineering awareness among healthcare end-users? (b) To what extent, if at all,

do information security awareness factors (i.e., general information security awareness and

information security policy awareness) predict the level of social engineering awareness among

healthcare end-users? and (c) To what extent, if at all, do individual security factors (i.e., end-

users’ self-efficacy, attitude, and normative beliefs) predict the level of social engineering

awareness of healthcare end-users?

The model shown below in Figure 1 was constructed because the research questions

asked about the ability of organizational security factors, information security awareness factors,

and individual security factors to predict the level of social engineering awareness. The model

represents the level of social engineering awareness as an effect of organizational security

factors, information security awareness factors and individual security factors.

Figure 1. Research model showing the level of social engineering awareness as an effect of
organizational security factors, information security awareness factors, and individual security
factors.

The first null and alternative hypotheses are as follows:

H1o: The organizational security factors (i.e., transformational leadership and information

security culture) do not significantly predict the level of social engineering awareness of

healthcare end-users.

H1a: The organizational security factors (i.e., transformational leadership and information

security culture) significantly predict the level of social engineering awareness of healthcare end-

users.

The second null and alternative hypotheses are as follows:

H2o: The information security awareness factors (i.e., general information security

awareness and information security policy awareness) do not significantly predict the level of

social engineering awareness of healthcare end-users.

H2a: The information security awareness factors (i.e., general information security

awareness and information security policy awareness) significantly predict the level of social

engineering awareness of healthcare end-users.

The third null and alternative hypotheses are as follows:

H3o: The individual security factors (i.e., end-users’ self-efficacy, attitude, and

normative beliefs) do not significantly predict the level of social engineering awareness of

healthcare end-users.

H3a: The individual security factors (i.e., end-users’ self-efficacy, attitude, and

normative beliefs) significantly predict the level of social engineering awareness of healthcare

end-users.

Data Analysis

Data analysis techniques of descriptive statistics and multiple regression analysis were

used in this study. Descriptive statistics were used to analyze the distribution of variables of the

study using IBM SPSS Statistics. Multiple regression was used to learn about the relationship

between the predictor variables and the criterion variable using IBM SPSS Statistics. Multiple

regression allowed the researcher to ask which predictor variables are the best indicator of the

criterion variable.

The multiple regression analysis approach in this study required assumptions of

homoscedasticity, normality, and linearity. The IBM SPSS computer program, used for the

multiple regression analyses discussed below, provided the statistical analysis of these

assumptions. If these assumptions were not met, transformations of the raw data were used, where

possible, to ensure adherence to the assumptions.

The assumptions are as follows:

• The criterion variable is measured at the continuous level.

• The predictor variables are measured at the continuous level.

• The observations are independent. The respondents completed the survey independently.

• There is a linear relationship between the criterion variable and each of the predictor

variables. This assumption was verified by constructing scatterplots of the criterion

variable versus each predictor variable.

• Data shows homoscedasticity (the variances along the line of best fit remain similar as

you move along the line).

• Data does not show multicollinearity. This assumption was verified by examining the

tolerance and Variance Inflation Factor (VIF) values. A tolerance value of .10 or less

indicated multicollinearity and a VIF value of 10 or higher indicated multicollinearity.

• Data does not have any outliers. The Outlier Labeling Rule was used to determine if there

were any outliers in the criterion and predictor variable distributions.

• The residuals (errors) are approximately normally distributed. This was checked by

constructing a histogram with a superimposed normal curve.

Descriptive Statistics

The researcher used descriptive statistics to describe the basic attributes of the

distribution of the data in the form of means, standard deviations, and score ranges. The means

and standard deviations summarized the distribution, and the score range showed how much

responses vary. Also, the researcher computed internal consistency reliability coefficients

(Cronbach’s alpha) for all composite scores used in this study.

Multiple Regression Analysis

To analyze the hypothesized relationships, this research used multiple regression

analysis. Multiple regression analysis is used to see if there is a statistically significant

relationship between sets of variables. This type of analysis helps one to understand how the

typical value of the criterion variable changes when any one of the predictor variables is varied,

while the other predictor variables are held fixed. Multiple regression analysis is widely used for

prediction and forecasting and is also used to understand which among the predictor variables are

related to the criterion variable, and to explore the forms of these relationships. Relationships

depicted in regression analysis are, however, associative only, and any cause-effect (causal)

inference is purely subjective.

Statistical tests were conducted to obtain the F statistic, the R2, the adjusted R2, the t

statistic, and the standardized coefficients (Beta coefficients). The F statistic for the model was

used to determine if the combination of the three predictors significantly predicts the criterion

variable. The R2 was used to determine the proportion of variability in the criterion variable that

is explained by the combination of the three predictors. Adjusted R2 would be an estimate for the

population R2 if the model were used on the study population. Adjusted R square gives a

realistic indication of the predictive power of the study model whereas R2 is overoptimistic. The

t statistic for each coefficient was examined to determine which predictors contribute

significantly to the prediction of the criterion. The standardized coefficients (Beta coefficients)

were examined to determine the relative strength of each predictor in the prediction of the

criterion variable. Below are the research questions, hypotheses, and criterion and predictor

variables, showing how the criterion and predictor variables relate to the hypotheses and

how the hypotheses relate to the research questions.

RQ1: To what extent, if at all, do organizational security factors (i.e., transformational

leadership and information security culture) predict the level of social engineering awareness

among healthcare end-users?

Hypotheses:

H1o: The organizational security factors (i.e., transformational leadership and information

security culture) do not significantly predict the level of social engineering awareness of

healthcare end-users.

H1a: The organizational security factors (i.e., transformational leadership and information

security culture) significantly predict the level of social engineering awareness of healthcare end-users.

Variables:

Criterion – the level of social engineering awareness – measured by the intent to resist scale which

consists of 5 items. The scale responses range from 0 - strongly disagree to 10 - strongly agree.

The score is calculated by summing the responses. The scores ranged from 0 to 50.

Predictor – organizational security factors – measured by the organizational structure scale

which consists of 12 questions. The scale responses range from 0 - strongly disagree to 10 -

strongly agree. The score is calculated by summing the responses. The scores ranged from 0 to

120.

RQ2: To what extent, if at all, do information security awareness factors (i.e., general

information security awareness and information security policy awareness) predict the level of

social engineering awareness among healthcare end-users?

Hypothesis:

H2o: The information security awareness factors (i.e., general information security

awareness and information security policy awareness) do not significantly predict the level of

social engineering awareness of healthcare end-users.

H2a: The information security awareness factors (i.e., general information security

awareness and information security policy awareness) significantly predict the level of social

engineering awareness of healthcare end-users.

Variables:

Criterion – the level of social engineering awareness – measured by the intent to resist scale which

consists of 5 items. The scale responses range from 0 - strongly disagree to 10 - strongly agree.

The score is calculated by summing the responses. The scores ranged from 0 to 50.

Predictor – information security awareness – measured by the general information security

awareness and information security policy awareness scale, which consists of 6 items. The scale

responses range from 0 - strongly disagree to 10 - strongly agree. The score is calculated by

summing the responses. The scores ranged from 0 to 60.

RQ3: To what extent, if at all, do individual security factors (i.e., end-users’ self-efficacy, attitude, and normative beliefs) predict the level of social engineering awareness of

healthcare end-users?

Hypotheses:

H3o: The individual security factors (i.e., end-users’ self-efficacy, attitude, and normative

beliefs) do not significantly predict the level of social engineering awareness of healthcare end-users.

H3a: The individual security factors (i.e., end-users’ self-efficacy, attitude, and

normative beliefs) significantly predict the level of social engineering awareness of healthcare

end-users.

Variables:

Criterion - the level of social engineering awareness – measured by the intent to resist

scale which consists of 5 items. The scale responses range from 0 - strongly disagree to 10 -

strongly agree. The score is calculated by summing the responses. The scores ranged from 0 to

50.

Predictor – individual security factors – measured by the intrinsic beliefs scale which

consists of 17 items. The scale responses range from 0 - strongly disagree to 10 - strongly agree.

The score is calculated by summing the responses. The scores ranged from 0 to 170.

Validity and Reliability

The survey used for this study was adapted from a pre-existing survey developed by

Rocha Flores and Ekstedt (2016). The instruments were drawn from past literature and based on

their nature are not limited to any industry (Rocha Flores & Ekstedt, 2016). The instrument was

pretested on a sample of 200 employees; the results of the pretest resulted in minor corrections to

the wording of the items (Rocha Flores & Ekstedt, 2016). To ensure that the minor wording

corrections were completed correctly, the instrument was proofread by a professional translation

company (Rocha Flores & Ekstedt, 2016). All instruments showed adequate reliability and

validity, measured in terms of composite reliability (CR) and average variance extracted (AVE).

However, these values, along with Cronbach’s alpha internal consistency and the reliability

coefficients were computed again in the study to ensure that validity and reliability are

consistent. The reliability and validity measures are mentioned below.

The CR is similar to Cronbach’s alpha except that the factor loadings are considered,

rather than assuming that each item is equally weighted in forming the latent variable; an

acceptable rating for this is 0.7 (Rocha Flores & Ekstedt, 2016). The AVE is a validity measure

of the amount of observed variance in the items that are attributable to the hypothesized factors;

an acceptable rating is 0.5 (Rocha Flores & Ekstedt, 2016).

For the organizational structure variable, the reliability and validity measures were CR =

0.957 and AVE = 0.816 for transformational leadership and CR = 0.911 and AVE = 0.594 for

information security culture (Rocha Flores & Ekstedt, 2016). For the information security

awareness variable, the reliability and validity measures were CR = 0.922 and AVE = 0.855 for

general information security awareness (Rocha Flores & Ekstedt, 2016). For information security

policy awareness, the reliability and validity measures were CR = 0.918 and AVE = 0.736 and

the standardized coefficients were between 0.64 and 0.64 (Rocha Flores & Ekstedt, 2016). For

the intrinsic beliefs variable, the reliability and validity measures were CR = 0.942 and AVE =

0.903 for self-efficacy (SE) (Rocha Flores & Ekstedt, 2016). For attitude (A), the reliability and

validity measures were CR = 0.947 and AVE = 0.817 (Rocha Flores & Ekstedt, 2016). For

normative beliefs, the reliability and validity measures were CR = 0.965 and AVE = 0.873

(Rocha Flores & Ekstedt, 2016). These values are indicative of adequate reliability and validity.

Ethical Considerations

Before collecting data for the study, the researcher received training and the required

approval from the Capella University Institutional Review Board (IRB). The researcher

completed the required ethical training modules and submitted the required IRB forms for approval.

No data collection occurred before IRB approval.

Before collecting data, the researcher required participants to provide written, informed

consent. Potential participants received an e-mail invitation containing a letter of consent that

outlined the purpose of the research and the risks and benefits of participation. There are no

direct benefits of participation, and the researcher did not provide any reward or incentive, but

the participants may benefit indirectly through improved security awareness training that may

partly result from the findings of this study. Risks of participation are negligible but may include

some degree of emotional distress if participants have strong emotional reactions to issues

related to security awareness and cybercrime. Participants indicated their consent by clicking a

link that took them to the survey.

The method of solicitation stressed that participation in this study was voluntary and

confidential. Responses were anonymous in that there was not a way to connect a participant to a

specific survey response. The researcher informed participants of their anonymity and

confidentiality in the e-mailed consent letter. Participants did not receive feedback on their

participation in the study, but they did have access to the researcher's contact information and the

contact information of a representative of the researcher's university, and they can contact either

of those people if they are interested in receiving a copy of the published dissertation.

Regarding data collection and analysis, the data was anonymized by the SurveyMonkey

data collection tool, so the researcher did not have access to any personally identifying

information for any of the respondents. The researcher downloaded the anonymous responses

from SurveyMonkey and stored the data on a password-protected hard drive during the data

analysis process. In the final research report, the researcher presented results only in aggregate,

not providing the details of any individual response, to further protect participants' anonymity.

After the study concluded, the researcher will keep the raw data on a password-protected hard

drive for seven years, after which the data will be securely erased from the drive.

The researcher does not intend to edit or fabricate data, and the researcher intends to

report all findings, not just those representing positive or significant results. The researcher did

not change the hypotheses of the study to fit the research findings, nor did the researcher avoid

reporting negative findings. This study, including all data, is the result of the researcher’s

original work.

Summary

This chapter summarized the purpose of the study; it then described the research design

and methodology, the target population and sample size, and data collection technique. This

chapter also described the quantitative instrumentation and the data analysis procedures, which

included explaining the justification of using a pre-existing survey. Finally, this chapter

described participant selection criteria, along with a discussion for ensuring data access and

mitigating confidentiality concerns for the study participants. The remaining chapters presented

the following: Chapter 4 presented data relating to the study results. Chapter 5 presented

discussions, implications, and recommendations.

CHAPTER 4. RESULTS

Introduction

Chapter 4 includes a presentation of the results of this study, covering demographic

information and multiple linear regression model results. Descriptive statistics were calculated

for each of the demographic questions. The hypotheses were tested using multiple regression

analysis. Multiple regression was used to measure the extent to which individual security factors,

information security awareness factors, and organizational security factors predicted the level of

social engineering awareness among healthcare end-users. The chapter starts by answering the

research questions and hypotheses. The next section discusses the sample, demographics, and

descriptive statistics. Following is a section containing details about the results, including the

multiple regression analysis. The chapter concludes by restating the findings and answers the

research questions.

The goal of this study was to determine the extent to which individual security factors,

information security awareness factors, and organizational security factors predicted level of

social engineering awareness among healthcare end-users. The researcher followed a quantitative

regression approach to test the hypotheses and address the research questions. Assumption

testing was also conducted and showed that the predictor variables did not contain

multicollinearity and the criterion variable closely followed a normal distribution. The results of

the hypothesis testing showed that there was a statistically significant relationship between

individual security factors and level of social engineering awareness among healthcare end-users,

there was a statistically significant relationship between information security awareness factors

and level of social engineering awareness among healthcare end-users, and there was no

statistically significant relationship between organizational security factors and level of social

engineering awareness among healthcare end-users.

Data Collection Results

In total, 118 responses were received via SurveyMonkey Audience. The number of

responses was higher than the minimum of 107 required, as indicated by the power analysis. The

participants’ responses were loaded into SPSS to perform the statistical analysis and test the

hypotheses. The respondent data were analyzed by first searching for and addressing any missing

values and outliers. Upon visual inspection of the data, a total of five outliers were eliminated

from the analysis; all five outliers had exceptionally low scores on one or more of the scales. For

the organizational structure scale, three responses scored below 20. For the information security

awareness scale, three responses scored below 20. For the intrinsic beliefs scale, two responses

scored below 50. For the intent to resist scale, three responses scored below 25. After outlier

removal, a final sample of 113 usable responses was retained for analysis.

Instrument Reliability

Cronbach’s alpha is a measure of a scale’s internal consistency and is indicated as a

number between zero and one (Tavakol & Dennick, 2011). Internal consistency measures how

similar the items are within the scale. The survey instrument was based on Rocha Flores and

Ekstedt’s (2016) instrument because it contained scales necessary to collect the data for this

study. The Rocha Flores and Ekstedt instrument contains measurement scales for organizational

security, information security awareness, individual security factors, and level of social

engineering awareness. In this study, the Cronbach’s alpha scores for each scale were as follows:

organizational security (12 items), α = .965; information security awareness (six items), α = .941;

individual security (17 items), α = .973; level of social engineering awareness (five items), α =

.945. These alpha scores indicated a high degree of inter-item reliability. A reliability coefficient

of .90 or higher is considered excellent (Yang & Green, 2011). All the scales have reliability

within the excellent range. Table 1 summarizes the instrument reliability results.

Table 1

Reliability for the Predictor and Criterion Variables, N = 113

Variable Reliability

Predictor

Organizational Security .965

Information Security Awareness .941

Individual Security .973

Criterion

Level of Social Engineering Awareness .945
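To show how the alpha values in Table 1 are obtained from item-level responses, here is an added example (not the dissertation's SPSS procedure) using constructed responses on the survey's 0-10 item scale and the .90 threshold the text cites from Yang & Green (2011).

```python
"""Cronbach's alpha for a summed Likert scale, in pure Python.

Added example (not the dissertation's SPSS output). It computes the
internal-consistency coefficient for item-level responses on the 0-10
scale the survey uses and applies the .90 "excellent" threshold cited
from Yang & Green (2011). The respondent rows below are constructed.
"""
from statistics import pvariance
from typing import Sequence

EXCELLENT = 0.90  # threshold quoted in the text


def cronbach_alpha(responses: Sequence[Sequence[float]]) -> float:
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total score)).

    responses: one row per respondent, one column per scale item.
    Population variances are used throughout; the ratio is unchanged if
    sample variances are used consistently instead.
    """
    k = len(responses[0])
    if k < 2:
        raise ValueError("alpha needs at least two items")
    if any(len(r) != k for r in responses):
        raise ValueError("every respondent must answer every item")
    items = list(zip(*responses))                 # transpose to per-item columns
    item_var_sum = sum(pvariance(col) for col in items)
    totals = [sum(r) for r in responses]          # the summed scale score
    total_var = pvariance(totals)
    if total_var == 0:
        raise ValueError("total score has no variance; alpha is undefined")
    return (k / (k - 1)) * (1 - item_var_sum / total_var)


def is_excellent(alpha: float) -> bool:
    """Yang & Green (2011) threshold quoted in the text: .90 or higher."""
    return alpha >= EXCELLENT


# Constructed responses on a 3-item, 0-10 scale (four respondents).
# The items move together, so internal consistency should be high.
CONSTRUCTED = [
    [10, 9, 10],
    [8, 8, 7],
    [5, 6, 5],
    [1, 1, 2],
]

# Constructed responses where the first two items contradict each other;
# alpha falls below zero, which flags items that do not belong on one scale.
INCONSISTENT = [
    [10, 1, 5],
    [1, 10, 5],
    [10, 1, 6],
    [1, 10, 4],
]


def report(responses: Sequence[Sequence[float]]) -> dict:
    """Alpha rounded to three decimals plus the excellence flag."""
    a = cronbach_alpha(responses)
    return {"alpha": round(a, 3), "excellent": is_excellent(a)}


if __name__ == "__main__":
    print(report(CONSTRUCTED))    # high alpha, excellent
    print(report(INCONSISTENT))   # negative alpha, not excellent
```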

Assumption Testing

Before calculating the multiple regression model to address the research questions and

hypotheses, it was essential to establish whether the data met the statistical assumptions for

multiple regression analysis. Multiple regression analysis assumes that the predictor and criterion

variables are continuous, that observations are independent, that there is a linear relationship

between the criterion variable and the predictor variables, that data show homoscedasticity

(similar variances along the line of best fit), that there are no outliers, that there is no

multicollinearity, and that data are normally distributed.

The criterion variable of the level of social engineering awareness is measured on a

continuous scale as the sum of the response scores for each of the six items. When the responses

are summed, the resulting variable is continuous. The predictor variables are also continuous;

87
each is measured as the continuous sum of the responses for all items within each scale.

Therefore, the assumption of continuous variables is supported.

Multiple regression analysis assumes that observations are independent, with no mutual

influence or dependency. The respondents completed the survey independently and answered the

questions independently. They had no interaction with one another during the process of

completing the survey, and they did not know of one another's identities. Therefore, their

responses could not have had any mutual influence, and the assumption of independent

observations is supported.

The third assumption is that there is a linear relationship between the criterion variable

and each of the predictor variables. This assumption was verified by calculating the correlations

between the criterion variable and the predictor variables. The correlations ranged from .620 to

.831. All the correlations were significant at the .01 level, indicating that there is a linear

relationship between the criterion variable and the predictor variables. Table 2 summarizes the

results of linear relationship testing.

Table 2

Correlations of Criterion Variable (Level of Social Engineering Awareness) with Predictor

Variables, N = 113

Variable r

Organizational Security .620**

Information Security Awareness .819**

Individual Security .831**

**p < .01

The fourth assumption for multiple regression analysis is that data show

homoscedasticity (i.e., the variances along the line of best fit remain similar as you move along

the line). To test for homoscedasticity, the standardized residuals were plotted against the

standardized predicted values. A scatterplot centered around the best fit line with variance

approximately random indicates homoscedasticity. Examination of the scatterplot indicated that

there is homoscedasticity, supporting the assumption. Figure 2 shows the homoscedasticity

results.

Figure 2. Scatterplot to check for homoscedasticity (standardized residual by standardized predicted values for the level of social engineering awareness).

The fifth assumption is that there are no outliers in the data. The outlier labeling rule

(Hoaglin & Iglewicz, 1987) was used to determine whether there were any outliers in the

predictor and criterion variable distributions. The formulas for determining the lower and upper

limits for outliers to the distributions are:

Lower limit = Q1 - [(Q3 - Q1) * 2.2]   (1)

Upper limit = Q3 + [(Q3 - Q1) * 2.2]   (2)

Values that fell outside of the lower and upper limits were considered outliers. The

minimum value should be higher than the lower limit, and the maximum value should be less

than the upper limit. All the minimum and maximum values for the sample met this criterion.

Therefore, there are no outliers in the sample used for analysis (n = 113). Table 3 summarizes the

results of the outlier analysis.

Table 3

Outlier Labeling Rule Analysis, N = 113

Variable                                Q1     Q3     Min    LL     Max    UL
Predictors
Organizational Security                 80.5   111.0  25.0   13.4   120.0  178.1
Information Security Awareness          45.5   58.5   30.0   16.9   60.0   87.1
Individual Security                     89.0   116.5  51.0   28.5   120.0  177.0
Criterion
Level of Social Engineering Awareness   40.0   50.0   25.00  18.0   50.0   72.0

Note. Q1 = 1st quartile (25th percentile), Q3 = 3rd quartile (75th percentile), Min = minimum,
LL = lower limit, Max = maximum, UL = upper limit
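Equations (1) and (2) and the Table 3 checks, as an added example that is not the dissertation's own procedure: it recomputes LL and UL from the quartiles reported in Table 3 and applies the rule to a constructed score list, assuming Python's 'inclusive' quantile method for Q1 and Q3 (SPSS offers several percentile definitions).

```python
"""Outlier labeling rule (Hoaglin & Iglewicz, 1987) with the 2.2 multiplier.

Added example, not the dissertation's SPSS procedure. Quartiles use
Python's 'inclusive' quantile method (an assumption; SPSS offers several
percentile definitions, so Q1/Q3 can differ slightly at the margins).
The score list below is constructed; the Table 3 quartiles are the
dissertation's reported values.
"""
from statistics import quantiles
from typing import Dict, List, Sequence, Tuple

G = 2.2  # multiplier in equations (1) and (2)


def limits(q1: float, q3: float) -> Tuple[float, float]:
    """Equations (1) and (2): LL = Q1 - g*(Q3 - Q1), UL = Q3 + g*(Q3 - Q1)."""
    iqr = q3 - q1
    return q1 - G * iqr, q3 + G * iqr


def label_outliers(scores: Sequence[float]) -> Dict[str, object]:
    """Flag values outside [LL, UL] and report the min/max checks the text describes."""
    if len(scores) < 4:
        raise ValueError("need at least four scores to form quartiles")
    q1, _, q3 = quantiles(scores, n=4, method="inclusive")
    ll, ul = limits(q1, q3)
    flagged = sorted(v for v in scores if v < ll or v > ul)
    return {
        "q1": q1, "q3": q3, "ll": ll, "ul": ul,
        "min": min(scores), "max": max(scores),
        "outliers": flagged,
        # the text's criterion: minimum above LL and maximum below UL
        "assumption_met": min(scores) > ll and max(scores) < ul,
    }


# Q1 and Q3 as reported in Table 3 (the raw sample scores are not on the page).
TABLE3_QUARTILES = {
    "Organizational Security": (80.5, 111.0),
    "Information Security Awareness": (45.5, 58.5),
    "Individual Security": (89.0, 116.5),
    "Level of Social Engineering Awareness": (40.0, 50.0),
}


def table3_limits() -> Dict[str, Tuple[float, float]]:
    """Recompute LL and UL from the reported quartiles (rounded to one decimal)."""
    return {name: tuple(round(v, 1) for v in limits(q1, q3))
            for name, (q1, q3) in TABLE3_QUARTILES.items()}


# Constructed intent-to-resist totals (0-50 scale) with one extreme low score,
# mimicking the kind of response the text says was removed before analysis.
CONSTRUCTED_SCORES: List[float] = [42, 45, 38, 50, 47, 44, 49, 5, 46, 43]


if __name__ == "__main__":
    for name, (ll, ul) in table3_limits().items():
        print(f"{name}: LL={ll} UL={ul}")
    print(label_outliers(CONSTRUCTED_SCORES))
```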

Multiple regression analysis also assumes that there is no multicollinearity in the data.

This assumption was verified by examining the tolerance and variance inflation factor (VIF)
values. The tolerance value for a predictor variable is calculated as (1-R2). This represents the

proportion of a variance in a predictor variable that is not related to other predictor variables in a

model (O’Brien, 2007). If the tolerance value is .10 or less, multicollinearity is indicated. The

Variance Inflation Factor (VIF) is the reciprocal of the tolerance value. VIF measures how much

the variance of an estimated regression coefficient is increased because of collinearity (O’Brien,

2007). VIF value is calculated as 1/(1-R2). If the VIF value is greater than 10, multicollinearity is

indicated. The tolerance values for all three predictor variables were greater than .10, and the

VIF values for all three predictor variables were less than 10, indicating no multicollinearity.

Table 4 summarizes the results of the multicollinearity test.

Table 4

VIF and Tolerance for the Predictor Variables, N = 113

Predictor variables Tolerance VIF

Organizational Security 0.434 2.304

Information Security Awareness 0.184 5.435

Individual Security 0.189 5.291

Finally, multiple regression analysis assumes that the residuals (errors) are approximately

normally distributed. This was checked by constructing a histogram with a superimposed normal

curve. Figure 3 shows that the distribution of the residuals is approximately normal. Therefore,

the assumption is supported.

Figure 3. Histogram with normal curve overlay for the regression residuals.

Descriptive Analysis

The descriptive analysis consists of two sections. In the first section, the demographic

statistics are presented, including those related to gender, age, and education. The second section

contains the descriptive statistics according to each of the study variables.

Demographic Statistics

The target population for this study consisted of healthcare end-users aged 21–65.

Demographic questions on the survey asked about gender, age, and level of education. Table 5

summarizes the demographic statistics for the sample.

Table 5

Sample Demographics, N = 113

Variable n %
Gender
Female 97 85.8%
Male 16 14.2%
Age
21 – 29 yrs 13 11.5%
30 – 39 yrs 30 26.5%
40 – 49 yrs 27 23.9%
50 – 59 yrs 33 29.3%
60 – 65 yrs 10 8.8%
Education
High School 35 31.0%
Associate 33 29.2%
Bachelor 24 21.2%
Master 14 12.4%
Doctorate 7 6.2%

For gender, there were 97 female and 16 male participants, which represented 85.8% and

14.2% of the sample, respectively. An analysis of the age groups shows that 11.5% identified

themselves in the 21–29 age group, 26.5% of participants were in the 30–39 age group, 23.9% of

participants were in the 40–49 age group, 29.3% were in the 50–59 age group and 8.8% were in

the 60–65 age group. An analysis of highest level of education shows that 31% of participants

identified themselves as having a high school diploma, 29.2% identified themselves as having an

associate’s degree, 21.2% identified themselves as having a bachelor’s degree, 12.4% identified

themselves as having a master’s degree, and 6.2% identified themselves as having a doctorate.

Variable Descriptive Statistics

There were three predictor variables (organizational security, information security

awareness, and individual security) and one criterion variable (level of social engineering

awareness). The descriptive statistics for each variable are summarized in Table 6.

Table 6

Variable Descriptive Statistics, N = 113

Scale                                   M      SD    Med    Min    Max
Predictor
Organizational Security                 93.0   19.8  94.0   25.0   120.0
Information Security Awareness          50.1   8.7   51.0   30.0   60.0
Individual Security                     100.2  18.4  105.0  51.0   120.0
Criterion
Level of Social Engineering Awareness   44.3   7.4   49.0   25.0   50.0

Organizational security contained 12 questions with a response scale of 0 (strongly

disagree) to 10 (strongly agree). The score was calculated by summing the responses. Possible

scores could range from 0 to 120. For this sample, the scores ranged from 25.0 to 120.0, with a

mean of 93.0 and a standard deviation of 19.8.

The information security awareness scale contained six questions with a response scale of

0 (strongly disagree) to 10 (strongly agree). The score was calculated by summing the responses.

Possible scores could range from 0 to 60. For this sample, the scores ranged from 30.0 to 60.0,

with a mean of 50.1 and a standard deviation of 8.7.

Individual security contained 17 questions with a response scale of 0 (strongly disagree)

to 10 (strongly agree). The score was calculated by summing the responses. Possible scores

could range from 0 to 170. For this sample, the scores ranged from 51.0 to 120.0, with a mean of

100.2 and a standard deviation of 18.4.

Level of social engineering awareness contained five questions with a response scale of

0 (strongly disagree) to 10 (strongly agree). The score was calculated by summing the responses.

Possible scores could range from 0 to 50. For this sample, the scores ranged from 25.0 to 50.0,

with a mean of 44.3 and a standard deviation of 7.4.

Multiple Regression Results

Multiple linear regression was utilized to test the research hypotheses and address the

research questions to determine which predictor variables (organizational security, information

security awareness, and individual security) contributed to the prediction of the criterion variable

(level of social engineering awareness). The F statistic for the model was used to determine if the

combination of the three predictors significantly predicted the criterion variable. R2 was used to

determine the proportion of variability in the criterion variable that was explained by the

combination of the three predictors. The t statistic for each coefficient was examined to

determine which predictors contributed significantly to the prediction of the criterion. The

standardized coefficients (β) were examined to determine the relative strength of each predictor

in the prediction of the criterion variable.

The results of the regression analysis are summarized in Table 7.

Table 7

Regression Results for Level of Social Engineering Awareness on Predictor Variables, N = 113

Variable B SE B β t p

Organizational Security -0.015 0.029 -0.040 .526 0.600

Information Security Awareness 0.333** 0.100 0.394 3.345 0.001

Individual Security 0.204** 0.047 0.508 4.358 0.000

Note. R2 = .72, adjusted R2 = .71, F (3, 109) = 93.65, p < .001


*p < .05; **p < .01

The model was significant, F (3, 109) = 93.65, p < .001. The combination of the three

predictors (organizational security, information security awareness, individual security)

significantly predicts the criterion variable (level of social engineering awareness). The

combination of the three predictors accounts for 72% of the variability in the level of social

engineering awareness, which is shown with R2= .72 and adjusted R2 = .71.

Organizational security was not significant (t = .526, p = .600), indicating that

organizational security does not contribute significantly to the prediction of the level of social

engineering awareness in the presence of the other two predictors. Information security

awareness was significant, (t = 3.345, p = .001), indicating that information security awareness

contributes significantly to the prediction of the level of social engineering awareness in the

presence of the other two predictors. Individual security was significant, (t = 4.358, p = .000)

indicating that individual security contributes significantly to the prediction of the level of social

engineering awareness in the presence of the other two predictors. The beta coefficients indicated

that individual security was the strongest predictor (β = .508), followed by information security

awareness (β = .394). These values indicate that both variables were strong predictors overall.
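The fit statistics reported for Table 7 (R2, adjusted R2, F) and the tolerance/VIF diagnostics of Table 4 can be reproduced from first principles. The following is an added example, not the dissertation's SPSS output: it assumes a small pure-Python OLS solver written here for the purpose, constructed sample rows, and the page's reported values R2 = .72, N = 113, k = 3 and the Table 4 tolerances.

```python
"""Multiple-regression fit statistics and multicollinearity diagnostics.

Added example, not the dissertation's SPSS output. A small ordinary
least-squares solver (normal equations, Gauss-Jordan elimination, no
numpy) yields R2, adjusted R2 and the model F statistic as described
for Table 7, and tolerance / VIF for each predictor via the auxiliary
regressions the text describes for Table 4. Sample rows are constructed;
the Table 4 tolerances and Table 7 R2 are the dissertation's values.
"""
from typing import Dict, List, Sequence, Tuple


def _solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a @ x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        p = m[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular design matrix: perfectly collinear predictors")
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def adjusted_r2(r2: float, n: int, k: int) -> float:
    """Adjusted R2 = 1 - (1 - R2)(n - 1)/(n - k - 1)."""
    return 1.0 - (1.0 - r2) * (n - 1) / (n - k - 1)


def f_statistic(r2: float, n: int, k: int) -> float:
    """Model F on (k, n - k - 1) degrees of freedom, computed from R2."""
    if r2 >= 1.0:
        return float("inf")
    return (r2 / k) / ((1.0 - r2) / (n - k - 1))


def ols(x: Sequence[Sequence[float]], y: Sequence[float]) -> Dict[str, object]:
    """Fit y = b0 + b1*x1 + ... + bk*xk; return coefficients and fit statistics."""
    n, k = len(y), len(x[0])
    rows = [[1.0] + list(r) for r in x]                # intercept column
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k + 1)] for i in range(k + 1)]
    xty = [sum(r[i] * yi for r, yi in zip(rows, y)) for i in range(k + 1)]
    beta = _solve(xtx, xty)
    fitted = [sum(b * v for b, v in zip(beta, r)) for r in rows]
    y_bar = sum(y) / n
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    ss_tot = sum((yi - y_bar) ** 2 for yi in y)
    if ss_tot == 0:
        raise ValueError("criterion has no variance")
    r2 = 1.0 - ss_res / ss_tot
    return {"coef": beta, "r2": r2, "adj_r2": adjusted_r2(r2, n, k),
            "f": f_statistic(r2, n, k), "df": (k, n - k - 1)}


def tolerance_vif(x: Sequence[Sequence[float]]) -> List[Tuple[float, float]]:
    """(tolerance, VIF) per predictor: regress it on the others, tol = 1 - R2_j."""
    k = len(x[0])
    out = []
    for j in range(k):
        others = [[v for i, v in enumerate(r) if i != j] for r in x]
        tol = 1.0 - ols(others, [r[j] for r in x])["r2"]
        out.append((tol, 1.0 / tol if tol > 0 else float("inf")))
    return out


def vif_from_tolerance(tol: float) -> float:
    """VIF is the reciprocal of tolerance (re-derives the Table 4 VIF column)."""
    return round(1.0 / tol, 3)


# Constructed rows: three predictors and a criterion built from them with
# no noise, so the fit should recover b = (5, 2, -1, 0.5) and R2 = 1.
X = [[1, 2, 1], [2, 1, 1], [3, 4, 2], [4, 3, 2],
     [5, 6, 1], [6, 5, 2], [7, 8, 3], [8, 7, 3]]
Y = [5 + 2 * a - b + 0.5 * c for a, b, c in X]

TABLE4_TOLERANCE = {"Organizational Security": 0.434,
                    "Information Security Awareness": 0.184,
                    "Individual Security": 0.189}
TABLE7 = {"r2": 0.72, "n": 113, "k": 3}   # F from the rounded R2 is ~93.4 vs 93.65 reported


if __name__ == "__main__":
    print(ols(X, Y))
    print(tolerance_vif(X))
    print({name: vif_from_tolerance(t) for name, t in TABLE4_TOLERANCE.items()})
    print(round(adjusted_r2(**TABLE7), 2), round(f_statistic(**TABLE7), 2))
```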

Analysis of Hypotheses

This study hypothesized that individual security factors, information security awareness

factors, and organizational security factors predict the level of social engineering awareness

among healthcare end-users. A hypothesis testing approach was used to answer the research

questions. The specific research questions and hypotheses are listed below, together with

the results of the hypothesis tests.

RQ1: To what extent, if at all, do organizational security factors (i.e., transformational

leadership and information security culture) predict the level of social engineering awareness

among healthcare end-users?

H1o: The organizational security factors (i.e., transformational leadership and information

security culture) do not significantly predict the level of social engineering awareness of

healthcare end-users.

H1a: The organizational security factors (i.e., transformational leadership and information

security culture) significantly predict the level of social engineering awareness of healthcare end-users.

For Research Question 1, the null hypothesis was accepted, and the alternative hypothesis

was rejected. The organizational security factors (i.e., transformational leadership and

information security culture) do not significantly predict the level of social engineering

awareness of healthcare end-users.

RQ2: To what extent, if at all, do information security awareness factors (i.e., general

information security awareness and information security policy awareness) predict the level of

social engineering awareness among healthcare end-users?

H2o: The information security awareness factors (i.e., general information security

97
awareness and information security policy awareness) do not significantly predict the level of

social engineering awareness of healthcare end-users.

H2a: The information security awareness factors (i.e., general information security

awareness and information security policy awareness) significantly predict the level of social

engineering awareness of healthcare end-users.

For Research Question 2, the null hypothesis was rejected, and the alternative hypothesis

was accepted. The information security awareness factors (i.e., general information security

awareness and information security policy awareness) significantly predict the level of social

engineering awareness of healthcare end-users.

RQ3: To what extent, if at all, do individual security factors (i.e., end-users’ self-efficacy,

attitude, and normative beliefs) predict the level of social engineering awareness of healthcare

end-users?

H3o: The individual security factors (i.e., end-users’ self-efficacy, attitude, and normative

beliefs) do not significantly predict the level of social engineering awareness of healthcare end-

users.

H3a: The individual security factors (i.e., end-users’ self-efficacy, attitude, and normative

beliefs) significantly predict the level of social engineering awareness of healthcare end-users.

For Research Question 3, the null hypothesis was rejected, and the alternative hypothesis

was accepted. The individual security factors (i.e., end-users’ self-efficacy, attitude, and

normative beliefs) significantly predict the level of social engineering awareness of healthcare

end-users.

Summary

The results of data analysis were presented in Chapter 4. The goal of this study was to determine the extent to which organizational security, information security awareness, and individual security predicted the level of social engineering awareness among healthcare end-users. The study followed a quantitative survey-based research method. Quantitative data were collected and analyzed using IBM SPSS. Multiple linear regression was used to test the research hypotheses. The chapter began with a discussion of the demographic results and descriptive statistics. One hundred thirteen participants provided the data for the analysis. The instrument reliability and multiple regression assumptions were delineated. The instrument scales provided a high degree of reliability, with each scale yielding a Cronbach's alpha above .90. Results indicated that information security awareness and individual factors, but not organizational factors, significantly predicted the level of social engineering awareness among healthcare end-users. Chapter 5 contains a discussion of results and the conclusion of this study. The chapter also includes the implications of the study and recommendations for future research.

CHAPTER 5. CONCLUSIONS

Introduction

The goal of this quantitative regression study was to determine to what extent, if any, organizational security factors, information security awareness factors, and individual security factors predict the level of social engineering awareness of healthcare end-users. Participants from SurveyMonkey Audience were asked to complete an online survey that consisted of demographic and Likert-type questions related to security factors and social engineering awareness. One hundred and thirteen healthcare end-users participated in the survey. Chapter 5 presents an overview of the study and the research findings and implications. The objective of this chapter is to present a discussion of the results of the study and also to discuss the implications for future research and application to practice. First, the research questions are evaluated, and the implications of the results are discussed. Next is a discussion of the extent to which the study fulfilled the research purpose outlined in Chapter 1. The study's contribution to the business technical problem is addressed next, followed by recommendations for further research illuminated by the results of this study. A conclusion ends the dissertation.

Evaluation of Research Questions

The purpose of this quantitative multiple regression study was to determine whether organizational security factors (i.e., transformational leadership and information security culture), information security awareness factors (i.e., general information security awareness and information security policy awareness), and individual security factors (i.e., end-users’ self-efficacy, attitude, and normative beliefs) predict the level of social engineering awareness among healthcare end-users in healthcare organizations in the continental United States. Based on this purpose, three research questions were formulated. This section evaluates each of them in light of the research results (presented in Chapter 4). Altogether, this study found that individual factors and information security awareness factors were more important than organizational factors in predicting the level of social engineering awareness among healthcare end-users.

Research Question 1: Organizational Security Factors

Research Question 1 asked, “To what extent, if at all, do organizational security factors (i.e., transformational leadership and information security culture) predict the level of social engineering awareness among healthcare end-users?” The results indicated that organizational security factors do not significantly predict the level of social engineering awareness among the sample of this study. This result was surprising because two of the three components of the theoretical framework (transformational leadership and organizational security culture) predicted that organizational factors would be important to information security awareness.

According to the transformational leadership theory, organizational leadership should have an influence on individuals’ behavior within an organization. In the context of information security, transformational leadership has been found to help predict employees’ intention to resist social engineering (Rocha Flores & Ekstedt, 2016) and to influence the effectiveness of security countermeasures (Humaidi & Balakrishnan, 2015). Therefore, it was expected that transformational leadership (one of the components of the organizational security measure in this study) would significantly relate to end-users’ social engineering awareness, but this was not the case.

Similarly, Lim et al. (2012) argued that an organizational security culture is vital in influencing the behavior of employees. Based on this component of the theoretical framework, it was expected that information security culture (the second component of the organizational security measure in this study) would relate to end-users’ social engineering awareness. However, no significance was identified.

The most important possible explanation for this surprising finding in the context of the present study is that the data on organizational security factors were collected via self-report from individual employees. These subjective responses may not have accurately reflected the organizational security settings in which the respondents were employed. For example, organizations with strong information security cultures at the leader level may not have been rated as such by employees whose roles provide them little opportunity to interact directly with the organization's leaders. Nevertheless, the theoretical framework of organizational security culture and transformational leadership presupposes that employees receive communication and are initiated into the culture of organizational security. Still, employees with negative attitudes toward their workplaces or other factors may have been less likely to indicate that their workplaces had strong organizational security cultures, regardless of the actual cultures in place. Controlling for attitudes or directly observing organizational security cultures could have prevented these possible errors; these will be necessary directions for future research.

Research Question 2: Information Security Awareness Factors

Research Question 2 asked, “To what extent, if at all, do information security awareness factors (i.e., general information security awareness and information security policy awareness) predict the level of social engineering awareness among healthcare end-users?” The results indicated that information security awareness factors do significantly predict the level of social engineering awareness among the sample of this study. This was the expected result, based on the theoretical framework. Rocha Flores and Ekstedt (2016) found that information security awareness was related to organizational security and intention to comply with information security policies. However, the relationship between information security awareness and social engineering awareness has not been previously studied. This finding, therefore, represents a significant contribution to the existing literature. This is an important result because it indicates that an overall strong level of security awareness includes awareness of the type of security breach known as social engineering.

Research Question 3: Individual Security Factors

Research Question 3 asked, “To what extent, if at all, do individual security factors (i.e., end-users’ self-efficacy, attitude, and normative beliefs) predict the level of social engineering awareness of healthcare end-users?” The results indicated that individual security factors significantly predict the level of social engineering awareness among the sample of this study. This result supports the results of existing literature showing that the "human factor" is among the most critical factors to ensuring the integrity of organizational information resources (Crossler et al., 2013; Narain Singh et al., 2014). It also supports Rocha Flores and Ekstedt (2016), who found a positive relationship between social engineering resistance and self-efficacy and attitude toward social engineering.

Additionally, this finding supports the need to invest at the individual level in order to improve social engineering awareness. Other researchers (e.g., Alkhamis & Renaud, 2016; Bullée et al., 2015a) have found that individual-level investments like training can significantly improve organizations’ security by reducing the rate at which employees engage in risky behavior or fall victim to social engineering attacks.

Finally, this finding strongly supports the theoretical framework of the theory of planned behavior. The theory of planned behavior posits that attitude, subjective norms, and self-efficacy about particular behaviors predict users’ intention to engage in that behavior. Previous researchers have confirmed the theory in studies of organizational information security (Ifinedo, 2014; Lebek et al., 2014; Safa et al., 2015). The present study adds another confirmation of the importance of these constructs in predicting social engineering awareness. Because social engineering awareness has been found to prevent employees from falling victim to social engineering attacks (Bullée et al., 2015a), this result suggests that focusing on improving individuals’ self-efficacy, attitudes, and normative beliefs about social engineering resistance could improve security outcomes for organizations.

Fulfillment of Research Purpose

The purpose of this study was to determine whether organizational security factors (i.e., transformational leadership and information security culture), information security awareness factors (i.e., general information security awareness and information security policy awareness), and individual security factors (i.e., end-users’ self-efficacy, attitude, and normative beliefs) predict the level of social engineering awareness among healthcare end-users in healthcare organizations in the continental United States. The results of multiple regression analysis (presented in Chapter 4) showed that information security awareness factors and individual security factors, but not organizational security factors, were statistically significant in predicting the level of social engineering awareness among the research sample. Because the data met all assumptions for the analysis and the research questions were answered using the data analysis, the study can be said to have fulfilled the research purpose.

An additional objective of this study was to contribute to knowledge toward understanding or resolving the business technical problem. The problem addressed in this study is the costly and increasing occurrence of data breaches in organizations that electronically transmit health information in the United States (Agaku et al., 2014; Gammons, 2017; Ponemon Institute, 2016). Social engineering is a particularly troubling type of security breach because it exploits vulnerabilities in individuals within the organization, and attackers convince internal end users to provide sensitive data. The present study contributes to this problem by reaffirming the importance of the human element in preventing such security breaches. Individual security factors and information security awareness factors were significant in predicting social engineering awareness. Therefore, in order to address and prevent social engineering breaches in the healthcare industry, it is crucial for IT managers to focus on improving individual security factors, particularly self-efficacy, normative beliefs, and attitudes, which together were the strongest predictors of social engineering awareness in the present study.

Contribution to Business Technical Problem

The business technical problem addressed in this study was the costly and increasing occurrence of data security breaches in the healthcare industry in the United States (Agaku et al., 2014; Gammons, 2017; Ponemon Institute, 2016). In order to resolve this problem, IT managers need a thorough understanding of the factors that promote social engineering awareness and, thereby, prevent end-users from falling victim to social engineering attacks (Bullée et al., 2015a). If IT managers know factors related to social engineering awareness, they can invest in interventions and people strategies that target those factors. As a result, the level of awareness of social engineering among employees could increase, and, in turn, the prevalence of successful social engineering attacks could decrease. It is important to prevent social engineering attackers from finding success with their victims because data breaches cost the healthcare industry up to $7 billion annually (Agaku et al., 2014).

The results of this study contributed to the general understanding of factors associated with social engineering awareness. Findings presented in Chapter 4 indicated that the individual security factors of end-users’ self-efficacy, attitude, and normative beliefs were the strongest predictors of social engineering awareness among the research sample. This new knowledge contributes to the business technical problem by indicating the importance of focusing on these individual factors in any attempts to increase social engineering awareness. Researchers should note that, because this present study was cross-sectional, it is not possible to draw any firm conclusions regarding causal relationships among the variables. Thus, it is possible that the association between individual factors and social engineering awareness is not a causal one, and that improving the former would not necessarily result in an improvement in the latter. However, the results of this study suggest that focusing on individual factors may be a fruitful direction for IT managers hoping to improve employees' awareness of social engineering threats.

Conversely, this study did not reveal a statistically significant relationship between social engineering awareness and the organizational security factors of transformational leadership and information security culture. This finding supports the opinions of scholars who believe that a focus on the “human element” is crucial to preventing social engineering attacks (Indrajit, 2017; Narain Singh et al., 2014; Nishani & Biba, 2016). Although the theoretical framework of this study suggests that organizational factors are also important, the lack of association in this study contributes to the business technical problem by reinforcing the importance of interventions and management techniques targeting the individual level.

Finally, and perhaps most importantly, this study is one of the few existing studies to focus on social engineering awareness as an outcome variable, and one of the few studies to focus on the healthcare industry specifically. This is an essential contribution to the business technical problem because it arms healthcare IT managers with new knowledge pertaining specifically to healthcare environments. Although it is reasonable to assume that much of the existing knowledge on data breach prevention applies across industries, there may be differences in the importance of various factors depending on the specific work environment. Thus, by focusing on social engineering awareness in healthcare specifically, this study provides new knowledge that can help healthcare IT managers address the costly occurrence of data breaches in the industry.

Recommendations for Further Research

The results of this study illuminate several critical areas where further research can benefit scholars and practitioners. First, in its examination of organizational security factors, this study relied on self-reported data from end-users in the healthcare industry. Although end-users' perceptions of organizational culture are essential, their reports could be subject to biases and inaccuracies, which could have influenced the outcomes of this study. Therefore, the researcher recommends further research utilizing direct observation of organizational security culture by trained observers, in order to achieve a more objective understanding of how organizational security factors, including security culture and transformational leadership, could influence social engineering awareness.

Second, this study assumes, based on existing research (Bullée et al., 2015a), that social engineering awareness leads to decreased incidence of social engineering attacks. However, research on the correlation between awareness and attack susceptibility is still in its infancy. It is possible, therefore, that end-users with strong social engineering awareness could still fall victim to carefully constructed social engineering attacks. The researcher recommends that, in the future, researchers focus on actual social engineering attack rates at various organizations, determining the factors that lead to positive data security outcomes. Awareness should still be included as an essential variable in models of data security outcomes, but an emphasis on outcomes can help elucidate the value of working to improve awareness among employees.

Finally, this present study was non-experimental, and the researcher did not test the efficacy of any interventions or other investments aimed at improving social engineering awareness. Therefore, it is not known whether investments based on the results of this study would have the intended effect of improving social engineering awareness among healthcare end-users. Future longitudinal or experimental research should be conducted to determine whether, if at all, interventions targeting individual factors and information security awareness factors (both of which were significantly related to social engineering awareness in the present study) achieve the desired effect.

Conclusions

In the healthcare industry, data breaches are not only costly from a monetary point of view but can have detrimental effects on the patients whose sensitive health information is stored in healthcare databases (Agaku et al., 2014). Stolen healthcare data are worth more on the black market than other types of stolen information (Ablon & Libicki, 2015). Taken together, these facts highlight the potentially explosive nature of the problem of information security breaches in the healthcare industry. It is therefore essential to energetically research the factors that contribute to preventing data breaches in the industry.

This study represents an attempt to address the research need by investigating whether organizational security factors (i.e., transformational leadership and information security culture), information security awareness factors (i.e., general information security awareness and information security policy awareness), and individual security factors (i.e., end-users’ self-efficacy, attitude, and normative beliefs) predict the level of social engineering awareness among healthcare end-users in healthcare organizations in the continental United States. The study was guided by a theoretical framework consisting of transformational leadership theory, organizational security culture, and the theory of planned behavior. Data from a total of 113 participants, all employed in the healthcare industry, were analyzed to determine the extent to which each of the antecedent variables predicted social engineering awareness in the sample.

The results of this study indicated that individual factors and information security awareness factors were both statistically significant predictors of social engineering awareness. This finding corroborated past research (e.g., Alkhamis & Renaud, 2016; Bullée et al., 2015a; Crossler et al., 2013; Narain Singh et al., 2014; Rocha Flores & Ekstedt, 2016). However, no significant association was found between social engineering awareness and organizational security factors. Although this finding supported the opinions of those who emphasize the “human factor” in organizational security, it contradicted previous research indicating the importance of organizational factors (e.g., Humaidi & Balakrishnan, 2015; Lim et al., 2012; Rocha Flores & Ekstedt, 2016). One potential explanation for this surprising finding is that the study relied on end-users’ self-reports, rather than direct observation, to assess organizational security factors.

This study was one of the only existing studies to focus specifically on the healthcare industry and to use social engineering awareness as an outcome variable. These facts indicate that the study contributes to the existing body of knowledge. If healthcare IT managers are to address the costly and potentially dangerous occurrence of data breaches, especially those owing to insidious methods like social engineering, they must pay attention to the individual factors (self-efficacy, normative beliefs, and attitudes) that have routinely been shown to promote positive security outcomes.

REFERENCES

Abawajy, J. (2014). User preference of cyber security awareness delivery methods. Behaviour & Information Technology, 33(3), 236-247. doi:10.1080/0144929X.2012.708787

Ablon, L., & Libicki, M. (2015). Hackers' bazaar: The markets for cybercrime tools and stolen data. Defense Counsel Journal, 82(2), 143-152. doi:10.12690/0161-8202-82.2.143

Agaku, I. T., Adisa, A. O., Ayo-Yusuf, O. A., & Connolly, G. N. (2014). Concern about security and privacy, and perceived control over collection and use of health information are related to withholding of health information from healthcare providers. Journal of the American Medical Informatics Association, 21(2), 374-378. doi:10.1136/amiajnl-2013-002079

Ahmad, A., Maynard, S. B., & Park, S. (2014). Information security strategies: Towards an organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), 357-370. doi:10.1007/s10845-012-0683-0

Ajzen, I. (2011). The theory of planned behaviour: Reactions and reflections. Psychology & Health, 26(9), 1113-1127. doi:10.1080/08870446.2011.613995

Ajzen, I. (2015). The theory of planned behaviour is alive and well, and not ready to retire: A commentary on Sniehotta, Presseau, and Araújo-Soares. Health Psychology Review, 9(2), 131-137. doi:10.1080/17437199.2014.883474

Ajzen, I., & Fishbein, M. (1980). Understanding attitudes and predicting social behavior. Englewood Cliffs, NJ: Prentice Hall.

AlHogail, A. (2015). Design and validation of information security culture framework. Computers in Human Behavior, 49(1), 567-575. doi:10.1016/j.chb.2015.03.054

AlHogail, A., & Mirza, A. (2014). Information security culture: A definition and a literature review. 2014 World Congress on Computer Applications and Information Systems (WCCAIS) (pp. 1-7). IEEE. doi:10.1109/WCCAIS.2014.6916579

Alkhamis, E., & Renaud, K. (2016). The design and evaluation of an interactive social engineering training programme. In N. Clarke & S. Furnell (Eds.), Proceedings of the Tenth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2016) (pp. 125-134). Raleigh, NC: Lulu Press.

Angst, C. M., Block, E. S., D’Arcy, J., & Kelley, K. (2017). When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly, 41(3), 893-A8. Retrieved from https://www.misq.org

Armitage, C. J., & Conner, M. (2001). Efficacy of the theory of planned behaviour: A meta-analytic review. British Journal of Social Psychology, 40(4), 471-499. doi:10.1111/etap.12056

Avolio, B. J., & Bass, B. M. (1995). Individual consideration viewed at multiple levels of analysis: A multi-level framework for examining the diffusion of transformational leadership. The Leadership Quarterly, 6(2), 199-218. doi:10.1016/1048-9843(95)90035-7

Awang, Z., Afthanorhan, A., & Mamat, M. (2016). The Likert scale analysis using parametric based structural equation modeling (SEM). Computational Methods in Social Sciences, 4(1), 13-21. Retrieved from http://cmss.univnt.ro/

Aytes, K., & Connolly, T. (2004). Computer security and risky computing practices: A rational choice perspective. Journal of Organizational and End User Computing, 16(3), 22-40. Retrieved from https://www.igi-global.com/

Barling, J., Slater, F., & Kelloway, E. K. (2000). Transformational leadership and emotional intelligence: An exploratory study. Leadership & Organization Development Journal, 21(3), 157-161. Retrieved from https://www.emeraldinsight.com/journal/lodj

Bass, B. M. (1998). Transformational leadership: Industrial, military, and educational impact. Mahwah, NJ: Lawrence Erlbaum Associates.

Bhatnagar, N., Madden, H., & Levy, Y. (2016). Initial empirical testing of potential factors contributing to patient use of secure medical teleconferencing. The Journal of Computer Information Systems, 57(1), 89-95. doi:10.1080/08874417.2016.1181504

Bullée, J. W. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. H. (2015a). The persuasion and security awareness experiment: Reducing the success of social engineering attacks. Journal of Experimental Criminology, 11(1), 97-115. doi:10.1007/s11292-014-9222-7

Bullée, J. W. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. H. (2015b). Regression nodes: Extending attack trees with data from social sciences. In Socio-Technical Aspects in Security and Trust (STAST), 2015 Workshop (pp. 17-23). Piscataway, NJ: IEEE.

Burns, A. J., Posey, C., Courtney, J. F., Roberts, T. L., & Nanayakkara, P. (2017). Organizational information security as a complex adaptive system: Insights from three agent-based models. Information Systems Frontiers, 509-524. doi:10.1007/s10796-015-9608-8

Carifio, J., & Perla, R. (2008). Resolving the 50-year debate around using and misusing Likert scales. Medical Education, 42(12), 1150-1152. doi:10.1111/j.1365-2923.2008.03172.x

Chang, S., & Ho, C. B. (2006). Organizational factors to the effectiveness of implementing information security management. Industrial Management & Data Systems, 106(3), 345-361. doi:10.1108/02635570610653498

Choi, D., Kim, D., & Park, S. (2015). A framework for context sensitive risk-based access control in medical information systems. Computational & Mathematical Methods in Medicine, 2015, 1-9. doi:10.1155/2015/265132

Choi, M. (2016). Leadership of information security manager on the effectiveness of information systems security for secure sustainable computing. Sustainability, 8(7), 638-659. doi:10.3390/su8070638

Ciampa, M. (2009). Network security fundamentals. Boston, MA: Cengage.

Clough, J. (2015). Towards a common identity? The harmonisation of identity theft laws. Journal of Financial Crime, 22(4), 492-512. doi:10.1108/JFC-11-2014-0056

Conteh, N. Y., & Schmick, P. J. (2016). Cybersecurity: Risks, vulnerabilities and countermeasures to prevent social engineering attacks. International Journal of Advanced Computer Research, 6(23), 31-38. doi:10.19101/IJACR.2016.623006

Cooper, D. R., & Schindler, P. S. (2014). Business research methods (12th ed.). Boston, MA: McGraw-Hill.

Creswell, J. W., & Creswell, J. D. (2018). Research design: Qualitative, quantitative, and mixed methods approaches (5th ed.). Thousand Oaks, CA: Sage.

Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013). Future directions for behavioral information security research. Computers & Security, 32, 90-101. doi:10.1016/j.cose.2012.09.010

Decker, L. G. (2008). Factors affecting the security awareness of end-users: A survey analysis within institutions of higher learning (Doctoral dissertation). Retrieved from ProQuest Dissertations and Theses database.

Deutskens, E., de Ruyter, K., & Wetzels, M. (2006). An assessment of equivalence between online and mail surveys in service research. Journal of Service Research, 8(4), 346-355. doi:10.1177/1094670506286323

Drevin, L., Kruger, H. A., Bell, A. M., & Steyn, T. (2017). A linguistic approach to information security awareness education in a healthcare environment. In M. Bishop, L. Futcher, N. Miloslavskaya, & M. Theocharidou (Eds.), Information Security Education for a Global Digital Society: Vol. 503. IFIP Advances in Information and Communication Technology (pp. 87-97). doi:10.1007/978-3-319-58553-6_8

Evans, J. R., & Mathur, A. (2005). The value of online surveys. Internet Research, 15(2), 195-219. doi:10.1108/10662240510590360

Fishbein, M. (1967). A behavior theory approach to the relations between beliefs about an object and attitude toward the object. New York, NY: Wiley.

Fishbein, M., & Ajzen, I. (1975). Belief, attitude, intention, and behavior: An introduction to theory and research. Reading, MA: Addison-Wesley.

Gammons, B. (2017, January). 6 must-know cybersecurity statistics for 2017 [Blog post]. Retrieved from https://blog.barkly.com/cyber-security-statistics-2017

Gardner, B., & Thomas, V. (2014). Building an information security awareness program: Defending against social engineering and technical threats. Amsterdam, Netherlands: Elsevier.

George, D., & Mallery, P. (2017). IBM SPSS statistics 23 step by step: A simple guide and reference (14th ed.). New York, NY: Routledge.

Goo, J., Yim, M. S., & Kim, D. J. (2014). A path to successful management of employee security compliance: An empirical study of information security climate. IEEE Transactions on Professional Communication, 57(4), 286-308. doi:10.1109/TPC.2014.2374011

Granello, D. H., & Wheaton, J. E. (2004). Online data collection: Strategies for research. Journal of Counseling and Development, 82(4), 387-393.

Guo, K. H., Yuan, Y., Archer, N. P., & Connelly, C. E. (2011). Understanding nonmalicious security violations in the workplace: A composite behavior model. Journal of Management Information Systems, 28(2), 203-236. doi:10.2753/MIS0742-1222280208

Harris, S. (2010). All in one CISSP exam guide (5th ed.). Noida, India: Tata McGraw-Hill Education.

Hauser, D. M. (2017). Status of social engineering awareness in business organizations and colleges/universities (Doctoral dissertation). Retrieved from ProQuest Dissertations and Theses database.

Healthcare Information and Management Systems Society (HIMSS). (2016). 2016 HIMSS cybersecurity study. Retrieved from http://www.himss.org/sites/himssorg/files/2016-cybersecurity-report.pdf

Herath, T., & Rao, H. R. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 54-165. doi:10.1057/ejis.2009.6

Hoaglin, D. C., & Iglewicz, B. (1987). Fine-tuning some resistant rules for outlier labeling. Journal of the American Statistical Association, 82(400), 1147-1149. doi:10.1080/01621459.1987.10478551

Holbert, D. A. (2013). Factors contributing to security awareness of the end user (Doctoral dissertation). Retrieved from ProQuest Dissertations and Theses database.

Holtfreter, R. E., & Harrington, A. (2015). Data breach trends in the United States. Journal of Financial Crime, 22(2), 242-260. Retrieved from http://www.emeraldinsight.com/journal/jfc

Huang, C. D., Behara, R. S., & Goo, J. (2014). Optimal information security investment in a Healthcare Information Exchange: An economic analysis. Decision Support Systems, 61, 1-11. doi:10.1016/j.dss.2013.10.011

Humaidi, N., & Balakrishnan, V. (2015). Leadership styles and information security compliance behavior: The mediator effect of information security awareness. International Journal of Information and Education Technology, 5(4), 311-318. Retrieved from http://www.ijiet.org/

Hyatt, J. C. (2015). External, internal, and inherent factors affecting end-user security

awareness within institutions of higher learning (Doctoral dissertation). Retrieved from

ProQuest Dissertations and Theses database.

Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the

effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-

79. doi:10.1016/j.im.2013.10.001

Ilves, T. H. (2016). The consequences of cyber attacks. Journal of International Affairs, 70(1),

175-178. Retrieved from https://jia.sipa.columbia.edu/

Indrajit, R. E. (2017). Social engineering framework: Understanding the deception approach to

human element of security. International Journal of Computer Science Issues (IJCSI),

14(2), 8-16. doi:10.20943/01201702.816

116
Junger, M., Montoya, L., & Overink, F. J. (2017). Priming and warnings are not effective to

prevent social engineering attacks. Computers in Human Behavior, 66, 75-87.

doi:10.1016/j.chb.2016.09.012

Kamoun, F., & Nicho, M. (2014). Human and organizational factors of healthcare data breaches:

The Swiss cheese model of data breach causation and prevention. International Journal

of Healthcare Information Systems and Informatics, 9, 42-60.

doi:10.4018./ijhisi.201410103

Kautonen, T., Gelderen, M., & Fink, M. (2015). Robustness of the theory of planned behavior in

predicting entrepreneurial intentions and actions. Entrepreneurship Theory and Practice,

39(3), 655-674. doi:10.1111/etap.12056

Kim, P. (2010). Measuring the effectiveness of information security training: A comparative

analysis of computer-based training and instructor-based training (Doctoral

dissertation). Retrieved from ProQuest Dissertations and Theses database.

Knight, A., & Saxby, S. (2014). Identity crisis: Global challenges of identity protection in a

networked world. Computer Law & Security Report, 30(6), 617-632. doi:10.1108/JFC-

11-2014-0056

Korpela, K. (2015). Improving cyber security awareness and training programs with data

analytics. Information Security Journal: A Global Perspective, 24(1-3), 72-77.

doi:10.1080/19393555.2015.1051676

Kraemer, S., Carayon, P., & Clem, J. (2009). Human and organizational factors in computer and

information security: Pathways to vulnerabilities. Computers & Security, 28(7), 509-520.

doi:10.1016/j.cose.2009.04.006

117
Krombholz, K., Hobel, H., Huber, M., & Weippl, E. (2015). Advanced social engineering

attacks. Journal of Information Security and Applications, 22, 113-122. doi:

10.1016/j.jisa.2014.09.005

Kruger, H. A., & Kearney, W. D. (2006). A prototype for assessing information security

awareness. Computers & Security, 25(4), 289-296. doi:10.1016/j.cose.2006.02.008

Kwon, J., & Johnson, M. E. (2014). Meaningful healthcare security: Does “meaningful-use”

attestation improve information security performance? Workshop on the Economics of

Information Security (WEIS), Penn State University. Retrieved from

http://www.econinfosec.org/

Lacey, D. (2009). Understanding and transforming organizational security culture. Information

Management & Computer Security, 18(1), 4-13. doi:10.1108/09685221011035223

Lebek, B., Guhr, N., & Breitner, M. (2014). Transformational leadership and employees’

information security performance: The mediating role of motivation and climate. Paper

presented at the Thirty Fifth International Conference on Information Systems, Auckland,

New Zealand. Retrieved from https://

https://aisel.aisnet.org/icis2014/proceedings/ISSecurity/21/

Lebek, B., Uffen, J., Breitner, M. H., Neumann, M., & Hohler, B. (2013, January). Employees'

information security awareness and behavior: A literature review. 2014 47th Hawaii

International Conference on System Sciences (HICSS), (pp. 2978-2987). IEEE.

doi:10.1109/HICSS.2013.192

Lee, J., & Lee, Y. (2002). A holistic model of computer abuse within organizations. Information

Management & Computer Security, 10(2/3), 57-63. doi:10.110809685220210424104

118
Lim, J. S., Chang, S., Ahmad, A., & Maynard, S. B. (2012). Towards an organizational culture

framework for information security practices. In G. Manish (Ed.), Strategic and Practical

Approaches for Information Security Governance: Technologies and Applied Solutions,

pp. 296-315. Hershey, PA: IGI Global.

Loughlin, S., Fu, K., Gee, T., Gieras, I., Hoyme, K., Rajagopalan, S. R., …Wirth, A. (2014). A

roundtable discussion: Safeguarding information and resources against emerging

cybersecurity threats. Biomedical Instrumentation & Technology, 48, 8-17.

doi:10.2345/0899-8205-48.s1.8

Lowes, R. (2014, April 28). Stolen HER charts sell for $50 each on black market. Retrieved from

http://www.medscape.com/viewarticle/824192

Lowry, P. B., & Moody, G. D. (2015). Proposing the control‐reactance compliance model

(CRCM) to explain opposing motivations to comply with organisational information

security policies. Information Systems Journal, 25(5), 433-463. doi:10.1111/isj.12043

Mann, I. (2017). Hacking the human: Social engineering techniques and security

countermeasures. New York, NY: Routledge.

McEachan, R., Taylor, N., Harrison, R., Lawton, R., Gardner, P., & Conner, M. (2016). Meta-

analysis of the reasoned action approach (RAA) to understanding health behaviors.

Annals of Behavioral Medicine, 50(4), 592-612. doi:10.1007/s12160-016-9798-4

Mearian, L. (2016, June 30). Hackers are coming for your healthcare records – here’s why.

Retrieved from http://www.computerworld.com/article/3090566/healthcare-it/hackers-

are-coming-for-your-healthcare-records-heres-why.html

Medlin, B. D., Cazier, J. A., Foulk, B. P. (2008). Analyzing the vulnerability of U.S. hospitals to

social engineering attacks: How many of your employees would share their password?

119
International Journal of Information Security and Privacy, 2(3), 71-83.

doi:10.4018/jisp.2008070106

Merkow, M. S., & Breithaupt, J. (2014). Information security: Principles and practices. Upper

Saddle River, NJ: Pearson Education.

Miner, J. B. (2015). Organizational behavior 1: Essential theories of motivation and leadership.

Upper Saddle River, NJ: Routledge.

Mishra, S., Caputo, D. J., Leone, G. J., Kohun, F. G., & Draus, P. J. (2014). The role of

awareness and communications in information security management: A health care

information systems perspective. International Journal of Management & Information

Systems (Online), 18(2), 138-139. doi:10.19030/ijmis.v18i2.8495

Mishra, S., Draus, P., Goreva, N., & Caputo, D. J. (2016). A survey of social engineering

vulnerabilities in health care settings. Issues in Information Systems, 17(1), 178-184.

Retrieved from http://www.iacis.org/

Mohammed, S., & Apeh, E. (2016, December). A model for social engineering awareness

program for schools. In Software, Knowledge, Information Management & Applications

(SKIMA), 2016 10th International Conference on (pp. 392-397). IEEE.

doi:10.1109/SKIMA.2016.7916253

Montaño, D. E., & Kasprzyk, D. (2015). Theory of reasoned action, theory of planned behavior,

and the integrated behavioral model. In K. Glanz, B. K. Rimer, & K. Viswanth (Eds.),

Health Behavior: Theory, Research and Practice (pp. 95-124). Hoboken, NJ: John Wiley

& Sons.

120
Morgan, S. (2016, January 17). Cyber crime costs projected to reach $2 trillion by 2019.

Retrieved from https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-

costs-projected-to-reach-2-trillion-by-2019/#7f0b3b153a91

Mouton, F., Malan, M. M., Kimppa, K. K., & Venter, H. S. (2015). Necessity for ethics in social

engineering research. Computers & Security, 55, 114-127.

doi:10.1016/j.cose.2015.09.001

Narain Singh, A., Gupta, M. P., & Ojha, A. (2014). Identifying factors of “organizational

information security management”. Journal of Enterprise Information Management,

27(5), 644-667. doi:10.1108/JEIM-07-2013-0052

Nishani, L., & Biba, M. (2016). Machine learning for intrusion detection in MANET: A state-of-

the-art survey. Journal of Intelligent Information Systems, 46(2), 391-407.

doi:10.1007/s10844-015-0387-y

North, M., Perryman, D., Burns, S., & North, S. (2010). A comparative study of information

security and ethics awareness in diverse university environments. Consortium for

Computing Sciences in Colleges (JCSC), 25(5), 223-230. Retrieved from

https://www.ccsc.org

O’Brien, R. M. (2007). A caution regarding rules of thumb for variance inflation factors. Quality

& Quantity, 41(5), 673-690. doi:10.1007/s11135-006-9018-6

Okenyi, O. P., & Owens, T. J. (2007). On the anatomy of human hacking. Information Systems

Security, 16(6), 302-314. doi:10.1080/10658980701747237

Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., & Jerram, C. (2014). Determining

employee awareness using the human aspects of information security questionnaire

(HAIS-Q). Computers & Security, 42, 165-176. doi:10.1016/j.cose.2013.12.003

121
Parsons, K. M., Young, E., Butavicius, M. A., McCormac, A., Pattinson, M. R., & Jerram, C.

(2015). The influence of organizational information security culture on information

security decision making. Journal of Cognitive Engineering and Decision Making, 9(2),

117-129. doi:10.1177/1555343415575152

Ponemon Institute. (2016). Sixth annual benchmark study on privacy & security of healthcare

data. Retrieved from http://lpa.idexpertscorp.com/acton/attachment/6200/f-04aa/1/-/-/-/-

Resources%20%20Sixth%20Annual%20Benchmark%20Study%20on%20Privacy%20an

d%20Security%20of%20Healthcare%20Data%20.pdf?sid=TV2:g1ml2lh7d

Raiyn, J. (2014). A survey of cyber attack detection strategies. International Journal of Security

and Its Applications, 8(1), 247-256. doi:10.14257/ijsia.2014.8.1.23

Richardson, R., & North, M. (2017). Ransomware: Evolution, mitigation and prevention.

International Management Review, 13(1), 10-21,101. Retrieved from

http://imrjournal.org

Robbins, S. P., & Judge, T. A. (2008). Organizational behavior (13th ed.). Upper Saddle River,

NJ: Prentice Hall.

Rocha Flores, W., Antonson, E., & Ekstedt, M. (2015). Exploring the link between organizations

behavioral information security governance and employee information security

awareness. In 9th International Symposium on Human Aspects of Information Security &

Assurance. Retrieved from http://www.diva-portal.org

Rocha Flores, W., & Ekstedt, M. (2016). Shaping intention to resist social engineering through

transformational leadership, information security culture and awareness. Computers &

Security, 59, 26-44. doi:10.1016/j.cose.2016.01.004

122
Rocha Flores, W., Holm, H., Nohlberg, M., & Ekstedt, M. (2015). Investigating personal

determinants of phishing and the effect of national culture. Information & Computer

Security, 23(2), 178-199. doi:10.1108/ICS-05-2014-0029

Safa, N. S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T. (2015).

Information security conscious care behaviour formation in organizations. Computers &

Security, 53, 65-78. doi:10.1016/j.cose.2015.05.012

Schein, E. H. (1992). Organizational culture and leadership. San Francisco, CA: Jossey-Bass.

Schwarzer, R. (Ed.). (2014). Self-efficacy: Thought control of action. Boston, MA: Taylor &

Francis.

Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information

security policies: An exploratory field study. Information & Management, 51(2), 217-

224. doi:10.1016/j.im.2013.08.006

Sniehotta, F. F., Presseau, J., & Araújo-Soares, V. (2014). Time to retire the theory of planned

behaviour. Health Psychology Review, 8(1), 1-7. doi:10.1080/17437199.2013.869710

Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more

holistic approach: A literature review. International Journal of Information Management,

36(2), 215-225. doi:10.1016/j.ijinfomgt.2015.11.009

Steckler, A., McLeroy, K. R., Goodman, R. M., Bird, S. T., & McCormick, L. (1992). Toward

integrating qualitative and quantitative methods: An introduction. Health Education and

Behavior, 19(1), 1-8. doi:10.1177/109019819201900101

SurveyMonkey Audience. (2018). [SurveyMonkey Audience market research service home

page]. SurveyMonkey, Inc. San Mateo, CA: SurveyMonkey, Inc. Retrieved from

http://www.surveymonkey.com/mp/audience

123
Svanlund, J., Kronberg, B., & Jeppsson, H. (2015). Social Engineering: A study in awareness

and measures. Lund, Sweden: Lund University Press. Retrieved from

http://lup.lub.lu.se/student-papers/record/5474076

Tavakol, M., & Dennick, R. (2011). Making sense of cronbach’s alpha. International Journal of

Medical Education, 2(1), 53-55. doi:10.5116/ijme.4dfb.8dgd

von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computer

& Security, 38, 97-102. doi:10.1016/j.cose.2013.04.004

Warfield, D. (2012). Critical Infrastructures: IT Security and Threats from Private Sector

Ownership. Information Security Journal: A Global Perspective, 21(3), 127-136.

doi:10.1080/19393555.2011.652289

Webb, T. L., & Sheeran, P. (2006). Does changing behavioral intentions engender behavior

change? A meta-analysis of the experimental evidence. Psychological Bulletin, 132(2),

249-268. doi:10.1037/0033-2909.132.2.249

Wicker, A. W. (1969). Attitudes vs. actions: The relationship of verbal and overt behavioral

responses to attitude objects. Journal of Social Issues, 25, 41-78. doi:10.1111/j.1540-

4560.1969.tb00619.x

Wikman, A. (2006). Reliability, validity and true values in surveys. Social Indicators Research,

78(1), 85–110. doi:10.1007/s11205-005-5372-3

Wolf, M., Haworth, D., & Pietron, L. (2011). Measuring an information security awareness

program. Review of Business Information Systems (RBIS), 15(3), 9-21. Retrieved from

http://www.cluteintiture.com

124
Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of

information security measures: A threat control model and empirical test. Computers in

human behavior, 24(6), 2799-2816. doi:10.1016/j.chb.2008.04.005

Wright, K. B. (2005). Researching Internet-based populations: Advantages and disadvantages of

online survey research, online questionnaire authoring software packages, and web

survey services. Journal of Computer-Mediated Communication, 10(3), JCMC1034.

doi:10.1111/j.1083-6101.2005.tb00259.x

Yang, Y., & Green, S. B. (2011). Coefficient alpha: A reliability coefficient for the 21st century?

Journal of Psychoeducational Assessment, 29(4), 377-392. doi:10.1177/073428291

125
STATEMENT OF ORIGINAL WORK

Academic Honesty Policy

Capella University’s Academic Honesty Policy (3.01.01) holds learners accountable for the
integrity of work they submit, which includes but is not limited to discussion postings,
assignments, comprehensive exams, and the dissertation or capstone project.
Established in the Policy are the expectations for original work, rationale for the policy,
definition of terms that pertain to academic honesty and original work, and disciplinary
consequences of academic dishonesty. Also stated in the Policy is the expectation that learners
will follow APA rules for citing another person’s ideas or works.

The following standards for original work and definition of plagiarism are discussed in the
Policy:
Learners are expected to be the sole authors of their work and to acknowledge the
authorship of others’ work through proper citation and reference. Use of another person’s
ideas, including another learner’s, without proper reference or citation constitutes
plagiarism and academic dishonesty and is prohibited conduct. (p. 1)

Plagiarism is one example of academic dishonesty. Plagiarism is presenting someone
else's ideas or work as your own. Plagiarism also includes copying verbatim or
rephrasing ideas without properly acknowledging the source by author, date, and
publication medium. (p. 2)

Capella University’s Research Misconduct Policy (3.03.06) holds learners accountable for research
integrity. What constitutes research misconduct is discussed in the Policy:
Research misconduct includes but is not limited to falsification, fabrication, plagiarism,
misappropriation, or other practices that seriously deviate from those that are commonly
accepted within the academic community for proposing, conducting, or reviewing
research, or in reporting research results. (p. 1)

Learners failing to abide by these policies are subject to consequences, including but not limited to
dismissal or revocation of the degree.

Statement of Original Work and Signature

I have read, understood, and abided by Capella University’s Academic Honesty Policy (3.01.01)
and Research Misconduct Policy (3.03.06), including Policy Statements, Rationale, and
Definitions.
I attest that this dissertation or capstone project is my own work. Where I have used the ideas or
words of others, I have paraphrased, summarized, or used direct quotes following the guidelines
set forth in the APA Publication Manual.

Learner name
and date Jerry Alsay January 10, 2019

Mentor name
and school Oludotun Oni School of Business and Technology
