Employee Perspective on Information Security Related Human Error in Healthcare: Proactive Use of IS-CHEC in Questionnaire Form

The objective of the research was to establish data relating to the underlying causes of human error, which is the most common cause of information security incidents, within a private sector healthcare organization. A survey questionnaire was designed to proactively apply the IS-CHEC information security human reliability analysis (HRA) technique. The IS-CHEC technique questionnaire identified the most likely core human error causes that could result in incidents, their likelihood, the most likely tasks that could be affected, suggested remedial and preventative measures, and the systems or processes that would be likely to be affected by human error, and it established the levels of risk exposure. The survey was operational from 15th November 2018 to 15th December 2018. It achieved a response rate of 65%, which equated to 485 of the 749 people targeted by the research. The research found that, in the case of this particular participating organization, applying the IS-CHEC technique through a questionnaire added beneficial value as an enhancement to a standard approach of holistic risk assessment. The research confirmed that IS-CHEC in questionnaire form can be successfully applied within a private sector healthcare organization, and also that a distributed approach to information security human error assessment can be successfully undertaken in order to add beneficial value. The results of this paper indicate, from the questionnaire responses supplied by employees, that an organizational focus on its people and their working environment can improve information security posture and reduce the likelihood of associated information security incidents through a reduction in human error.
