The challenges of the human factor in policy implementation: The case of cybersecurity in hospitals

Academic year: 2021

THE CHALLENGES OF THE HUMAN FACTOR IN POLICY IMPLEMENTATION: THE CASE OF CYBER SECURITY IN HOSPITALS

THESIS MSC CRISIS AND SECURITY MANAGEMENT

S1926616 | LINDE GROOTSWAGERS

SUPERVISOR: DR. J. REIJLING | SECOND READER: DR. IR. V. NICULESCU-DINCA

Leiden University - Faculty of Governance and Global Affairs

Acknowledgements

Through this acknowledgement I would like to express my very great appreciation to all the people who put time and effort into assisting me with my research. I would like to offer my special thanks to all the people who were willing to be part of my research, in the form of an interview or as a valuable source of information. My special thanks are extended to Sven Hagedorn in particular for offering his unconditional help in establishing the sources necessary. Assistance provided by Lilian Grootswagers in proofreading was greatly appreciated. Advice given by my supervisor J. Reijling has been a great help in establishing the work presented here. Finally, I would like to give special thanks to V. Niculescu-Dinca for taking the time to second read this research.

Abstract

Society is becoming more digitalised. From day-to-day services to company infrastructures, more services and machinery are being connected to the internet. Such innovation offers great opportunities for industries to develop; however, it comes hand in hand with significant risks. A sector which is increasingly exposed to such risks is the health care sector, and in particular hospitals. The interconnectivity of hospitals has significantly increased over the past few years, establishing new vulnerabilities and threats. Hospitals have proven to be an easy and valuable target for cyberattacks. Within the spectrum of cyber security and cyber resilience, research has outlined that the human factor is often the most challenging factor in maintaining a cyber secure environment. Therefore, the research focuses on establishing to what extent existing policies on cyber security in Dutch hospitals support the human factor as an essential element and, if there are discrepancies, how they can be explained. Results indicate that the human factor is not a very essential element within the policies of hospitals, which can be attributed to the fact that hospitals act according to a strategy more focussed on implementing technical measures to establish a cyber secure environment.

Table of contents

ACKNOWLEDGEMENTS I

ABSTRACT II

TABLE OF CONTENTS III

LIST OF TABLES VI

ACRONYMS VII

CHAPTER 1: INTRODUCTION 1

CHAPTER 2: THEORETICAL FRAMEWORK 5

2.1 THE HUMAN FACTOR AND POLICY IMPLEMENTATION CONCERNING CYBER SECURITY 5

2.1.1 THE HUMAN FACTOR CONCERNING CYBER SECURITY 5

2.1.2 THE HUMAN FACTOR IN POLICY IMPLEMENTATION 6

2.2 CONCEPTS 9

2.2.1 CYBER SECURITY AND CYBER RESILIENCE 9

2.2.2 INFORMATION SECURITY 11

2.3 POLICY BEHAVIOURAL COMPLIANCE THEORETICAL FRAMEWORK 12

CHAPTER 3: METHODOLOGY 17

3.1 DESIGN 17

3.1.1 THE CASE: DUTCH HOSPITALS AND CYBER SECURITY 18

3.2 DATA-COLLECTION 23

3.3 DATA ANALYSES 25

3.4 RELIABILITY AND VALIDITY 29

CHAPTER 4: ANALYSIS 31

4.1 DIFFERENT PERSPECTIVES ON THE HUMAN FACTOR IN CYBER SECURITY 31

4.1.1 THE PERSPECTIVE OF THE GOVERNMENT 31

4.1.2 THE PERSPECTIVE OF HOSPITALS 38

4.1.3 A COMPARISON OF BOTH SIDES 40

4.2 THE THEORETICAL FRAMEWORK OF SECURITY POLICY BEHAVIOURAL COMPLIANCE APPLIED 42

4.2.1 BEHAVIOURAL NORMS 43

4.2.2 ORGANISATIONAL COMMITMENT 44

4.3 THE HUMAN FACTOR IN CYBER SECURITY POLICY OF HOSPITALS 48

CHAPTER 5: CONCLUSION 51

BIBLIOGRAPHY 54

ANNEX I – INTERVIEW QUESTIONS 65

ANNEX II – TRANSCRIBED AND ANALYSED INTERVIEWS 67

ANNEX III – RESULTS INTERVIEW 105

ANNEX IV – CODEBOOK CONTENT ANALYSIS 113

List of Figures

Figure 1 Composite Behavioural Compliance Theoretical Framework (Aurigemma, 2013)

Figure 2 Results Content Analysis on Presence of Hospitals, the Human Factor, and the Human Factor in Hospitals in the perspective of the Dutch Government.

Figure 3 Results Interviews Hospital Employees and Behavioural Intent concerning Cyber Security Policy and Protocol

List of Tables

Table 1 Coding Scheme for Content Analysis Annual Reports on Cyber Security perception of the Netherlands

Table 2 Coding Scheme Interviews based on the Theoretical Framework of Security Policy Behavioural Compliance

Acronyms

CIA triangle Confidentiality, integrity and availability triangle

DoD Department of Defence

EPR Electronic Patient Records

GDT General Deterrence Theory

ICT Information and Communication Technology

IoT Internet of Things

ISMS Information Security Management System

ISO International Standards for Security Management

ISP Information and Security Policy

IT Information Technology

NEN Nederlands Normalisatie Instituut (Dutch Standardization Institute)

NVZ Nederlandse Vereniging van Ziekenhuizen (Association of Dutch Hospitals)

PBC Perceived Behavioural Control

PMT Protection Motivation Theory

RCT Rational Choice Theory

SBT Social Bond Theory

TPB Theory of Planned Behaviour

USB Universal Serial Bus

Chapter 1: Introduction

Society is becoming more digitalised. From day-to-day services to company infrastructures, more services and machinery are being connected to the internet. Such innovation offers great opportunities for industries to develop; however, it comes hand in hand with significant risks. As experts have pointed out, every computer system can in some way be compromised (NCSC, 2016; Symantec, 2014). Such experts emphasise the importance of organisations being cyber secure and resilient, especially in the case of organisations connected to critical infrastructure, where a cyberattack could do significant societal harm. An example of such an organisation is a hospital. Healthcare is continuously evolving, especially in the field of devices and digitising patient records. The interconnectivity of hospitals has significantly increased over the past few years; however, it has proven that such an organisation is also an easy and valuable target for cyberattacks (Arndt, 2018; Abelstein & Goldstein, 2015; Bell & Ebert, 2015; Nationaal Cyber Security Centrum, 2016).

In May 2017 an extensive ransomware attack, also known as the WannaCry virus, affected sixteen hospitals in the United Kingdom. Phone lines were down, emails were inaccessible, patient records could not be opened, schedules were lost, and the connection between the computers and medical equipment was disrupted (Gayle, Topping, Sample, Marsh & Dodd, 2017). The virus, built around a vulnerability in Windows software, took the computer hostage, displaying a message that files would only be unlocked when 300 dollars’ worth of bitcoins were transferred to a certain account. Microsoft had developed a patch to tackle the vulnerability in April 2014; however, even after alerts from NHS Digital and an official warning from the Department of Health and the Cabinet Office, the IT departments of the affected hospitals did not act accordingly (BBC, 2017). The choice not to install the update and not to act on the alerts left the unpatched software of the affected hospitals vulnerable. The virus perfectly demonstrates that hospitals are interesting targets for cyber criminals and that human error can lead to a cyberattack succeeding. The case indicates that hospitals can also be affected even though they are not specifically targeted, as the organisation is becoming more digitalised. Hospitals are becoming more dependent on working software to function properly, such as to open patient records and for regular or surgical equipment to work. It mainly offers an indicative example of how human error can be fatal in the sphere of cyber security, and how important the human factor is in making a company cyber resilient and secure.

The vulnerabilities of such critical infrastructure have moved onto the political agenda as well. The WannaCry virus did not only stir up the debate within the United Kingdom; the political field in other countries was triggered as well. The Netherlands is an example of this. The Dutch government issued several warnings concerning the WannaCry virus, especially focussed on hospitals (Budding, 2017). It is of specific concern to the Dutch government to establish a strong cyber security safety net, as reports show that the Netherlands has one of the most ICT-intensive economies in the world (Verhagen, 2016; Munnichs, Kouw & Kool, 2017). Since then the issue has developed further upon the agenda. Within the 2017 risk report on the cyber security economy, issued by the Dutch Ministry of Security and Justice, hospitals were extensively mentioned, highlighting the strengths and weaknesses of the current systems and organisational structures. The report identified that only 56% of Dutch hospitals meet the norm for information security, and the number of hospitals officially certified on the topic of information security is even lower, at 21%. Data breaches in particular are a serious concern for organisations with a decentralised administrative data flow, such as hospitals (CPB, 2017). An example is a large data leak at the Antoni van Leeuwenhoek hospital, where a hard drive with personal and medical dossiers of up to 800 patients was stolen from a researcher’s car (Brink, 2016). Sixty percent of the questioned hospitals stated they had been hit by some sort of ransomware over the last three years (CPB, 2017). The Authority of Personal Data already concluded in 2016 that patient portals of hospitals lack sufficient security. These concerning numbers have prompted the Dutch government to establish supporting policy for hospitals in the field of creating and maintaining a cyber secure environment.

Within the spectrum of cyber security and cyber resilience, research has outlined that the human factor is often the most challenging factor in maintaining a cyber secure environment (Bowen, Devarajan & Stolfo, 2011; Halevi, Lewis, & Memon, 2013; Kraemer, Carayon, & Clem, 2009; Solms & Niekerk, 2013). This factor is described as the weakest link in the chain when it comes to the cyber security of a company, organisation or government (Abawaij, 2014; Blyth, Koppel & Smith, 2013; Pomenon Institute, 2012; Workman, 2007). A distinct example is the hack on Google in 2010. A Google employee disregarded company protocol and cyber counter-measures by clicking a link in a phishing mail which led to a website that downloaded malware onto the employee’s computer (Leyden, 2010). IBM (2015) indicates in its Cyber Security Intelligence Index that around 95% of information security incidents are due to human error. The Pomenon Institute (2012) marks the employee as the main cause of security leaks, due to negligence or malicious behaviour. Even though the technological development of security has been significantly strengthened over the years, it is still developed and handled by people. This human vulnerability is marked throughout research as the weakest link within the field and has led to annual losses of billions of dollars (Workman, 2007). However, a true calculation of the cost and effect of the human factor is hard to measure, as it is assumed that only a fraction of breaches and security incidents is reported or discovered (Whiteman, 2003).

Reports indicate that within the health sector there is a serious lack of understanding about the cyber domain and its risks and threats, and there are not enough security measures in place to overcome these risks and threats (Munnichs, Kouw & Kool, 2017). The human factor offers a serious challenge, as the government is trying to implement certain norms and policy in order to support the health care sector, and especially hospitals. The presented reports and literature outline that there is often an inconsistency between guidelines and policy developed by the government and other organisations. The top-down approach does not seem to be effective for establishing a cyber secure environment within Dutch hospitals, as the employees are often not educated to the extent necessary to ensure cyber security and cyber resilience within the organisation (CPB, 2017; Munnichs, Kouw & Kool, 2017; Verhagen, 2016).

The human factor connected to cyber security within the implementation of policy and guidelines offers an interesting relationship. It is an upcoming topic on the academic research agenda. Current work mainly focusses on information security; this research expands on this notion by tackling the broader concept of cyber security. Furthermore, the focus on hospitals has increased since the spread of the WannaCry virus. It is of key importance that policies are thoroughly implemented within this sector, as the sector is very appealing to hackers due to its excessive data collection and its relatively weak prevention technologies compared to other industries (Love, 2018; Pieters, 2017). Therefore, the research builds on the following research question: To what extent do existing policies on cyber security in Dutch hospitals support the human factor as an essential element and how can discrepancies be explained? To answer this question the research focuses on the concepts of cyber security, cyber resilience and information security, which are often intertwined. A theoretical framework is established on the basis of established academic literature focussing on the challenges of the human factor which arise while implementing policy. The Security Policy Compliance Framework outlined by Aurigemma (2013) stands at the basis, creating a concrete and tested framework to analyse the human factor in relation to the compliance of people with cyber security policy. Data is collected in a qualitative manner by conducting interviews and analysing policy papers. The research revolves around the sector of Dutch hospitals.

The thesis is structured as follows. First, the established academic field is outlined, and relevant literature is analysed focussing on the concepts of cyber security, cyber resilience and information security. Second, the methodology is set out. Third, the collected data via interviews and policy document analysis is analysed in relation to the outlined theory. Finally, a reflection on the study and study results from a policy and scientific standpoint is offered, leading to recommendations on policy and future research.

Chapter 2: Theoretical Framework

2.1 The Human Factor and Policy Implementation concerning Cyber Security

2.1.1 The Human Factor concerning Cyber Security

The digitalisation process within industries is accelerating over the years, along with the security measures and technologies to protect it. New security protocols and measures are installed annually; however, companies often overlook the fact that human error is the most common cause of data breaches and hacks (Ifinedo, 2012; Kraemer, Carayon & Clem, 2009; Sotira, 2018). Even though the innovation in ICT is increasing every day, the process of development and security still very much involves humans. Cyber security is not only about technical protection and security but even more about the human hand handling these techniques, using the systems, and following the established rules and regulations (Bowen, Devaraian & Stolfo, 2012). This development is one of the main reasons hackers are especially aiming to target people to establish a base for a breach or hack (Safa, Solms & Furnell, 2015). Furthermore, as humans are often the closest to the information hackers want to acquire, it makes them an interesting target. It is even argued that hackers are currently spending more time on exploring the human challenges of cyber security than the technical aspects (Adams & Sasse, 1999; Ashenden, 2008).

Research has identified the effect the human factor can have on security: the factor is of key influence on the success of our efforts to secure and protect companies, services, data and online systems (Metalidou, et al., 2014; Orchesky, 2003). Therefore, humans have more often been classified as a security threat or vulnerability instead of a strength (Solms & Niekerk, 2013). Ignorance, belief and behaviour, and lack of knowledge, awareness and motivation are the main causes of the cyber vulnerability of the human factor (Metalidou, et al., 2014). Examples are, for instance, the use of easy passwords, sticking your username and password on your desktop, sharing your credentials with colleagues, opening mails and downloading unwanted attachments or opening infected links, downloading software from the internet, plugging in unknown USB devices, and so on (Safa, Solms & Furnell, 2015; Safa, Solms & Futcher, 2016). A survey conducted by Cisco Systems revealed that even employees who were aware of the security risks that come with working from a remote station would still show risky behaviour that significantly endangered the company’s system (Panko, 2004). Moreover, a test involving a phishing mail that was designed to look suspicious showed that 37% still clicked on the link provided in the mail (Kruger, Drevin & Steyn, 2007). In a real-life situation this would mean that over one third of the company’s computers would have been infected with malware. These tests and examples show that human intentional or unintentional behaviour is one of the main causes of cyber vulnerabilities.

However, as humans are a key component within the security arena, they have to be protected as well. In order to achieve protection of cyberspace, humans have to become an asset or strength instead of a threat or vulnerability. The human factor should be at the centre of cyber security management and policies, as users are the first and last line of defence and their perceptions are important when establishing a cyber secure environment (Metalidou, et al., 2014; Safa, Solms & Futcher, 2016). Research has outlined that aspects such as commitment to an organisation and people’s own personal values and norms can have a significant influence on decreasing the impact of the human factor (Lee & Kozar, 2005; Ng et al., 2009; Safa, Solms & Furnel, 2015). Such aspects all stand in relation to the main influencer of the impact of the human factor, which is human behaviour. Many researchers come to the same conclusion: the cyber security of an organisation lies in the hands of the behaviour of its employees (Panko, 2009; Siponen, 2005; Stanton, Stam, Mastrangelo & Jolton, 2005; Vroom & Solms, 2004; Workman, 2007). An international survey even noted that almost 40% of IT professionals place the threat coming from their own employees above the threat from outsiders (Cisco, 2008). In order to reduce the risk of the human factor, organisations should focus on influencing their employees’ behaviour, steering it in a cyber secure direction and away from counterproductive behaviour. The topic should be high on everyone’s agenda, as the risk concerning the human factor in the field of cyber security is present regardless of the type or size of a company (Aurigemma, 2013).

2.1.2 The Human Factor in Policy Implementation

Implementation is a very hybrid concept which adapts to the cultural and institutional setting (Paudel, 2009). Policy implementation focuses on the goal of having individuals, groups or society as a whole adapt to certain objectives as outlined in an official document (Mazmanian & Sabatier, 1983). Furthermore, more recent theories outline policy implementation simply as how policies are put into effect by the government (Howlett & Ramesh, 2003; O’Toole, 2003). Researchers have outlined different factors which are needed to effectively implement a policy, such as clearly specified objectives, statutes’ directives, success indicators, planning, control and specification (Elmore, 1978; Giacchino & Kakabadse, 2003; Hill & Hupe, 2002; Howlett & Ramesh, 2003). The research specifically focuses on the aspect of altering social behaviour through public policy, therefore incorporating the human factor and the human aspect in the success of policy

Research has indicated that implementing policies concerning security is an effective and efficient approach to changing employees’ behaviour towards security threats and issues (Crossler et al., 2013; Son, 2011). However, other studies argue that security policies are necessary but doubt their effectiveness, due to the human factor (Ashenden, 2008; Aurigemma, 2013; Safa, Solms & Furnell, 2015; Safa, Solms & Futcher, 2016; Vance et al., 2012). Even though research has proven that the human factor has a significant influence on the success or failure of securing an organisation, organisations are often still lacking in tackling the problem within their security policies (Ashenden, 2008; Li et al., 2010; Stanton et al., 2005; Webb et al., 2014). When establishing security policy it is important to take into account that besides the identity individuals have within the organisation, they also have a personal and social identity, and all three affect their eventual behaviour (Ashenden, 2008). Persons often fulfil several roles within an organisation, the one they are paid to fulfil and the one which aligns with their personal and social perceptions; both shape the organisational culture and a person’s willingness to comply with certain policies (Ashenden, 2008). Unfortunately, the human factor is very unpredictable, which creates a major challenge when implementing policy.

The literature builds on multiple theories and aspects in order to analyse behavioural compliance of employees concerning security policies. A recurring aspect is the attitude of the employee in relation to behavioural compliance with existing policies. The sharing of knowledge, collaboration, intervention and experience all affect the attitude of the employee towards compliant behaviour (Safa, Solms & Furnell, 2015). These factors all come from the Involvement Theory. This theory focuses on the level of energy, time and participation someone has invested in a certain activity or policy. When a person has spent significant energy, time and participation on items concerning security policy, he or she is less likely to show behaviour which deviates from the rules and regulations outlined within the policy (Lee et al., 2004; Safa, Solms & Furnell, 2015). Another theory is the Social Bond Theory (SBT), which argues that if an employee feels a high level of attachment or commitment to the organisation, one is less likely to show behaviour of non-compliance towards existing policies (Chapple et al., 2005; Cheng et al., 2013; Hirschi, 1969; Ifinedo, 2014). The main elements focus on the level of attachment to the organisation, the level of involvement concerning the organisation, the level of commitment to the organisation, and someone’s personal norms and values.

Another well-established theory in the field is the General Deterrence Theory (GDT). This theory is fundamentally based on the cost-benefit analysis people make when deciding whether or not to commit a crime. This line of thinking works the same for complying with established security policy. Within this theory the sanction effect plays a significant role, as this is the cost that can influence whether you decide to do something or not (Straub & Welke, 1998). The Rational Choice Theory (RCT) follows a similar line of argumentation, as it argues that behaviour is determined by weighing the costs and benefits of the different options available. From a security policy perspective, compliance behaviour can be influenced by weighing the effort it will cost you to protect and the cost of this effort (Workman et al, 2008). A person outlines his or her perceived benefit of compliance, cost of compliance, and cost of non-compliance, to make a well-balanced decision to comply or not. The cost-benefit analysis is believed to be a good indicator for establishing contributors to attitude (Bulgurcu, 2010; Herath & Rao, 2009a; Workman et al., 2008).

Moreover, there is the Protection Motivation Theory (PMT), which is built around two processes: the process of threat assessment and the process of coping appraisal. This theory can be compared with GDT and RCT, as here too the person involved assesses the threat or risks to make a decision, but on the basis of fear in relation to the action needed. The decision is thus based on a different indicator, fear, instead of weighing costs and benefits. When developing the threat assessment people take into account three variables. First, perceived severity, which means a person will change his or her behaviour when his or her perception of the threat is significant. For instance, when someone knows that opening a phishing mail and clicking the link will spread a harmful virus, they are less likely to open it and click the link. Second, perceived vulnerability, which is the perception a person has that he or she can become a victim or encounter a threat (Johnston & Warkentin, 2010; Workman et al., 2008). Third, perceived response efficacy, which focuses on the perception of the employee of the effectiveness of the response outlined in the policy to the threat. When an employee feels the response is insufficient, he or she is less likely to follow protocol.

The final theory is the Theory of Planned Behaviour (TPB). This is one of the most prominently used theories when analysing behavioural compliance with security policies. TPB builds on three elements which influence human behaviour: (1) subjective norms, (2) attitude towards the behaviour, and (3) perceived behavioural control (PBC) (Ajzen, 1991). The overall argumentation focuses on a person’s intentional behaviour, which is outlined to be based on a relationship between the favourability of that person’s beliefs towards security action, the control someone has over those actions, and his or her intention to comply. The more favourable someone is and the more control the person thinks they have, the more likely it is that someone will comply with the policies implemented (Zhang et al., 2009).

This research is based on the composed Theory of Planned Behaviour (TPB) as provided by Aurigemma (2013). In his work a new theoretical framework is developed and tested concerning employee behaviour towards ISP compliance. It is a well-argued mix of the theories outlined above, as all theories offer significant indicators for researching the human factor in security policy compliance and show many overlapping concepts. The composed theory addresses the current weaknesses of the already established theories. It is mainly based on the work of Taylor and Todd (1995) concerning TPB, in coordination with other theories analysing factors influencing behavioural compliance. Aurigemma (2013) concludes in his work that the framework provided is significant when analysing indicators influencing compliance behaviour of humans. The theoretical framework is further developed at the end of this chapter, in the section ‘Policy Behavioural Compliance Theoretical Framework’.

2.2. Concepts

2.2.1 Cyber Security and Cyber Resilience

The research focuses on the concepts of cyber security and cyber resilience. Cyber security and resilience are interconnected, and resilience is needed to achieve cyber security (Conklin & Shoemaker, 2017). As indicated by Conklin and Shoemaker (2017), cyber security focuses more on the unauthorized access of a certain system, the prevention of such attacks, and an effective counter response. In short, cyber security can be defined as the protection of cyberspace in general. This involves online and electronic information, the ICT structures and systems, but also the users who are working within this cyberspace and their personal, societal and national interests and capacities (Solms & Niekerk, 2013). Cyber resilience relates to the security architecture of an organisation. To be cyber resilient the architecture should ensure the continuation of the core operation of the organisation when under attack. It aims to secure the assets that are key to the functioning of the organisation and should never be lost. Academic research often focuses on the resilience of an organisation against cyberattacks in relation to cyber security (Cyber Security Raad, 2018; Bell & Ebert, 2015; Martin, Martin, Hankin, Darzi, & Kinross, 2017; NCSC, 2016; Symantec, 2014a).

Cyber security and cyber resilience are prominent within the literature concerning all sorts of organisations. As society and the economy are becoming increasingly digitalised, new risks emerge within this innovating field. Many authors and expert organisations are aiming to identify characteristics which can be highlighted as necessary for establishing a secure environment within an organisation. All agree that appropriate measures are needed to establish cyber security and to keep critical infrastructure safe. However, the mechanisms to do so can differ, and the emphasis on certain measures depends on the situation and climate. A main driver within all works is the importance of the identification of threats and an organisation’s own vulnerabilities (Conklin & Shoemaker, 2017; Martin, Martin, Hankin, Darzi, & Kinross, 2017; Symantec, 2014; Gunnink, 2016). It is important that organisations cooperate to communicate on common threats and software vulnerabilities (Chan, van Not, & Lugo, 2017; Cyber Security Raad, 2018). Another mutual aspect within the literature is awareness and education among all the levels within the organisation. Board members should have a basic level of knowledge on cyber security and cyber threats, as should the regular employee within the organisation. All levels need to be aware of the risks and know their own vulnerabilities, as cyberattacks can occur anywhere within the organisation, especially because the human factor is one of the main factors which can cause a cyber breach or attack to take place (Bell & Ebert, 2015; Colwill, 2009).

Furthermore, the literature also indicates more practical tips and tricks that can be applied to ensure a safe cyber space within organisations. Examples are, for instance, regular software updates, establishing firewalls and internet gateways, and detecting and responding to known vulnerabilities (Conklin & Shoemaker, 2017; NCSC, 2016; Symantec, 2014; Symantec, 2014a). Another recurring aspect is the development of policy and protocol concerning a cyberattack and the prevention of a cyberattack. The literature proposes different approaches and policies needed. A recurring concept is removable media controls: preventing infected removable media, such as USB sticks, from being introduced into the organisation’s system. An organisation should develop policy and strict rules concerning this topic to make sure no one can just walk in and infect the entire system. This indicator relates to education, as the rules and regulations should be clearly communicated to the personnel, who should be educated to assure the policy is implemented effectively. Furthermore, password policies and user privileges are key policies to look at within an organisation, as they are simple and can reduce risks significantly. Finally, many authors highlight the need for effective incident management (Conklin & Shoemaker, 2017; Martin, Martin, Hankin, Darzi, & Kinross, 2017; NCSC, 2016). Whenever an attack does occur there should be a protocol in place on what to do. Such a plan or protocol should indicate the steps which need to be taken in order to overcome or counter the attack. Moreover, a clear communication plan can be key, for internal as well as external communication, such as informing the people affected by the attack, like patients or customers (Cyber Security Raad, 2018; Gunnink, 2016). An organisation needs to take an attack as a lesson and be flexible about changing policy in line with the lessons learned. In conclusion, the aim of making an organisation cyber secure and resilient should be to assure that the critical systems are able to run even during a cyberattack. This is the key message that needs to be taken into account with any measure or step taken.

2.2.2 Information Security

The concepts of cyber and information security are often used interchangeably. Security in both cases is about protection against vulnerabilities, and the process focuses on establishing, selecting and implementing security controls and policies to reduce existing risks (Farn et al., 2004; Gerber & Solms, 2005). Even though there is extensive overlap, there are some differences as well. Solms and Niekerk (2013) state that the main difference is that cyber security covers a greater spectrum and moves beyond the traditional definition of information security by including the human aspect. With cyber security it is not only about the protection of systems and information but also of the people using the cyber domain. Information security does take the human factor into account, but mainly as a role within the security process. Cyber security marks the human factor as a potential target and even initiator of a cyberattack, knowingly or unknowingly.

Within the literature information security is mostly outlined via the CIA triangle. This means that the aim is to ensure the confidentiality, integrity and availability of information (Solms & Niekerk, 2013). Confidentiality implies that there is a restriction on who has access to information, making sure that information can only be viewed by authorised entities. Integrity means that the content of information cannot be altered or corrupted. Finally, availability means that information is present and available when necessary for providing a service. Information can be present in any form, from printed or written paper to electronic archives, films, recordings, and so on. Information security is often regarded as a process and not a product, of which ICT is only a component. Within the concept ICT is seen as an infrastructure that stores and distributes information, and therefore needs to be secured. Over the years, studies have expanded the concept with more factors that need to be protected as well. Examples are accuracy, authenticity, utility and possession by Whitman and Mattord (2009), or accountability and privacy by Yskout et al. (2008). Furthermore, information security has grown out of only being seen as something technical and IT related and has engaged in a broader business spectrum: the protection of all the information in all shapes and sizes within an organisation (Ashenden, 2008; Solms & Niekerk, 2013). Information security has become a real business benefit, expanding from the concept of only protecting confidentiality, integrity and availability. It now also focuses on the threat environment and on managing the risks related to information and the dynamics of the security environment.

This research shall focus on the expanded notion of cyber security rather than information security. However, as much of the available literature is still based on the notion of information security and the theoretical framework revolves around this concept, the term cyber security will be used in a way that includes and acknowledges the notion of information security. Furthermore, information security policies are often the policies in place that also cover the cyber security spectrum, as not many hospitals have a specific cyber security policy in place. The research adds to the existing literature by expanding existing theory on information security to the broader concept of cyber security, as this concept includes the human factor more extensively and aims to secure this aspect as well.

2.3 Policy Behavioural Compliance Theoretical Framework

The composed theoretical framework outlines the factors that influence an employee’s behavioural intent to comply with certain policies, in this case cyber and information security policies. Aurigemma (2013) developed and tested the composed framework within his work, validating it by applying it in an organisational context with well-established information security policies at the US Department of Defense (DoD). He concluded that the composed framework offers a valid framework to test behavioural compliance. Academics have acknowledged that research into the theory of behavioural compliance can help organisations to establish a better focus on tackling the risks coming from the human factor and to direct behaviour in the direction of the policy (Ajzen, 1991; Bulgurcu, 2010; Herath & Rao, 2009; Johnson & Warkentin, 2010; Zhang et al., 2009). Therefore, this research uses behavioural compliance theory in the form of an established Policy Behavioural Compliance Theoretical Framework to answer whether security policies tackle the risks of human behaviour within their policy implementation and, if not, where the current status is lacking.

The framework is developed around the basis of the Theory of Planned Behaviour (TPB). This theory is most often used in research on behavioural compliance and intent, and it focuses on the link between intent and actual behaviour (Ajzen, 2001; Armitage & Conner, 2001; Zhang et al., 2009). Intention is led by subjective norms, attitude towards the behaviour, and perceived behavioural control (PBC) (Ajzen, 2002). These aspects are also present in the General Deterrence Theory, the Theory of Reasoned Action and the Protection Motivation Theory. Research has been done on the effectiveness of TPB in predicting actual behaviour from behavioural intent, which concluded that it is an effective theory to test behavioural intention (Ajzen, 1991; Armitage & Conner, 2002; Blue, 1995; Conner & Sparks, 2005). Decomposing this established theory has the advantage that it is able to present the variety of dimensions within the spectrum of behavioural compliance research, and it more clearly highlights the factors that impact the behavioural intent and compliance of an employee (Aurigemma, 2013).

The composed framework identifies four main factors that have an effect on the behavioural intent of employees; two of those four factors are composed of sub-factors that influence the main factor, which in turn influences the behaviour (see Figure 1). The first factor, Subjective Norms, focuses on the influence of social pressure. It is argued that when an employee knows that his or her co-workers, peers, managers, and so on expect compliance with the implemented policies, he or she is more likely to act in accordance with those security policies and the actions required. The employee feels the social pressure coming from the others, based on their beliefs and expectations.

The second factor is Behavioural Control, which focuses on the unintentional or unwilling aspects that are present in all forms of behaviour (Ajzen, 2002). These aspects are the ones that, in a person’s perception, ease or hinder the ability to perform in the correct manner (Aurigemma, 2013). This factor is influenced by two sub-factors: self-efficacy and perceived controllability. Self-efficacy comes from the context of behaviour modification and refers to the belief people have in their own capabilities (Bandura, 1991). It builds on the idea that when someone is self-confident about their own capabilities and skills to comply with the set security policies, they are more likely to act in that manner. However, when they are unsure about their own skill set, this has a negative effect on behavioural compliance. Perceived controllability focuses more on the proactive or reactive status of a person’s behaviour. People have to believe that the security action needed is controllable in order to react at all and show behavioural compliance. Both sub-factors show two different aspects of belief and are required to make a trustworthy prediction of behaviour.

The third main factor is Attitude, specifically the attitude towards compliance. The attitude is influenced by a person’s belief that complying or not complying has certain consequences (Bulgurcu, 2010). In order to steer behaviour towards compliance it is favourable to implement consequences when people are not acting along the lines of the established security policy. Studies have argued that attitude is one of the strongest influencers of behavioural compliance (Aurigemma, 2013; Mahon, Cowan & McCarthy, 2006; Nejad, Wertheim & Greenwood, 2005). This main factor consists of six sub-factors: Sanction Severity, Probability of Sanction, Cost-Benefit Analysis, Threat Severity, Perceived Vulnerability, and Response Efficacy. Firstly, Sanction Severity follows the rationale that when the consequences of non-compliance are severe, people are more likely to comply. The severity has a significant impact on behavioural compliance, as people weigh the consequences against the effort of complying. When the sanctions for non-compliance are severe enough, they will almost always outweigh the effort of complying, increasing behavioural compliance. Secondly, the Probability of a Sanction works hand in hand with its severity. A sanction can be incredibly severe, but when people know that the chance of receiving that sanction is limited, they will still show non-compliance. Therefore, it is important to be consistent in sanctioning and to make an effort to track down non-compliant behaviour. Thirdly, the Cost-Benefit Analysis builds on the same rationale as sanctioning, as people weigh the costs against the benefits when making up their mind to comply or not. Workman et al. (2008) outline that employees are likely to weigh the effort of complying against the cost or consequence of not complying when deciding whether to act in a secure manner. People take three perceptions into account when making their cost-benefit analysis. First, the benefit of compliance: the favourable outcomes that come from complying. Second, the cost of compliance: the unfavourable effort it will take the employee to act accordingly. Third, and finally, the cost of non-compliance, which focuses on the negative consequences of not complying. It is important for an organisation to make the positive consequences outweigh the negative ones, to make sure the attitude towards compliance is favourable. Fourthly, Threat Severity follows the rationale that when a threat is perceived as very severe, a person is more likely to act more cautiously.
An example: knowing that opening a phishing mail and clicking the link can easily mean your bank account is wiped clean makes it less likely that you will open such a mail and click or download anything attached. Fifthly, Perceived Vulnerability focuses on how likely someone feels it is that he or she can become a victim of a breach or has to face a threat concerning cyber security. When this feeling is limited, people will show more risky behaviour, as they feel they cannot become a victim. Finally, Response Efficacy focuses on how effective the prescribed response is believed to be by the person who has to apply it. When they feel it is not effective, they are less likely to follow protocol and implement the required action. All six sub-factors are of importance to the effect of attitude on behavioural intent and compliance.

The fourth main factor is Organisational Commitment, which builds on the notion that an employee’s involvement with and identification with the organisation they are working for influences their behaviour. When an employee feels highly committed to their company, they are less likely to show non-compliant behaviour, as they feel responsible for the safety of the organisation and feel personally affected when something happens to it. Organisational commitment has been academically proven to be a positive addition when measuring behavioural intent and compliance, and therefore it has been included within the framework (Ajzen & Albarracin, 2007; Aurigemma, 2013; Conner & Armitage, 1998; Fishbein, 2008).

Figure 1: Composite Behavioural Compliance Theoretical Framework (Aurigemma, 2013)

[Figure 1 (diagram): Behavioural Norms, Organisational Commitment, Attitude (sub-factors: Sanction Severity, Probability of Sanction, Cost-Benefit Analysis, Threat Severity, Perceived Vulnerability, Response Efficacy) and Perceived Behavioural Control (sub-factors: Self-Efficacy, Perceived Controllability) feed into Behavioural Intent, which leads to Actual Behaviour.]

The study of Aurigemma (2013), however, failed to identify a significant relationship between an employee’s belief in being capable of enforcing the policy, when this includes enforcing it on other employees as well, and their behavioural compliance towards the policy. Aurigemma (2013) points out that this is a gap in the literature which should be addressed in future research. It is especially important to explore for organisations with an environment of status, such as the military and hospitals, as this can have a significant influence on behavioural compliance. Therefore, this research shall try to identify whether there is such a relation by means of interviews. Interviewing opens an opportunity to ask personnel about their perception of this relationship, as the format of such a conversation can offer more detailed insights than the questionnaires used by Aurigemma (2013).

Chapter 3: Methodology

3.1 Design

The research has an explanatory design, focussing on the top-down approach of the risks of cyber security outlined by the government to hospitals and on how the risk analysis is perceived in the workplace. The main focus is on the challenge of the human factor when it comes to cyber security. The research method consists of interviews and the analysis of reports and research presented by the Dutch government. The aim of the research is to outline which challenges are experienced concerning the human factor when making a hospital cyber secure, and how the government’s view on the situation is implemented at the level of hospital employees. Furthermore, the research aims to identify whether the human factor is taken into account when developing a cyber secure and resilient environment, as extensive academic research has shown that the human factor is of utmost importance for the success of security management and even for cyber security in general.

The case of hospitals was chosen because hospitals have been digitalising during the past decade, which has brought the industry great innovation in providing health care, but has also made them vulnerable. Research has shown that hospitals are becoming more likely targets of cyberattacks and that the organisations often do not know how to cope effectively with their vulnerabilities (Chan, van Not, & Lugo, 2017; Coventry & Branley, 2018; Nationaal Cyber Security Centrum, 2016). Even though hospitals are not yet categorised as critical infrastructure in the Netherlands, scholars and experts in the field have indicated that hospitals actually are part of that category and should be treated in that way (Chan, van Not, & Lugo, 2017; European Commission, 2004). Applying the European Guidelines, the Dutch Government decided this year not to add hospitals to the critical infrastructure list, although it was a close call. As the European Guidelines are expanding, hospitals will probably make the list in the upcoming years (Eerste Kamer der Staten-Generaal, 2018). Furthermore, the Dutch Government does acknowledge that the health sector is a vulnerable sector and should be kept under close watch, especially concerning cyber security issues. Hospitals are concerned with the lives of human beings. If a cyberattack were to bring down the power or the computer system, patient lives would be at stake. But even the slightest attack, such as one that only swaps certain medical records, can cause significant damage when it stays unnoticed. The list of possible negative consequences of a successful cyberattack is long.

The research is executed by analysing the collected data by applying the composed theoretical framework on Security Policy Behavioural Compliance as outlined by Aurigemma (2013). The main focus revolves around establishing to what extent the government’s threat assessment is implemented and worked with by the employees of the hospital. This directly shows to what extent the human factor is taken into account when it comes to establishing a cyber secure environment within the hospital sphere. The characteristics outlined by the theory are tested against the data to see to what extent they are present and where the discrepancies are.

3.1.1 The Case: Dutch Hospitals and Cyber Security

The hospitals within the Netherlands are part of the Dutch Health Care System, which consists of a significant diversity of organisations that all play a different role within the system. All identifiable organisations can be subcategorised into seven groups: so-called gatekeepers, insurers, administrative offices, data processors, research institutes, supervisors and health care providers. Hospitals fall within the group of health care providers. The structure of the system obliges all players involved to exchange significant amounts of data, as this is necessary for services such as obtaining insurance and receiving the right and best care. Besides the exchange of data between the different groups, groups also communicate internally among similar organisations. In order to provide healthcare as a service, communication and sharing of data are key.

Organisational Structure

The Netherlands has 120 hospitals that provide general healthcare; this number excludes psychiatric hospitals, one-day-treatment facilities, and hospitals with only outpatient clinics, which account for another 134 (Volksgezondheidenzorg.info, 2018). The organisational structure can differ between hospitals, but there is a common one that applies to most cases. Within this structure, specialists are not employed directly by the hospital itself but are members of a cooperative that is paid by the hospital for the services of the medical specialists. The hospital negotiates with the cooperative to obtain certain services and the prices for these services (Schut & Van de Ven, 2005). Other medical personnel, however, such as nursing staff, basic doctors, and doctors in training, are often directly employed by the hospital itself.

In 2006 the health care system in the Netherlands changed significantly. It moved from public hands to the private company sphere. The not-for-profit insurers changed into private insurers or had to merge with existing private organisations. The private organisations, however, add supplemental insurance. As the health care market was now privatised, insurers were likely to define the price of medical treatments, which had become subject to market forces. This in turn had a significant influence on the position of hospitals and their ability to provide certain treatments. Insurers now decided how many treatments of a certain kind a hospital could provide funded from insurance money. Furthermore, because of such tariffs, insurance companies, and with them consumers in general, were able to compare hospitals on performance and run a cost-benefit analysis to determine how ‘healthy’ a hospital was. This had great influence on whether an insurance company would offer a hospital a contract to supply medical treatments, and it provided the insurers with a stronger negotiating position (Maarse & Ter Meulen, 2006). Since 2006 hospitals have had to be competitive in order to maintain their positions, which means achieving cost reductions to remain interesting for insurers (Boone et al., 2010; Nederlandse Zorgautoriteit, 2011). In addition to the cost reduction incentive, hospitals have become more specialised, as focussing on their strong points offers a stronger competitive position in certain areas of the market. Since this shift in the system, the overall organisation of the health care system has become even more complex.

Rules & Regulations

The complex structure of the overall system, and of hospitals in particular, makes it reasonable to mark this as a vulnerability. Because of the many actors involved, communication and information sharing happen on a daily basis in order to let the sector function properly. In order to tackle the vulnerabilities this structure entails, a set of rules and regulations is in place at the international and national level. The current rules and regulations are mostly concerned with information security, and not directly with cyber security. However, as digitalisation is becoming more prominent, cyber security is increasingly incorporated, indirectly, within existing rules and regulations.

First, on an international level there are the information security management standards of the International Organization for Standardization (ISO). These outline multiple standards on how to have proper information security. The standards are very diverse, from setting requirements for systems used for security to outlining best-practice cases on how to implement the requirements effectively. All standards range between ISO27000 and ISO27799. The main ISO standards concerning the health care sector are ISO27001, ISO27002 and ISO27799. ISO27001 and ISO27002 outline general standards that apply to all organisations, and ISO27799 focuses specifically on the health care sector and how ISO27002 can be implemented in practice. ISO27001 outlines the requirements that are necessary for an information security management system (ISMS). Such a system consists of multiple aspects such as policies, protocols, procedures, and so on. The system allows companies and organisations to monitor and evaluate their own information security system based on their perception of risks. The standard outlines a cycle consisting of four phases: plan, do, check, and act. It all depends on a system of checks and balances. ISO27002 is the code of practice for information security management. It focuses on describing security controls that are implemented within other organisations and that are deemed to be effective. The standard advises that when you implement best-practice controls and adapt them to your organisation’s risk assessment, you are able to work within a secure environment. ISO27799 focuses specifically on the healthcare sector and the implementation of security controls within this sector. It is a version of ISO27002 adapted to the specific situation of organisations related to health.

Second, on the national level, the Dutch government and the Dutch Standardization Institute (NEN) outlined some similar rules. The most applicable ones are NEN7510, NEN7511, NEN7512 and NEN7513. The current version of NEN7510 has been in place since 2011 and is based upon ISO27001 and ISO27799. It obliges every healthcare organisation to have a risk assessment in order to adapt the management system accordingly. NEN7511, published in 2005, distinguishes between the different sizes of health care organisations and the different types of management that are necessary for each. Thirdly, NEN7512 was published, which focuses on regulating the exchange of data between the different parties involved. It classifies information into a certain category, and security measures should be adapted in line with what is necessary for that category. The standard was developed in order to have a basis for trust when exchanging sensitive data. Finally, NEN7513, under development since 2011, establishes the system that records the actions performed on the electronic patient file. It logs every action made within the system, which allows one to retrieve who entered and who made changes within a certain file. Since 2016 the healthcare sector has increasingly cooperated to realise a health-CERT, which focusses more actively on the implementation of NEN7510, NEN7512, and NEN7513, which together aim to help create more control within the area of information security.
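The kind of record-level logging that NEN7513 describes can be illustrated with a small audit log. The block below is an added Python example written for this page; it is neither the thesis author’s material nor a reproduction of the NEN7513 specification, and the entry fields, the four-action vocabulary and the SHA-256 hash chain are assumptions made here. It shows how such a log answers the question of who entered and who changed a given patient record, and why chaining the entries matters: an after-the-fact change to an earlier entry breaks the chain and is reported by verify().

```python
import hashlib
import json

# Added illustration (not the thesis's own material, and not a reproduction of
# the NEN7513 specification): an append-only audit log for actions on
# electronic patient records. Field names, the action vocabulary and the
# SHA-256 hash chain are assumptions made for this example.

GENESIS_HASH = "0" * 64
ALLOWED_ACTIONS = {"read", "create", "update", "delete"}
LOGGED_FIELDS = ("timestamp", "user", "record_id", "action")


def entry_hash(prev_hash: str, fields: dict) -> str:
    """Hash of an entry's fields, bound to the hash of the previous entry."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class PatientRecordAuditLog:
    """In-memory, append-only log: who did what to which record, and when."""

    def __init__(self):
        self._entries = []

    def append(self, timestamp: str, user: str, record_id: str, action: str) -> str:
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unknown action: {action}")
        fields = {"timestamp": timestamp, "user": user,
                  "record_id": record_id, "action": action}
        prev = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        entry = dict(fields, hash=entry_hash(prev, fields))
        self._entries.append(entry)
        return entry["hash"]

    def who_touched(self, record_id: str, actions=None):
        """Answer 'who entered / who changed this record?' as (timestamp, user, action)."""
        return [(e["timestamp"], e["user"], e["action"])
                for e in self._entries
                if e["record_id"] == record_id
                and (actions is None or e["action"] in actions)]

    def verify(self) -> int:
        """Recompute the chain; return the index of the first bad entry, or -1 if intact."""
        prev = GENESIS_HASH
        for i, e in enumerate(self._entries):
            fields = {k: e[k] for k in LOGGED_FIELDS}
            if entry_hash(prev, fields) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def __len__(self):
        return len(self._entries)


def build_sample_log() -> PatientRecordAuditLog:
    """Constructed sample events (fictional users and record ids)."""
    log = PatientRecordAuditLog()
    log.append("2018-03-01T08:00:00Z", "dr.a", "P-0001", "read")
    log.append("2018-03-01T08:05:00Z", "nurse.b", "P-0001", "update")
    log.append("2018-03-01T08:10:00Z", "dr.a", "P-0002", "read")
    log.append("2018-03-01T09:00:00Z", "admin.c", "P-0001", "read")
    return log


def tampering_is_detected() -> bool:
    """Alter an earlier entry after the fact and check that verify() flags it."""
    log = build_sample_log()
    log._entries[1]["user"] = "someone.else"  # re-attribute the update to another user
    return log.verify() == 1


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() == -1)
    print("changes to P-0001:", log.who_touched("P-0001", {"create", "update", "delete"}))
    print("tampering detected:", tampering_is_detected())
```

The chain only makes tampering detectable, it does not prevent it; in a real deployment the entries would go to append-only storage and the latest hash would be anchored outside the reach of the record-keeping application, so that the answer to "who changed this file" can itself be trusted.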

Third, in addition to the standards, the Association of Dutch Hospitals (NVZ) published another method of information security management, as the NVZ deemed the established standards too strict. NVZ published a system in which a hospital can be rated 1 to 4 in order to test information security in the fields of Policy and Organisation, Employees, Physical Space and Equipment, Continuity, and Identification/Authentication/Authorisation. The system is based on only a selection of the standards, but it does require a risk analysis of the hospital.

Digitalisation in Dutch Hospitals

Over the years there has been a significant increase in technology when it comes to the use and protection of information in the healthcare sector. A typical example is the Electronic Patient Record (EPR), which has increasingly been incorporated by many hospitals over the years. Together with the fact that it is becoming more normal for data to be shared between departments within the hospital, but also between hospitals, through digital systems, digitalisation is playing a significant role within the sector. Moreover, the government has even obliged all healthcare providers to start working with electronic medication prescription systems. These developments also expose new risks and vulnerabilities, which require different standards to protect the current information and the system. After research by the Dutch Healthcare Inspectorate, which presented mainly disappointing results, Dutch hospitals came up with an action plan (College Bescherming Persoonsgegevens & Inspectie voor de Gezondheidszorg, 2008), with as its main aim to outsource the audits of hospital information systems in order to check and improve where necessary. The audits of 2010 portrayed a worrying situation, as only 41 out of 92 hospitals scored sufficiently for their information security management (Wirken, 2012). Further research by the Inspectorate revealed that more than half of the hospitals were unable to comply with the standards of the NVZ, leaving their information security vulnerable (Wirken, 2012). For a sector working through an operational chain in which large amounts of information are shared via digital means, and in which the continuity of the organisations is expected to depend upon these systems, it is of utmost importance to make sure that these systems are secure.

Cyber Threats in the Dutch Hospital Sphere

Research and statements from hospitals have highlighted different cyber threats that are common within the hospital sphere in the Netherlands. The most significant threats identified are, for instance, ransomware attacks, hacks, social engineering via phone, phishing mails, and malware infections via so-called drive-by downloads (CPB, 2017; CSBN, 2016; CSBN, 2017). The category of ransomware attacks has grown to become more prominent on the agenda over the years (CSBN, 2016; CSBN, 2017). This type of threat is becoming more popular among cybercriminals, with the main aim of financial benefit, as a hospital will pay the ransom more easily because of its dependency on its digital systems. Within the Netherlands, 25 of the 60 questioned hospitals admitted having experienced a ransomware attack in the past three years (CPB, 2017). The consequences were significant, as there was no access to medical data, and multiple departments within the hospitals had to be closed in order not to put any lives in danger. The government has identified a significant increase during recent years in nationwide phishing operations based on data leaks coming from ransomware attacks executed on hospitals (CSBN, 2016).

Another external threat can be identified as a consequence of the so-called Internet of Things (IoT). Innovation is of key importance in the sector in which hospitals operate; however, this innovation within, for instance, medical equipment and information systems opens a new vulnerability. In order to smooth certain processes and to ease day-to-day work, more equipment and systems are interlinked via digital means. The vulnerability arises from the digital connections that more and more equipment and systems have, better known as the Internet of Things. Hospitals are dependent upon external manufacturers for their equipment and systems. It often remains unclear how secure such imported items are. Manufacturers, for instance, have to be able to maintain and update their product via digital means. In order to provide this service, they install a digital access point; these access points are a main vulnerability and often an easy way in for cybercriminals and hackers (CSBN, 2016; CSBN, 2017). To increase its technical resilience, the healthcare sector has developed the health-CERT. This focuses on organisations taking technical measures to decrease their vulnerabilities. Examples are blocking access to private webmail, a safe system for sharing information, or even collective training focussing on how to identify and cope with cyber threats.

Besides external threats, internal threats or vulnerabilities are increasingly a prominent category within hospital cyber security. Even though organised crime is still seen as the largest threat, internal employees, or the so-called human factor, are marked as a significant vulnerability, as they often leak information, deliberately or not. In 2016 human error and carelessness were identified as the two main vulnerabilities within the health care sector in the arena of cyber security (CSBN, 2016). The sector even admitted that data leaks happen on a day-to-day basis, although not always from a malignant source or done purposely (CSBN, 2016). Besides the human factor being a vulnerability itself, it is also a group that is targeted more often. Phishing mails, for instance, are becoming more sophisticated and often even more personal. Hackers and cybercriminals only need one employee to click a certain link or download a certain file to be able to enter the system; this makes the human factor even more interesting, as it is a large group that is not always alert to these threats. The health sector reported an increase in 2016 in social engineering and other methods of obtaining employee credentials to enter certain systems. This development, noted in a risk analysis by the Dutch government, identifies the human factor as, besides the regular technical flaws, the most important vulnerability. Even if in the technical field a hospital is completely up to date, when an employee clicks on a certain link or downloads an infected file, the malignant hacker or criminal still enters the system.

In conclusion, the healthcare sector, and specifically hospitals, are an interesting case for analysing the human factor within cyber security and its management, as humans are often marked as vulnerable within reports. Additionally, the Netherlands makes it even more interesting, as the country’s digital infrastructure is one of the best in the world. Furthermore, the complex structure of the Dutch health care sector and the role of the hospitals make the Dutch case interesting to analyse in relation to cyber security, due to the many parties involved and the different influencers on hospital policy. Moreover, even though the primary goal of the healthcare sector is the health of the population, the sector is also of substantial economic importance. The expenses of the health sector account for 14% of the gross domestic product. Moreover, the sector simultaneously influences the prosperity and wellbeing of the population. Therefore, it is of utmost importance that this sector focuses on cyber security, especially when it comes to its share in creating and communicating large sets of personal data.

3.2 Data-Collection

In order to collect the relevant data to answer the research question, the research focuses on several data sources. The first method of data collection is the conduct of interviews with carefully selected people within the health sector. The interviews are distributed among two categories. First, at least one policy official or a person in some sort of leadership position related to a Dutch hospital. These people can be a head or a member of the ICT department, of the Quality and Safety department or of a general health department within a hospital. Such people can shed light on the way the topic is on the agenda of the hospital and how security policy and protocols are incorporated at the level of the employees. Furthermore, such interviews can outline which challenges arise when it comes to tackling cyber security issues on the work floor, and what level of knowledge is present in such leadership positions. Second, at least two interviews with a regular employee. The aim is especially to interview people from the nursing staff, whose main task is to take care of the patients. However, hospitals are diverse organisations, and the human factor concerning someone from administration or working in the kitchen can be just as important. Such an interview provides insight into the execution and implementation of policy in a practical sense. These interviews are especially important as they offer a unique insight into the perception and behaviour of people; this creates a concrete basis to test for the factors outlined in the theoretical framework. Furthermore, as the research focuses on the human factor, it is of key importance to incorporate the perspective of the people it concerns. These interviews form the basis of the research, as the employees are the main actors in implementing a cyber secure environment. The questions focus on how cyber security policy is implemented and where employees experience discrepancies. The interviews are used to establish the level of knowledge and to outline the situation among the employees on the subject of cyber security and their own ability to protect the organisation. Furthermore, as direct access to hospital policy documents concerning security is difficult, the interviews are also used to outline which policies are in place and how they are implemented during daily business. The questions established for the different categories of interviewees can be found in Annex I.

The second method of data collection is the analysis of research and reports presented by the Dutch government concerning cyber security in hospitals. These documents are analysed to establish what the government's objectives concerning cyber security are, and they offer a useful basis for testing in the interviews what has been implemented to influence the human factor. The documents consist of the annual national cyber security perception reports over a period of five years, which makes it possible to track whether there have been changes concerning cyber threats within the hospital sphere. The analysis focuses on the appearance of the human factor in these documents, to establish to what extent it is of importance when the government outlines advice and warnings to hospitals concerning cyber security. In addition, the presence of the healthcare sector, and specifically hospitals, is analysed to establish which threats they face and to what extent they are marked as vulnerable.

Both methods complement each other: the government's annual reports may tell one story while an interview may sketch a different reality. Comparing both sources allows for an analysis of the researched, existing threat and of how it is reflected in practice. The analysis tries to establish to what extent hospital employees share the risk perception the government deems necessary.


3.3 Data Analysis

The data analysis is based on the framework outlined in Chapter 2. For the interviews, the analysis focuses on identifying the factors influencing behavioural compliance: which indicators are present at the level of the employees, and which of them employees perceive, from their personal perspective, as the most challenging and the most common. The focus is mainly put on the employees, as they represent the human factor within cyber security and are the ones who execute policy. The analysis of the annual reports focuses more on establishing the presence of the human factor in the governmental perspective. Furthermore, it is used to identify to what extent the human factor is presented at the level of hospitals and what the government's advice concerning this topic is.

To analyse the cyber security perception reports, the method of content analysis is applied. The unit of analysis is the sentence; sentences are categorised following the coding scheme presented in Table 1. Content analysis is used to establish to what extent hospitals are present in relation to cyber security and to what extent the human factor is present as a vulnerability within this spectrum. The analysis also aims to establish the risk profile of hospitals within cyber security as outlined by governmental research. Applying this method to these documents makes it possible to compare the results from the governmental documents with the data from the interviews, in order to assess to what extent the human factor is taken into account when creating cyber security policy and whether the governmental and hospital perspectives are similar. The content analysis is applied to five documents, which are analysed following the rules set out in the codebook presented in Annex III. The documents are the Cybersecuritybeeld Nederland reports of the years 2014, 2015, 2016, 2017 and 2018. The annual reports are analysed from a dual perspective: one focusing on the presence of hospitals as a sector of interest when it comes to cyber security and on the development of this sector and its interests, the other focusing on the presence of the human factor marked as a vulnerability within the sphere of hospitals. The indicators for both categories consist of synonyms for and descriptions of hospital and human factor, as listed in Table 1. The results are outlined in Chapter 4 and presented in Annex V.


Code A: Hospitals
Definition: The organisation of hospitals or healthcare-providing organisations, brought into context with cyber security threats and vulnerabilities.
Indicators: Hospital (ziekenhuis); Health Sector (zorgsector); Medical (medisch); Health (gezondheid); Patient (patiënt)

Code B: Human Factor
Definition: The human factor is defined as the influence human behaviour has on cyber security. Within this research it is described in relation to hospitals and their cyber security and resilience.
Indicators: Human Factor (menselijke factor); Human Error (menselijke fout); Carelessness (onzorgvuldig, slordig); Employee(s) (medewerker(s)); Successful (Spear) Phishing attack (phishing aanval of hack via phishing); Successful social engineering (succesvolle aanval via social engineering); Internal actors (interne actoren)

Code C: Human Factor within Hospitals
Definition: The human factor within hospitals focuses on the relation between the human influence on cyber security in general, applied to the specific case of hospitals.
Indicators: Human Factor (menselijke factor); Human Error (menselijke fout); Carelessness (onzorgvuldig, slordig); Employee(s) (medewerker(s)); Hospital (ziekenhuis); Health Sector (zorgsector); Medical (medisch); Health (gezondheid); Successful (Spear) Phishing attack (phishing aanval of hack via phishing); Successful social engineering (succesvolle aanval via social engineering); Internal actors (interne actoren)

Table 1: Coding Scheme for Content Analysis of the Annual Reports on the Cyber Security Perception of the Netherlands
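The coding step described above can be made reproducible with a small script. The following Python is an added illustration written for this edition of the text; it is not part of the thesis, its codebook (Annex III) or any tool used by the author. The four Dutch sentences are constructed for illustration and are not taken from the Cybersecuritybeeld Nederland. The script assumes, following the definition of code C, that C is assigned only when a sentence contains both a hospital indicator and a human-factor indicator, and it matches word stems so that inflected forms such as "ziekenhuizen" and "medewerkers" also count.

```python
"""Keyword-based sentence coder for the Table 1 scheme (added illustration)."""
import re
from dataclasses import dataclass

# Indicator stems derived from Table 1. Stems (no trailing word boundary) let
# "ziekenhuizen", "medewerkers" and "patiëntgegevens" match as well.
HOSPITAL_INDICATORS = [
    r"ziekenhui[sz]", r"zorgsector", r"medisch", r"gezondheid", r"pati[eë]nt",
]
HUMAN_FACTOR_INDICATORS = [
    r"menselijke factor", r"menselijke fout", r"onzorgvuldig", r"slordig",
    r"medewerker", r"phishing", r"social engineering", r"interne actor",
]

# Constructed sample text; not a quotation from any CSBN report.
SAMPLE_TEXT = (
    "Ziekenhuizen waren in 2017 doelwit van ransomware. "
    "Menselijke fouten van medewerkers blijven een belangrijke oorzaak van incidenten. "
    "Een succesvolle phishing aanval gaf toegang tot patiëntgegevens van een ziekenhuis. "
    "De energiesector investeert in nieuwe detectiesystemen."
)


def _compile(patterns):
    # \b anchors the stem at the start of a word; re.IGNORECASE handles
    # sentence-initial capitals such as "Ziekenhuizen".
    return [re.compile(r"\b" + p, re.IGNORECASE) for p in patterns]


_HOSPITAL_RX = _compile(HOSPITAL_INDICATORS)
_HUMAN_RX = _compile(HUMAN_FACTOR_INDICATORS)
# Naive splitter: a sentence ends at . ! or ? followed by whitespace.
_SENTENCE_SPLIT = re.compile(r"(?<=[.!?])\s+")


@dataclass
class CodedSentence:
    text: str
    hospital_hits: list
    human_hits: list

    @property
    def codes(self):
        """Codes from Table 1: A = hospital, B = human factor, C = both."""
        codes = []
        if self.hospital_hits:
            codes.append("A")
        if self.human_hits:
            codes.append("B")
        if self.hospital_hits and self.human_hits:
            codes.append("C")
        return codes


def split_sentences(text):
    return [s.strip() for s in _SENTENCE_SPLIT.split(text.strip()) if s.strip()]


def code_sentence(sentence):
    hosp = [m.group(0).lower() for rx in _HOSPITAL_RX for m in rx.finditer(sentence)]
    human = [m.group(0).lower() for rx in _HUMAN_RX for m in rx.finditer(sentence)]
    return CodedSentence(sentence, hosp, human)


def code_document(text):
    """Code every sentence of one report; the sentence is the unit of analysis."""
    return [code_sentence(s) for s in split_sentences(text)]


def tally(coded):
    """Count how many sentences received each code (a sentence may get several)."""
    counts = {"A": 0, "B": 0, "C": 0}
    for cs in coded:
        for c in cs.codes:
            counts[c] += 1
    return counts


if __name__ == "__main__":
    result = code_document(SAMPLE_TEXT)
    for cs in result:
        print(cs.codes, "|", cs.text)
    print(tally(result))
```

The script only produces candidate sentences: "patiënt" or "gezondheid" can occur in a sentence that has nothing to do with cyber security, and the scheme's qualifier "successful" for phishing and social engineering is not checked, so each hit still needs a manual decision against the rules in the codebook. Keeping the matched terms per sentence makes that second pass, and an inter-coder check, easier to document.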
