Your Hospital Needs You: Eliciting Positive Cybersecurity Behaviours from Healthcare Staff

Staff behaviour plays a key role in the cybersecurity position of an organisation. Despite this, behaviour-change interventions are not commonly applied within the field of cybersecurity. Behaviour change techniques could be particularly beneficial given increasing concerns around healthcare cybersecurity risk, particularly following the 2017 WannaCry ransomware attack, which had devastating effects on healthcare services. Cyber-risk is particularly concerning within healthcare given the criticality of medical systems and the potential impacts of a cyberbreach or attack. In worst case scenarios, cybersecurity incidents could result in patient harm or even fatalities. Whilst there has been concerted investment in improving healthcare's technological defences against cyberthreat, the same level of investment has not been made in healthcare staff. This has left staff behaviour as a vulnerability which can be exploited by attackers. This paper introduces a structured approach to help organisations work through four key steps that we refer to as the AIDE approach: Assess, Identify, Develop and Evaluate behaviour change techniques to facilitate more secure behaviour. We include a worked example of how we are applying this approach to the development of interventions to mitigate insecure cybersecurity behaviours in a healthcare context.


Introduction
Cybersecurity in healthcare (HC) traditionally lags behind other fields (Coventry & Branley, 2018) despite increasing concerns around cyberattacks and breaches (Albert, 2019). The WannaCry attack in 2017 is a widely recognised example of the potential consequences of cyberattacks on the HC sector (Scott & Wingfield, 2017). WannaCry was a ransomware attack which affected over 100 countries. Within England, the attack resulted in the cancellation of over 19,000 patient appointments and a substantial financial cost to the National Health Service (National Audit Office, 2018). In addition to financial cost and loss of trust in the service, breaches have the potential to endanger human life (Kam, 2015).
The HC working environment has many characteristics that make behaviour change problematic. Staff are patient-focused, time-pressured, fatigued and stressed (Coventry et al., 2020; Coventry & Branley, 2018; Hall et al., 2017; Hall, Johnson, Watt, Tsipa, & O'Connor, 2016). Work culture can lead to security being overlooked or perceived as a burden, particularly if it is perceived to detract from patient care. The working environment is also prone to regular changes to team structure through rotation of staff members and new intakes of students. With this in mind, we suggest a holistic and dynamic methodological approach to behaviour change. The approach builds upon current theory and existing knowledge, whilst having the ability to evolve to reflect changes in the working environment.

Behaviour Change
There are many theories which identify factors underlying human behaviour. Some of the most widely applied are the Theory of Planned Behaviour (TPB: Ajzen, 1985, 1991), which emphasises the role of attitudes, social norms and perceived control; the Integrated Behaviour Model (IBM: Fishbein, 2008), which expands upon the TPB by including knowledge and skills to perform the behaviour, salience of the behaviour, environmental constraints, and habit; and the Health Belief Model (Akey, Rintamaki, & Kane, 2013; Rosenstock, 1974, 1990) and Protection Motivation Theory (Rogers, 1975), which focus on perceived threats and the effectiveness of coping behaviour. These theories can guide the development of behaviour change interventions. Such interventions are made up of 'observable and replicable components' referred to as Behaviour Change Techniques (BCTs; Michie & Johnston, 2012). BCTs have been successfully applied across a range of domains including health (Turton, Bruidegom, Cardi, Hirsch, & Treasure, 2015), insurance adoption (van Winssen, van Kleef, & van de Ven, 2016) and promotion of environmentally green behaviours (Timlett & Williams, 2008). Despite success in other domains, BCTs have not been widely applied within cybersecurity (see Pfleeger & Caputo, 2012), and particularly not in the HC context. There is no single intervention that will work across all situations; effective change may require multiple levels and types of interventions. Many different BCTs exist, e.g., the Behaviour Change Technique Taxonomy project has identified 93 distinct BCTs (Michie et al., 2013). Due to this complexity, there have been numerous attempts to provide simpler frameworks offering guidance. One widely applied approach is the MINDSPACE approach proposed by the UK's Institute of Government (Dolan, Hallsworth, Halpern, King, & Vlaev, 2010), which draws upon psychological theories, behavioural economics and 'nudge theory'.
Nudging is the process of influencing decision making, and subsequent behaviour, by altering choice architecture or framing (Thaler & Sunstein, 2008). MINDSPACE consists of 9 components; these are summarised in Table 1.

Table 1. The MINDSPACE components

Messenger
…authority of the messenger can influence compliance or trust.

Incentives
We are often motivated by incentives (i.e., perceived rewards). We also tend to be influenced by predictable mental shortcuts (or 'heuristics') such as being loss-averse, i.e., having a strong instinct to avoid losses. Therefore, framing incentives as losses rather than gains can potentially have a stronger effect.

Norms
We are strongly influenced by what others do, or what we perceive them to do. Often we may not be aware that we are being influenced by others.

Defaults
We will often 'go with the flow' of pre-set or offered options, i.e., we will often stick with the default option if one is provided.

Salience
We are more likely to pay attention to something new, easy to understand and relevant to us.

Priming
Our behaviour can be influenced by sub-conscious cues.

Affect
Our emotions shape our decisions; therefore our emotional response to something can shape our actions.

Commitment
We seek to be consistent with our public promises, and reciprocate acts. E.g., if we have made a public commitment, such as an oral or written announcement, that we will do something, we are more likely to do so.

Ego
We prefer to act in ways that make us feel better about ourselves.
Frameworks such as MINDSPACE can help when co-designing interventions with end-users, as they provide a concise framework that does not require extensive exploration of the underlying theory; this is particularly beneficial when end-user time is a limited resource, as is typical in HC. MINDSPACE was subsequently supplemented with EAST (Service et al., 2015), which explores more of the issues with implementation and evaluation of interventions and identifies that successful interventions need to be easy, attractive, social and timely.
It is widely recognised in HC that behaviour change is not easy. One belief is that interventions are often too far removed from the context in which they will be implemented, and from potential barriers to successful implementation (Kelly & Barker, 2016). To address this, we will utilise Normalisation Process Theory (NPT; May & Finch, 2009), which identifies factors that promote and inhibit routine uptake of complex interventions into everyday HC practice. This is an action theory, concentrating on explaining what people do rather than what they believe, and it recognises the need to ensure that interventions are compatible with current clinical practice. NPT stresses the importance of distinguishing how the intervention differs from current processes, how end-users can collectively agree on the purpose of an intervention (and understand what is required of them), and their perceptions of the potential value of the intervention.

The AIDE approach
Although frameworks such as MINDSPACE provide a basis for developing interventions, they require that the researcher is at the stage where development can begin. However, there are two stages preceding this: firstly, there is the need for effective, and accurate, identification of insecure behaviours in the workplace, and secondly there must be adequate identification of the factors driving the behaviours. Without this information, interventions may target the wrong behaviours or fail to address barriers.
Additionally, following the development of the intervention, there is a final stage that needs to be considered: evaluation and refinement.
One existing framework, SCENE (Coventry, Briggs, & Jeske, 2014), encompasses the MINDSPACE framework and addresses many of these issues, i.e., the need for co-creation of nudges, adequate identification of driving factors, and intervention evaluation. However, SCENE is specific to online nudges; it also does not take into account the normalisation process for evaluation, nor the need to view this process as a reactive, ongoing and evolving process. The AIDE approach expands upon this and provides a method to aid researchers, and importantly HC organisations themselves, through four key stages for implementing effective behaviour change interventions (Fig. 1).

Figure 1. The AIDE Approach
This approach also provides the tools to regularly evaluate and refine the interventions to reflect changes in staff, team or organisational structure. This is important as security measures within HC need to be dynamic, realistic and time efficient. Relying upon a singular occurrence of BCT design is inadequate.

Piloting the approach
We are piloting this approach as part of a large EU project (Coventry et al., 2020;PANACEA Research). Here we will detail how we worked through each stage of the AIDE approach up to intervention development, and how we will evaluate and refine these interventions during the final stage of the project. Our research was approved by Northumbria University ethics committee.

Stage 1: Assess
The first stage involves identifying the type of insecure behaviour occurring within the working environment. It is not possible to design an effective intervention without identifying the key behaviours to target. To achieve this within our project, we conducted a set of workshops with staff across three different HC organisations, in three countries (Ireland, Italy and Greece). These workshops included a wide range of staff roles including medical administrators, IT staff, nurses, doctors, surgeons, residents and laboratory technicians. Staff involvement was strictly confidential.
Sessions were conducted face-to-face at the hospital location or remotely via Skype. Each session lasted between 45 and 60 minutes, and included between 2 and 9 staff members. A total of 50 staff took part across the three sites. For those interviewees that could not attend the focus groups (e.g., due to patient emergencies), we collected survey-based responses.
During the sessions, staff were asked to discuss the types of behaviour they see at work that may represent a cybersecurity weakness. The facilitators also asked other open-ended questions to prompt discussion, focusing on the following areas:
- awareness of previous cybersecurity incidents at work;
- the types of cybersecurity risk that staff felt were of most concern;
- the types of data and technology that staff interact with on a daily basis, and their perceived security;
- general awareness of potential cyber-risk and vulnerability to
By involving end-users we were able to identify a list of insecure behaviours and design interventions relevant to the sites in question. Workshop transcripts were analysed using thematic analysis, and we identified seven types of insecure behaviour: poor computer and user account security; unsafe e-mail use; use of USBs and personal devices; remote access and home working; lack of encryption, backups and updates; use of connected medical devices; and poor physical security. This stage of the research is reported in full in Coventry et al. (2020).

Stage 2: Identify
Having identified insecure behaviours occurring in the workplace, the second stage is to identify the factors driving each behaviour. For example, is this behaviour driven by a desire to prioritise speed of patient care? Or perhaps by a lack of awareness? Without this information, interventions are likely to be ineffective (Hedström et al., 2013).
Previous research has identified a range of factors that can drive insecure behaviour, such as perceived self-efficacy, security attitudes, external influences and threat evaluation (Blythe, 2013). It is also important to acknowledge that many insecure behaviours have been found to be instrumental, reasoned and conducted as a means to an end, e.g., to save time (Hedström et al., 2013).
To identify driving factors within our study, we conducted a second phase of workshops with HC staff across the three sites. Each workshop ran for a total of 3 hours. The sessions included between 15 and 25 staff members per group; a total of 56 staff took part across the three HC sites. Again, staff included the same wide range of roles to ensure that we gained a wide perspective. This time staff were presented with two priority behaviours. These behaviours were chosen by senior staff members at each location (from the seven behaviours identified in the first phase), according to those that they felt were most relevant or concerning for their particular working environment. As HC staff time is limited, this enabled us to explore the most critical security priorities in more depth.
The workshops began with the facilitators providing a short overview of the first workshop. Staff were then provided with information on the behaviours they would be discussing and informed that the goal of the workshop was to identify why these behaviours may be occurring. Staff were split into small groups of 3-5 members and provided with worksheets to help start discussion. The worksheets (Appendix A) were based upon common factors identified by behavioural theories, and accompanying crib sheets were provided (Appendix B). The crib sheets were translated into the local language of each site to aid staff members who were not fluent English speakers. Following the group work, everyone was brought back together for a final overall discussion and summary of key findings.
Thematic analysis of the workshop transcripts identified several facilitators of insecure behaviour: lack of cybersecurity awareness, time pressure and fatigue, behaviour prioritisation (i.e., staff priority is patient care and cybersecurity can be seen as a barrier or burden), mutual trust amongst colleagues, lack of reinforcement, and insecure behaviours necessary to complete their job (Coventry et al., 2020).
We encouraged staff to feel free to share any suggestions they may have regarding how things could be improved. However, it is interesting to note that staff generally felt disempowered to change things, largely due to feeling that the insecure behaviour was necessary to do their job. E.g., staff found it difficult to identify interventions to prevent use of USB devices, as no alternative method was available. Consequently, the only intervention they suggested was a technological intervention, e.g., using password-protected, encrypted USB devices. Likewise, staff only identified one potential intervention for encouraging secure sending of patient information, which was a technological intervention to automatically detect if confidential documents are being attached to an e-mail and prevent sending. This highlights how, in some situations, technological changes may be more appropriate than behavioural interventions.

Stage 3: Develop
The third stage of the AIDE approach consists of intervention development. Insecure behaviour and facilitating factors have been identified in the preceding two stages, therefore the researchers can start to identify appropriate interventions. It is likely that this third phase will provide numerous intervention options, and not all may be feasible, appropriate or necessary. Examples of the potential interventions identified in our own study are shown in Table 2. We also identified a range of environmental changes which could be used to facilitate secure behaviour, e.g., introducing an improved login process to reduce the burden on staff due to effort and time spent logging in and out, or changing the policy so that passwords no longer have to be changed so often (unless the password is compromised).

Table 2. Potential interventions identified in our study (fragment)

Ego
Display a message thanking staff for acting securely and therefore helping to ensure patient safety and data privacy.
The next step that we recommend is the development of a set of criteria to enable the researchers and end-users to collaboratively identify the final interventions for prototype development. The criteria we used in our study are presented in Table 3, with each item scored on a scale of 1-5. Criteria may differ according to context.

Table 3. Criteria for identification of final interventions for prototype development

Technological feasibility
The feasibility of implementing any hardware or software required for the intervention. This must take into account the technology already in use and how feasible it would be to introduce the necessary components.

Time and ease of implementation [R]
Time and ease of implementing the complete intervention; this includes design, piloting, integration of any technological components, staff training, intervention materials etc.

Disruption to work processes [R]
Any disruption to other work processes that could occur as a result of introducing the intervention, e.g., reduced staff time due to training needs.

Requires policy change [R]
Whether the intervention requires a change to company and/or governmental policy.

Financial cost [R]
The degree to which implementing (and running) the intervention is financially costly for the organisation.

Estimated effectiveness
Estimated effectiveness based upon existing literature or previous experience relating to this behaviour change approach.

Sustainability
Long-term sustainability of the intervention within the organisation.

Generalisability
Whether the intervention is only suitable for a specific, niche context or whether it has the potential to be applied in a wider context.

Note: R = Reverse scored
Using the criteria, a team of researchers should independently score each identified nudge. Once completed, the scores should be tested for interrater reliability using Cohen's kappa (for 2 raters) or Fleiss' kappa (for 3+ raters). Reliability should be >0.80, a commonly accepted level of strong agreement. If reliability is <0.80, it is recommended that the researchers meet to discuss the scores causing the discrepancies and work towards mutual agreement. If agreement is not forthcoming, the criteria may not be well defined and may require amendment until adequate interrater reliability is achieved.
The overall scores can then be used to narrow down the potential interventions to the final choices (i.e., those scoring most highly). It is recommended that the selected interventions are then presented to end-users to sense check and help identify potential barriers to implementation and/or adoption. Final choices for prototype development will be chosen based upon this end-user feedback. Prototypes should also be co-designed with end-users, using a feedback loop to refine the prototype, and initial pilot sessions using a representative group of end-users. Once prototypes have been refined and are ready for implementation, they will be evaluated within the working environment. To achieve this, researchers and end-users must work together to explicitly identify measurable outcomes that can be used as success metrics (or validation indicators). Whenever possible, these metrics should include an objective technological measure and a baseline measure for comparison, e.g., phishing penetration test results before and after an anti-phishing intervention is introduced. It is also beneficial to supplement empirical, technological results with self-reported feedback from the end-users (e.g., via interview or survey). This enables the researchers to gain more insight into why and how the intervention may be succeeding (or not) and may also highlight potential revisions to improve effectiveness. In some instances, technological measures may be difficult to obtain and more reliance may be necessary upon self-reported measures.
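As an added example (not code from the paper or the PANACEA project), the following Python scores candidate nudges against the Table 3 criteria with the [R] items reverse scored, tests interrater agreement with Cohen's kappa for two raters or Fleiss' kappa for three or more against the 0.80 threshold, and ranks the nudges by mean total. The rater sheets and the three nudge names are constructed sample data, not results from the study.

```python
from collections import Counter

# Table 3 criteria in order; True marks a reverse-scored [R] item.
CRITERIA = [("Technological feasibility", False), ("Time and ease of implementation", True),
            ("Disruption to work processes", True), ("Requires policy change", True),
            ("Financial cost", True), ("Estimated effectiveness", False),
            ("Sustainability", False), ("Generalisability", False)]
SCALE_MAX = 5            # each criterion is scored 1-5
KAPPA_THRESHOLD = 0.80   # strong agreement, as recommended above

def adjust(score, reverse):
    """Map a raw 1-5 rating so that higher is always better; [R] items flip."""
    if not 1 <= score <= SCALE_MAX:
        raise ValueError(f"score {score} outside 1-{SCALE_MAX}")
    return SCALE_MAX + 1 - score if reverse else score

def total_score(raw_scores):
    """Adjusted total for one nudge; raw_scores follow CRITERIA order."""
    return sum(adjust(s, rev) for s, (_, rev) in zip(raw_scores, CRITERIA))

def cohens_kappa(a, b):
    """Cohen's kappa for two raters scoring the same items (1-5 as categories)."""
    n = len(a)
    observed = sum(x == y for x, y in zip(a, b)) / n
    ca, cb = Counter(a), Counter(b)
    expected = sum(ca[k] * cb[k] for k in ca) / (n * n)   # chance agreement
    return 1.0 if expected == 1.0 else (observed - expected) / (1 - expected)

def fleiss_kappa(items):
    """Fleiss' kappa; items[i] holds every rater's score for item i (2+ raters)."""
    n_raters = len(items[0])
    per_item = []               # agreement within each item
    cat_totals = Counter()      # how often each category was used overall
    for ratings in items:
        counts = Counter(ratings)
        cat_totals.update(counts)
        per_item.append((sum(c * c for c in counts.values()) - n_raters)
                        / (n_raters * (n_raters - 1)))
    total = len(items) * n_raters
    p_bar = sum(per_item) / len(items)
    p_e = sum((c / total) ** 2 for c in cat_totals.values())
    return 1.0 if p_e == 1.0 else (p_bar - p_e) / (1 - p_e)

def rater_reliability(sheets):
    """sheets: {rater: {nudge: raw scores}}; each (nudge, criterion) cell is one item."""
    raters = sorted(sheets)
    nudges = sorted(sheets[raters[0]])
    items = [[sheets[r][n][i] for r in raters]
             for n in nudges for i in range(len(CRITERIA))]
    if len(raters) == 2:
        return cohens_kappa([it[0] for it in items], [it[1] for it in items])
    return fleiss_kappa(items)

def rank_nudges(sheets):
    """Mean adjusted total per nudge across raters, highest (best) first."""
    raters = list(sheets)
    means = {n: sum(total_score(sheets[r][n]) for r in raters) / len(raters)
             for n in sheets[raters[0]]}
    return sorted(means.items(), key=lambda kv: -kv[1])

# Constructed sample: two raters, three candidate nudges named after options discussed above.
SAMPLE = {
    "rater_A": {"Thank-you message (Ego)": [5, 2, 1, 1, 1, 3, 4, 5],
                "Encrypted USB devices": [4, 3, 2, 2, 3, 4, 4, 4],
                "Improved login process": [3, 4, 3, 2, 4, 5, 5, 3]},
    "rater_B": {"Thank-you message (Ego)": [5, 2, 1, 1, 1, 3, 4, 5],
                "Encrypted USB devices": [4, 3, 2, 3, 3, 4, 4, 4],
                "Improved login process": [3, 4, 2, 2, 4, 5, 5, 3]},
}
```

With the sample sheets the two raters disagree on 2 of 24 cells, giving a kappa of about 0.89, so the team would proceed to ranking rather than reconvening to resolve discrepancies.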
It is important to note that success metrics will differ significantly depending upon the environment and targeted behaviour(s), which further supports the application of customisable approaches such as the AIDE approach. Once metrics have been identified and measured, this completes the first iteration of the AIDE approach. However, this is designed to be an ongoing, iterative and dynamic process (Fig. 1) that evolves with the working environment. This is particularly important as the HC environment changes regularly, including new staff intake, staff rotation, introduction of new devices, system updates etc.
Without this dynamic approach, interventions may fail to reflect the current cybersecurity position and priorities. The AIDE approach should be regularly used to re-assess and re-evaluate current behaviour and interventions.

Conclusion
To summarise, the AIDE approach introduces a novel framework to structure and guide the application of behaviour change interventions within the working environment, including within HC. Rather than focusing upon how to develop a particular intervention (as methodologies already exist for this, e.g., MINDSPACE: Dolan et al., 2010), this approach provides a framework to structure the entire process, from the initial stages of assessing problematic behaviours and identifying underlying motivations, through developing an appropriate intervention (including evaluating suitability and effectiveness), and on to continued reassessment. Although we have demonstrated this approach in relation to the HC environment, its dynamic process means that it is easily generalised across many settings.
The AIDE approach encompasses the importance of involving end-users in the process of behaviour change development. It is possible that with adequate training and support, this approach could also be used to build a toolkit to enable end-users, such as HC organisations, to apply this process 'in-house'. This is something that the PANACEA project aims to deliver.
What prompts or reminds you to behave securely at work (in relation to the identified behaviour)? For example, are there any relevant posters to raise awareness? Alerts on the workstations or by e-mail?

ENVIRONMENTAL AND/OR TECHNOLOGICAL CONSTRAINTS:
In what ways does your environment create barriers to secure behaviours? In what way does your environment and/or the technology you use encourage the identified risky behaviour?
This could include your working environment, daily responsibilities and/or the computer systems.

HABIT AND/OR CONVENIENCE:
Do you think the identified risky behaviour has become habitual at work?