Abstract
Health information systems (HIS) are a specific area of information systems (IS) in which critical patient data is stored, and quality health service is realized only through the correct use and efficient dissemination of this data to health workers. A balance therefore needs to be established between the level of security and the flow of information in HIS. Instead of implementing higher levels and further mechanisms of control to increase the security of HIS, it is preferable to deal with what is arguably the weakest link in the HIS chain with respect to security: HIS users. In order to provide solutions and approaches for transforming users into the first line of defense in HIS, and also to employ capable and appropriate candidates from the pool of newly graduated students, it is important to assess and evaluate the security awareness levels and characteristics of these existing and future users. This study aims to provide a new perspective for understanding the security awareness of HIS users through fuzzy analysis, and to assess the present situation of current and future HIS users of a leading medical and educational institution of Turkey with respect to their security characteristics, based on four different security scales. The study provides the results of the fuzzy analysis, a guide on how to apply this fuzzy analysis to any health institution and how to read and interpret its results, and the possible implications of these results for the organization.
Notes
Ng et al. define computer security incidents as “a security-related adverse event in which there is a loss of information confidentiality, disruption of information or system integrity, disruption or denial of system availability, or violation of any computer security policies” [1].
References
Ng, B.-Y., Kankanhalli, A., and Xu, Y., Studying users' computer security behavior: a health belief perspective. Decis. Support. Syst. 46(4):815–825, 2009.
Kankanhalli, A., Teo, H.-H., Tan, B. C. Y., and Wei, K.-K., An integrative study of information systems security effectiveness. Int. J. Inf. Manag. 23(2):139–154, 2003.
Stanton, J. M., Mastrangelo, P. R., Stam, K. R., and Jolton, J., Behavioral information security: two end user survey studies of motivation and security practices. Proceedings of the Tenth Americas Conference on Information Systems, New York, 2004.
Aurigemma, S., and Panko, R., A composite framework for behavioral compliance with information security policies. System Science (HICSS) 45th Hawaii International Conference on System Sciences, Maui, 2012.
Chan, M., Woon, I., and Kankanhalli, A., Perceptions of information security at the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security 1(3):18–41, 2005.
Pahnila, S., Siponen, M., and Mahmood, A., Employees’ behavior towards IS security policy compliance. System Sciences, 2007. HICSS 2007. 40th Annual Hawaii International Conference on, 2007.
D’Arcy, J., and Hovav, A., Countermeasures and information systems misuse behaviors. Journal of Information System Security 3(2):3–30, 2007.
Hadasch, F., Mueller, B., and Maedche, A., Exploring antecedent environmental and organizational factors to user-caused information leaks: a qualitative study. ECIS 2012 Proceedings, 2012.
Zhang, J., Reithel, B. J., and Li, H., Impact of perceived technical protection on security behaviors. Information Management & Computer Security 17(4):330–340, 2009.
Bulgurcu, B., Cavusoglu, H., and Benbasat, I., Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q. 34(3):523–548, 2010.
LaRose, R., Rifon, N. J., and Enbody, R., Promoting personal responsibility for internet safety. Commun. ACM 51(3):71–76, 2008.
Health Information Systems, 27 07 2009. [Online]. Available: http://go.worldbank.org/XFTO56S8S0. [Accessed 2 03 2013].
Katsikas, S. K., Health care management and information systems security: awareness, training or education? Int. J. Med. Inform. 60(2):129–135, 2000.
Giuse, D. A., and Kuhn, K. A., Health information systems challenges: the Heidelberg conference and the future. International journal of medical informatics 69(2):105–114, 2003.
Ammenwerth, E., Gräber, S., Herrmann, G., Bürkle, T., and König, J., Evaluation of health information systems—problems and challenges. Int. J. Med. Inform. 71(2):125–135, 2003.
Haux, R., Health information systems – past, present, future. Int. J. Med. Inform. 75(3–4):268–281, 2006.
Appari, A., and Johnson, M. E., Information security and privacy in healthcare: current state of research. Int. J. Internet and Enterprise Management 6(4):279–314, 2010.
Grandison, T., and Sloman, M., A survey of trust in internet applications. Communications Surveys & Tutorials 3(4):2–16, 2000.
Blumenthal, D., Stimulating the adoption of health information technology. N. Engl. J. Med. 360(15):1477–1479, 2009.
Goldschmidt, P. G., HIT and MIS: implications of health information technology and medical information systems. Commun. ACM 48(10):68–74, 2005.
Janczewski, L., and Xinli Shi, F., Development of information security baselines for healthcare information systems in New Zealand. Computers & Security 21(2):172–192, 2002.
Rindfleisch, T. C., Privacy, information technology, and health care. Commun. ACM 40(8):92–100, 1997.
Smith, E., and Eloff, J., Cognitive fuzzy modeling for enhanced risk assessment in a health care institution. Intelligent Systems and their Applications, IEEE 15(2):69–75, 2000.
Buckovich, S. A., Rippen, H. E., and Rozen, M. J., Driving toward guiding principles a goal for privacy, confidentiality, and security of health information. J. Am. Med. Inform. Assoc. 6(2):122–133, 1999.
Zadeh, L. A., Fuzzy sets as a basis for a theory of possibility. Fuzzy sets and systems 100 Supplement, pp. 9–34, 1999.
Dhillon, G., and Torkzadeh, G., Value–focused assessment of information system security in organizations. Inf. Syst. J. 16(3):293–314, 2006.
Carrasco, R. A., Muñoz-Leiva, F., Sánchez-Fernández, J., and Liébana-Cabanillas, F. J., A model for the integration of e-financial services questionnaires with SERVQUAL scales under fuzzy linguistic modeling. Expert Syst. Appl. 39:11535–11547, 2012.
Ngan, S.-C., Decision making with extended fuzzy linguistic computing, with applications to new product development and survey analysis. Expert Syst. Appl. 38:14052–14059, 2011.
Belohlavek, R., Sigmund, E., and Zacpal, J., Evaluation of IPAQ questionnaires supported by formal concept analysis. Inf. Sci. 181:1774–1786, 2011.
Azar, A., and Darvishi, Z. A., Development and validation of a measure of justice perception in the frame of fairness theory—fuzzy approach. Expert Syst. Appl. 38:7364–7372, 2011.
Hosmer, H. H., Security is fuzzy!: applying the fuzzy logic paradigm to the multipolicy paradigm. Proceedings on the 1992-1993 workshop on New security paradigms, 1993.
Phuong, N. H., and Kreinovich, V., Fuzzy logic and its applications in medicine. Int. J. Med. Inform. 62(2):165–173, 2001.
Binaghi, E., Gallo, I., Ghiselli, C., Levrini, L., and Biondi, K., An integrated fuzzy logic and web-based framework for active protocol support. Int. J. Med. Inform. 77(4):256–271, 2008.
Başçiftçi, F., and İncekara, H., Design of web-based fuzzy input expert system for the analysis of serology laboratory tests. J. Med. Syst. 36(4):2187–2191, 2012.
Esposito, M., De Falco, I., and De Pietro, G., An evolutionary-fuzzy DSS for assessing health status in multiple sclerosis disease. Int. J. Med. Inform. 80(12):245–254, 2011.
Lopes, M. H. B. D. M., Ortega, N. R. S., Silveira, P. S. P., Massad, E., Higa, R., and Marin, H. D. F., Fuzzy cognitive map in differential diagnosis of alterations in urinary elimination: a nursing approach. Int. J. Med. Inform. 80(12):201–208, 2013.
Badawi, A. M., Derbala, A. S., and Youssef, A.-B., Fuzzy logic algorithm for quantitative tissue characterization of diffuse liver diseases from ultrasound images. Int. J. Med. Inform. 55(2):135–147, 1999.
Singh, S., Kumar, A., Panneerselvam, K., and Vennila, J. J., Diagnosis of arthritis through fuzzy inference system. J. Med. Syst. 36(3):1459–1468, 2012.
Das, S., Chowdhury, S. R., and Saha, H., Accuracy enhancement in a fuzzy expert decision making system through appropriate determination of membership functions and its application in a medical diagnostic decision making system. J. Med. Syst. 36(3):1607–1620, 2012.
Ogutcu, G., and Aydin, O., Analysis of personal information security behavior and awareness in E-transformation process. Submitted manuscript.
Milne, G. R., Labrecque, L. I., and Cromer, C., Toward an understanding of the online consumer’s risky behavior and protection practices. J. Consum. Aff. 43(3):449–473, 2009.
Bechara, A., Risky business: emotion, decision-making, and addiction. J. Gambl. Stud. 19(1):23–51, 2003.
Moore, S., and Gullone, E., Predicting adolescent risk behavior using a personalized cost-benefit analysis. Journal of Youth and Adolescence 25(3):343–359, 1996.
Birch, D. G., and McEvoy, N. A., Risk analysis for information systems. J. Inf. Technol. 7(1):44–53, 1992.
Rainer, R. K. J., Snyder, C. A., and Carr, H. H., Risk analysis for information technology.
Horst, M., Kuttschreuter, M., and Gutteling, J. M., Perceived usefulness, personal experiences, risk perception and trust as determinants of adoption of e-government services in The Netherlands. Comput. Hum. Behav. 23(4):1838–1852, 2007.
Slovic, P., Finucane, M. L., Peters, E., and MacGregor, D. G., Risk as analysis and risk as feelings: some thoughts about affect, reason, risk, and rationality. Risk Anal. 24(2):311–322, 2004.
Tsohou, A., Karyda, M., Kokolakis, S., and Kiountouzis, E., Formulating information systems risk management strategies through cultural theory. Information Management & Computer Security 14(3):198–217, 2006.
Dubois, D., and Prade, H., Gradualness, uncertainty and bipolarity: making sense of fuzzy sets. Fuzzy Sets Syst. pp. 3–24, 2012.
Gong, D.-W., Yuan, J., and Sun, X.-Y., Interactive genetic algorithms with individual’s fuzzy fitness. Comput. Hum. Behav. 27(5):1482–1492, 2011.
Chiou, H.-K., Tzeng, G.-H., and Cheng, D.-C., Evaluating sustainable fishing development strategies using fuzzy MCDM approach. Omega, pp. 223–234, 2005.
Deng, W.-J., and Pei, W., Fuzzy neural based importance-performance analysis for determining critical service attributes. Expert Systems With Applications, pp. 3774–3784, 2009.
Ma, J., Ruan, D., Xu, Y., and Zhang, G., A fuzzy-set approach to treat determinacy and consistency of linguistic terms in multi-criteria decision making. International Journal of Approximate Reasoning, pp. 165–181, 2007.
Klir, G. J., and Yuan, B., Fuzzy sets and systems. Prentice Hall PTR, New Jersey, 1995.
Tsai, H.-H., and Lu, I.-Y., The evaluation of service quality using generalized Choquet integral. Inf. Sci. 176(6):640–663, 2006.
Acknowledgments
The authors would like to thank Gizem Ogutcu for sharing the data from health employees and students that were used in this study.
Conflict of interest
The authors declare that they have no conflict of interest.
Appendix A
The responses to questions between 1 and 60 are given as “Always, Often, Usually, Rarely or Never”
1. I use Messenger, GTalk, Skype and similar chat programs.
2. I use e-mail.
3. I use my corporate e-mail address for my private matters as well.
4. I join e-mail groups on the Internet.
5. I use Facebook, Twitter and similar social network sites.
6. I have more than one e-mail addresses.
7. I accept invitations for applications sent through social networks.
8. I use online banking.
9. I shop on the Internet.
10. I use web sites that provide e-citizenship services (identity number inquiry, social security premiums etc.).
11. I play online games.
12. I download/save music, movies, programs and files from the Internet.
13. I watch online videos/movies.
14. I share my contact information on the Internet when required (Cell number, e-mail, address etc.).
15. I share my personal information on the Internet when required (First and last name, date of birth etc.).
16. I prefer to install/use original (licensed) software in my computer.
17. I use security programs like anti-virus, spyware removal etc.
18. I use security programs as firewall, adware preventing etc.
19. I use content filtering software.
20. I use e-mail filtering software.
21. I am informed about online activities by using follow up software.
22. I review the temporary Internet files and the Internet browsing history.
23. I delete the temporary Internet files and Internet history before leaving a public computer.
24. I use passwords for my files.
25. I use complex and long passwords that cannot be easily guessed for my accounts.
26. I use electronic/mobile signature.
27. I generally use the favorites list while browsing the Internet.
28. I transfer files while I chat.
29. I share the files on my computer.
30. I use online banking by public Internet.
31. I report to the authorities IS security incidents that I encounter on the Internet.
32. I share my passwords with others.
33. I keep my passwords written in places that can easily be found.
34. I have a password to turn on my computer.
35. I turn off the auto-complete feature of my computer.
36. I open e-mails from people that I do not know and I download their attachments.
37. I check whether the web sites I visit have an SSL certificate.
38. I change my passwords periodically.
39. I change my wireless modem password periodically.
40. When sending the same message to multiple recipients, I use blind carbon copy (BCC).
41. I do regular updates on the software I use.
42. I have experienced troubles because of computer viruses.
43. I have experienced financial loss as a result of online shopping.
44. My credit card has been copied.
45. I have experienced troubles since I started sharing my personal information on the Internet.
46. I have experienced financial loss since I started using electronic banking.
47. My personal information has been shared with third parties/published on the Internet without my consent.
48. My usernames and passwords related with my accounts on the Internet were accessed illegally.
49. I have been insulted or threatened on the Internet by people I do not know.
50. I have experienced financial loss due to gambling web sites.
51. I have experienced financial loss due to social network sites.
52. I have experienced financial loss due to friendship sites.
53. I have been faced out of my intention with websites with violence or pornographic content while surfing on the Internet.
54. The files on my computer have been stolen/deleted.
55. Fake accounts have been created on behalf of me.
56. Correspondence I did on the Internet was viewed or saved by others out of my intention or knowledge.
57. I follow the legal developments related to computer and the Internet security.
58. I know who to inform if I come under or come across to a cyber-crime.
59. I know that my personal information can be used by some others abusively.
60. Other parties’ recording my credit card details are not important for me while I use my credit card on online shopping.
61. I wanted to be a hacker.
The responses to questions between 61 to 89 are given as “Too Dangerous, Dangerous, Less Dangerous, Safe or No Idea”
62. Virus software.
63. Antivirus Software.
64. Spy programs (Keylogger, Screenlogger, Trojan etc.)
65. File sharing programs (Ares, Limewire etc.)
66. Web browser scripts such as ActiveX, Javascript etc.
67. Web browsers (Internet Explorer, Mozilla Firefox, Google Chrome etc.)
68. Chat programs (Messenger, etc.)
69. Undesired, Spam or Junk e-mail.
70. Online games.
71. USB/External memory devices.
72. MS Office applications (Word, Excel etc.)
73. Use of manual keyboard when entering a password.
74. Use of copy/pirated program.
75. Downloading materials such as music/photo/movie from the Internet without paying anything.
76. Opening e-mails with advertising content.
77. Use of online banking.
78. Sharing chat/information with strangers online.
79. Shopping online.
80. Browsing pornographic web sites.
81. Browsing gambling web sites.
82. Becoming a member to social networks (Facebook, Twitter etc.)
83. Use of Bluetooth.
84. Use of wireless modem.
85. Loading credits to phone through the Internet.
86. Use of unlicensed or free security programs.
87. Handing out identity card or driving license to security staff at the building entrance.
88. Giving identity card details to cargo, cell phone operator or similar agencies.
89. Knowing others’ citizenship number.
Cite this article
Aydın, Ö.M., Chouseinoglou, O. Fuzzy Assessment of Health Information System Users’ Security Awareness. J Med Syst 37, 9984 (2013). https://doi.org/10.1007/s10916-013-9984-x