Abstract

Organizations continue to use security education, training, and awareness (SETA) programs to reduce the number of cybersecurity incidents related to phishing. A large healthcare organization contacted the authors to share that they continued to struggle with the efficacy of their traditional training program and to ask whether we could design a better program. Using an action research methodology, we designed a new training program based on self-regulation theory. We tested this new training in an experiment with a sample of 307 medical and administrative staff. The results of chi-square tests comparing the click rate of phishing emails before and after the training showed that the new SETA program was more effective than the existing SETA program (overall medical staff χ² = 4.87, p < 0.05; overall administrative staff χ² = 16.04, p < 0.05). The results also showed differences between medical and office staff regarding the effectiveness of training. The research shows the effectiveness of self-regulatory theory in SETA training and how this approach leads to significant improvement over traditional methods of training. The research also points to emerging issues in security training research.
