Human factors in cybersecurity: Designing an effective cybersecurity education program for healthcare staff.

Abstract

Leaders who promote cybersecurity education focused on the human factors of cyberattack build a resilient workforce that complements technical protections, reducing organizational risk. Cybersecurity is a priority for information technology teams, relying primarily on technology to protect systems. As technical protections mature, the vulnerability shifts to human factors. Education must focus on the risk presented by humans rather than machines. A human factors-centred education program trains human reaction to threats considering the unique healthcare environment. Leaders may look to industries, like aviation, experiencing similar technical advancement, for education practices based on human factors. This article outlines a cybersecurity education program developed for healthcare, applying strategies adopted from commercial aviation. Four core pillars of training are defined: (1) dynamic education delivery options, (2) social engineering focused simulations, (3) high-risk positions and role-based training, and (4) stakeholder and leadership engagement. The first phase of implementation is analyzed, and lessons learned defined.