Citation: Yeng, P.K.; Fauzi, M.A.; Yang, B.; Nimbe, P. Investigation into Phishing Risk Behaviour among Healthcare Staff. Information 2022, 13, 392. https://doi.org/10.3390/info13080392
Academic Editor: Georgios Kambourakis
Received: 12 July 2022
Accepted: 5 August 2022
Published: 18 August 2022
Copyright: © 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Investigation into Phishing Risk Behaviour among Healthcare Staff
Prosper Kandabongee Yeng 1,*,†, Muhammad Ali Fauzi 1, Bian Yang 1 and Peter Nimbe 2
1 Department of Information Security and Communication Technology, Norwegian University of Science and Technology, 2815 Gjøvik, Norway
2 Department of Information Security and Communication Technology, University of Energy and Natural Resources, Sunyani P.O. Box 214, Ghana
* Correspondence: prosper.yeng@ntnu.no
† Current address: Department of Information Security and Communication Technology, NTNU, Teknologivegen 22, 2815 Gjøvik, Norway.
Abstract: A phishing attack is one of the less complicated ways to circumvent sophisticated technical security measures. It is often used to exploit psychological (as well as other) factors of human users to succeed in social engineering attacks, including ransomware. Guided by the state of the art in phishing simulation studies in healthcare and after deeply assessing the ethical dilemmas, an SMS-based phishing simulation was conducted among healthcare workers in Ghana. The study adopted an in-the-wild study approach alongside quantitative and qualitative surveys. From the state-of-the-art studies, the in-the-wild study approach was the most commonly used method as compared to laboratory-based experiments and statistical surveys because its findings are generally reliable and effective. The attack results also showed that 61% of the targeted healthcare staff were susceptible, and some of the healthcare staff were not victims of the attack because they prioritized patient care and were not susceptible to the simulated phishing attack. Through structural equation modelling, the workload was estimated to have a significant effect on self-efficacy risk (r = 0.5, p-value = 0.05), and work emergency predicted a perceived barrier in the reverse direction at a substantial level of r = -0.46, p-value = 0.00. Additionally, Pearson’s correlation showed that the perceived barrier was a predictor of self-reported security behaviour in phishing attacks among healthcare staff. As a result, various suggestions, including an extra workload balancing layer of security controls in emergency departments and better security training, were made to enhance staff’s conscious care behaviour.
Keywords: security practice; healthcare; phishing attack; social engineering; smishing
1. Introduction
Digitization refers to a holistic transformation of different sectors by adopting IT systems [1,2]. The systems that are commonly used in the transformation include software applications, networks, and hardware systems. This has been an ongoing course of action in the eHealth space, with systems such as electronic health records (EHRs), medical devices, decision support, and telemedicine, among others. The recent COVID-19 pandemic has expedited the adoption rate and expanded the use of information communication technology (ICT) in the healthcare sector. The World Health Organization (WHO) confirmed this by indicating that there has been a tremendous increase in the use of mobile devices such as smartphones, tablets, embedded devices [3,4], and laptops for the self-management of healthcare, diagnosis, treatment, and disease surveillance [5].
Countries in Africa such as Ghana are not left out in the digitization drive in healthcare.
Many healthcare facilities have adopted various kinds of ICT systems [6–8], including EHR,
to improve their healthcare delivery. The major threat in digitization relates to issues of
cyber security, especially the human aspect of information security.