Investigation into Phishing Risk Behaviour among Healthcare Staff

Abstract: A phishing attack is one of the less complicated ways to circumvent sophisticated technical security measures. It is often used to exploit psychological (as well as other) factors of human users in order to succeed in social engineering attacks, including ransomware. Guided by the state of the art in phishing simulation studies in healthcare, and after carefully assessing the ethical dilemmas, an SMS-based phishing simulation was conducted among healthcare workers in Ghana. The study adopted an in-the-wild approach alongside quantitative and qualitative surveys. Across the state-of-the-art studies, the in-the-wild approach was the most commonly used method, compared to laboratory-based experiments and statistical surveys, because its findings are generally reliable and effective. The attack results showed that 61% of the targeted healthcare staff were susceptible; some of the healthcare staff were not victims of the attack because they prioritized patient care and so did not respond to the simulated phishing message. Through structural equation modelling, workload was estimated to have a significant effect on self-efficacy risk (r = 0.5, p-value = 0.05), and work emergency predicted perceived barrier in the reverse direction at a substantial level (r = −0.46, p-value = 0.00). Additionally, Pearson's correlation showed that perceived barrier was a predictor of self-reported security behaviour in phishing attacks among healthcare staff. As a result, various suggestions, including an extra workload-balancing layer of security controls in emergency departments and better security training, were made to enhance staff's conscious care behaviour.


Introduction
Digitization refers to a holistic transformation of different sectors by adopting IT systems [1,2]. The systems commonly used in the transformation include software applications, networks, and hardware systems. This has been an ongoing course of action in the eHealth space, covering electronic health records (EHRs), medical devices, decision support, and telemedicine, among others. The recent COVID-19 pandemic has expedited the adoption rate and expanded the use of information and communication technology (ICT) in the healthcare sector. The World Health Organization (WHO) confirmed this by indicating that there has been a tremendous increase in the use of mobile devices such as smartphones, tablets, embedded devices [3,4], and laptops for the self-management of healthcare, diagnosis, treatment, and disease surveillance [5].
Countries in Africa such as Ghana are not left out in the digitization drive in healthcare. Many healthcare facilities have adopted various kinds of ICT systems [6][7][8], including EHR, to improve their healthcare delivery. The major threat in digitization relates to issues of cyber security, especially the human aspect of information security.
Verizon [9] recently reported that human factors across the globe accounted for a woeful 85% of the cyber security incidents in 2020, suggesting that the human element is now the leading targeted mode of entry into healthcare systems.

Perception and Work Factors with a Phishing Simulation Study
Falling victim to a phishing attack is the most common form of security compromise because attackers tend to exploit the psychological factors of their targets to get them to click on links [18]. However, various studies [19][20][21][22][23] of phishing susceptibility in healthcare have not explored these psychological theories, except for a study by Jalali et al., which explored the theory of planned behaviour and collected felt trust [24]. This gap in the literature provides the basis for our study, in which we explore the relationship between work factors and psychological factors that can be influenced to improve security behaviour relating to phishing attacks. This study therefore explores the perception constructs in HBM and PMT. Perception relates to the mindset and psycho-socio-cultural effects of an IT infrastructure on its users and how that affects cyber security practice. HBM and PMT have been extensively used to explain human behaviour and have been found useful in assessing other information security practices among users [17,25,26]. For instance, Ng et al. investigated the computer behaviour of users using the HBM; the study identified perceived susceptibility, benefits, and self-efficacy as determinants of email-related security behaviour [17]. Anwar et al. showed that gender has an effect on security self-efficacy. Moreover, Humaidi et al. proposed a comprehensive framework for analysing security practice based on various perception theories [26]. In fact, a mapping review of related theories for assessing security practice was conducted by [27] and identified various perception constructs, including perceived vulnerability and perceived barriers. While these studies showed that perception constructs are widely used for assessing motivation in information security research, the specific context (i.e., phishing in healthcare) can have a major influence on the behavioural intention of users [24].
For instance, the perceived severity of impact for a non-critical infrastructure may be lower than that for a critical infrastructure such as healthcare in data breach scenarios that violate the availability trait.
In assessing security practices related to phishing among healthcare staff, we therefore opine that it is necessary to explore perception factors in relation to phishing susceptibility. Such factors can then be improved for better security practice in phishing through various intrinsic and extrinsic motivations [28,29]. To this end, psychological constructs that were used in HBM and PMT were deemed suitable to achieving this study objective.
In HBM, the predictor of a person's possible health-related behaviour depends on their belief in the health threat (illness or disease) and in the effectiveness of the recommended actions (treatments and medicines) [17,30]. Back in the 1950s, the model was developed to prevent sickness or to help already-sick persons recover. HBM has been widely used in the healthcare sector, as people can perceive the severity of a disease and the recommended action and make better health behaviour choices. HBM has also found its way into the observation of information security practice in the human aspect of information security [27,31]. For instance, people are observed for their perception of security susceptibility and their belief in the organization's cyber security policy in order to predict their likely behaviour [17]. HBM consists of perceived susceptibility or vulnerability (PV), perceived severity (PS), perceived benefit (PBf), perceived barriers (PBs), cues to action (CA), and self-efficacy (SE). PV is the perceived risk of contracting a disease or falling victim to a cyber attack, while PS is the perception of the adverse impact of the respective disease (death, disability, family life, or social relations) or security attack (loss of data, punishment, etc.). PBs are viewed as obstacles that must be overcome in order to follow the recommended solutions. In the same vein, the assessment of one's ability or confidence to follow the recommended solutions is known as perceived SE. Additionally, CA refers to internal or external stimuli that influence one to adopt the recommended solution; stimuli include pain, disorders, advice, and knowledge of the situation of victims. PBf covers the perceived opportunities offered by the recommended course of action. Common drawbacks that have been noted include the model's limited ability to measure attitude, habitual behaviour, or environmental and economic factors, together with its assumption that the threat is known to all persons.
PMT on the other hand consists of threat and coping appraisals which are used in decision making by persons under stressful or harmful circumstances [32][33][34]. The decisions usually involve protecting oneself. The threat appraisal consists of PV and PS, which the person who is involved in the stress or harmful situation uses to appraise the level of the threat. PV measures the level of susceptibility of the person while PS is used to gauge the level of severity of the threatening event. Furthermore, the coping appraisal consists of response efficacy (RE), SE, and the response cost (RC). Within the context of PMT, RE refers to the perception of the effectiveness of the recommended action, while RC is the cost component of the recommended measures.

Work Factors and Security Practice
In addition to the psychological factors, the work of healthcare staff is characterized by erratic workload [24,34,35] and work emergency [27,36]. Work factors in this study refer to work-related events, such as workload and work emergency, that are associated with the use of IT systems in healthcare. Workload consists of the quantum of tasks that one has to perform within a given period, while work emergency refers to the urgency with which a given task must be accomplished [37]. Particularly in healthcare, time is an important factor: therapeutic measures can be required in a timely manner, without which lives can be lost. In some situations, patients can queue for many hours waiting to be seen by scarce healthcare professionals. All of this creates work-related stress, which can have an impact on the phishing-related behaviour of the healthcare worker. Even though various research activities [25,26,31,38] dealt with the perception aspect of security practice in healthcare, little is known about how work factors (workload, work emergency) contribute to cyber security practice among healthcare workers. Jalali et al. made efforts to address this by analysing how workload contributes to cyber security behaviours in phishing [24]. However, work factors in healthcare were not completely addressed, as work emergency was not included in that study. Moreover, the workload variable that was included only served as a moderating variable and was not related to the perception variables to assess its effects. That is why we argue that, since workload and work emergency are strongly associated with healthcare, especially during the COVID-19 pandemic, security practice can be impacted either directly or indirectly. This gap was also recognized by others, and empirical studies were proposed [27,34,36]. Relying on the aforementioned thoughts, the following research questions and hypotheses were formed:
In a similar study, Jalali et al. estimated the effect of self-reported behaviour on the actual behaviour related to phishing attacks [24]. In that vein, we tried to compare the self-reported security behaviour related to phishing with the actual behaviour of healthcare staff, namely having clicked the link. As this study focuses on assessing the threat of phishing attacks among healthcare staff and their ability to counteract it, we expect that hospital staff have a good perception of security practices. Therefore, healthcare staff can appraise security threats and overcome risky perceptions to comply with the security policy amidst work factors and perceptions, as shown in Figure 1. Based on this objective, we hypothesized that: As shown in Figure 1, the latent variables of security perceptions, including PV, PS, PB, SE, work emergency, and workload, are related to the intended security behaviour construct. Additionally, the model also shows the mediating effect of the perception factors between the work factor constructs and the IB. Position, work experience, and gender were considered as the moderating variables.

Research Methodology
Four approaches were used in this study, as shown in Figure 2. First, a scoping review was conducted that aimed to identify phishing simulation study methods/techniques, tools, and study gaps in the practically assessed literature. Grey literature was also searched for phishing simulation tools.
This was followed by observing hospitals to understand the ICT and security practices in the hospital. Guided by these, an SMS-based phishing simulation study was set up and deployed. The deployment was carried out alongside a survey of both qualitative and quantitative approaches. The details of each approach are provided in the following subsections.

Scoping Review
The aim of the review was to address the state of the art by identifying, assessing, and analysing the various approaches and techniques for use in critical infrastructure such as healthcare. A scoping review was adopted as the study aimed to assess, analyse, and evaluate topics relating to phishing simulation in healthcare, as categorized in Table 1. We therefore searched for phishing-related practical studies in healthcare in PubMed, Google Scholar, Science Direct/Elsevier, IEEE Xplore, and the ACM Digital Library. The scoping review took place between September 2021 and December 2021. The following keywords and phrases were combined: 'phishing attack', 'social engineering', 'healthcare', 'information security practice', and 'information security behavior'. The Boolean operators 'AND', 'OR', and 'NOT' were also used. Peer-reviewed journals and articles were considered. Articles were first selected through a quick read-through of the titles, abstracts, and keywords for records that seemed to match the inclusion and exclusion criteria. Duplicates were removed and the remaining articles were fully read and assessed. Additionally, phishing-related tools were further explored in grey literature with the key phrase "phishing tools" in the Google search engine. The findings were reported by adapting the Preferred Reporting Items for Systematic Reviews and Meta-Analysis (PRISMA) flow diagram [39].

Table 1 (partial, as recovered from the extracted text): categories used to assess the studies.
Security and privacy measures of tools: describes the behaviour of the tools (e.g., whether the tool collects sensitive data of the target hospital and targeted persons in the study).
7. Ethical measures: the consideration of the relative effect on participants (e.g., whether participants consented to the study).
8. Risk measures: measures to be adopted to conduct a risk-free assessment in the target environment.
9. Social demographic factors: factors such as gender, workload, and emergency situations which were considered in the attack.
10. Situational context of healthcare staff prior to clicking the link: what the healthcare workers were immediately engaged in prior to clicking the link.
11. Susceptibility reasons: the reasons given by the staff for clicking the link.
12. Survivor bias: analysis of the characteristics of only those healthcare workers who clicked the link, without considering those who did not click the link.

Inclusion and Exclusion Criteria
Only articles that were practically implemented in phishing-related studies in healthcare were included in the study. Articles outside the scope including literature in other languages, except English, were excluded.

Data Collection, Categorization, and Analysis
In line with the objectives of this study, data collection and categorization were developed based on authors' discussions. The categories were defined purposely to assess, analyze, and evaluate the studies, as shown in Table 1.
The identified articles were processed based on the categories defined in Table 1. Counts (n) and proportions were computed for each category.

Observation at the Hospitals
We adopted a 'fly-on-the-wall' approach by observing healthcare workers' security practice unnoticed. The researchers were introduced to the healthcare workers as temporary staff of the IT department who were there to collect feedback on issues relating to the information systems being used by the healthcare staff. We presumed that healthcare workers would not behave in their usual way if they were aware that their security practices were being observed [40]. We observed general security practice, but paid particular attention to physical security, internet use, email use, social media use, password management, incident reporting, information handling, and mobile computing, as these areas are prone to security policy violations within the context of the human element [34,41,42,43]. The purpose of this observation was to complement the review approach in answering RQ2, and thus to understand effective methods of safely and effectively conducting phishing simulation studies in healthcare.

Phishing Simulation Design and Attack
With regard to social engineering tests, the goal was to determine whether healthcare workers using IT systems are able to identify phishing-related malicious messages amidst work factors and their perceptions. This approach was intended to answer RQ3 and RQ4 together with the hypotheses. Guided by findings from the observations, SMS-based phishing was adopted in this simulated attack because the hospitals had not configured corporate email systems, but rather used mobile devices such as laptops and mobile phones in their provision of healthcare services. Since this was a simulated study, we did not want to use a critical infrastructure such as healthcare as a test range. Instead, the tests were conducted through the mobile contacts of the healthcare staff. We reasoned that if healthcare staff can be security-conscious on their cellphones, the healthcare environment can improve. So the plan was that healthcare staff would receive a "malicious message" containing a "malicious link". If the target person clicked on the link, the click event would be registered in a database and the person would be redirected to a questionnaire instrument. While other studies have used multiple clicks in similar designs [13,20], the goal of those studies is mainly to assess the effectiveness of phishing-related training and education. In this study, a single click of the link was used, just as in a recent study conducted by [24], because the goal of Jalali et al. and other current studies is geared towards assessing the effects of theoretical factors.
The questionnaire instrument was used to support the identification of the circumstances that led to the clicking of the link, together with the behavioural intentions of the user. A secured domain name was registered to look similar to the hospitals' domain, except that the domain name type was different (i.e., information instead). This was the major phishing cue or clue that the researchers wanted the target to notice. A secured online questionnaire tool, created by Nettskjema [44], was used to design the questionnaire for this test. Nettskjema is deemed secure and safe for developing questionnaires compared to other online forms. Additionally, a website was developed with a database to collect the click events of users. To comply with privacy and security regulations, each click event was encrypted with SHA-256. The click events were collected alongside their date and a time stamp in order to know when each click event occurred. The website was hosted with the registered domain, and the link, together with the phishing message, was sent to the targets via SMS. The phishing message was chosen to reflect events that were ongoing at the hospital, including those relating to COVID-19, as shown in Figure 3. The simulated attack began on 24 November 2021 and ended on 8 December 2021. After a week, we closed all responses to the questionnaire and made phone calls to participants to collect qualitative data on why they clicked the phishing link. Only participants who remembered having received the SMS and having read its content were given the opportunity to provide their responses.
If a respondent clicked on the link, the click event was first registered in the database and then the questionnaire was opened. To understand the security practice of the respondents, information was collected from them concerning what they were engaged in just before clicking the link. The purpose of collecting this information was to understand why the user clicked on the link (for example, the respondent was busy serving patients). This provides input for the training needed with regard to phishing attacks. The personally identifiable records of respondents were not stored in the database, and, of course, the link was not actually malicious, as depicted in Figure 4.
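The click-registration design described above, as an added example that is not the study's own code. It assumes (the paper does not say this) that every recipient's link carries a unique random token and that the server stores only a keyed SHA-256 digest of that token plus a timestamp; a bare SHA-256 over a phone number or staff ID would be a one-way digest, not encryption, and could be reversed by enumerating the small input space, so the token is random and the hash is keyed. The campaign window and the susceptibility-rate and daily-click-curve computations mirror the figures the paper reports (Figure 6); the ten targets and their click times are constructed.

```python
"""Pseudonymous click registry for a consented SMS phishing simulation."""
import hashlib
import hmac
import secrets
from collections import Counter
from datetime import datetime, timedelta, timezone


class ClickRegistry:
    def __init__(self, study_key: bytes, campaign_start: datetime, campaign_days: int):
        self._key = study_key          # held by the research team, not derivable from events
        self.start = campaign_start
        self.days = campaign_days
        self.events = []               # (digest_hex, timestamp): all the web server keeps

    def issue_token(self) -> str:
        # 128 random bits per recipient, embedded in that recipient's link.
        # The digest of a random token cannot be reversed by guessing, unlike
        # the digest of a phone number, which has only ~10^10 candidates.
        return secrets.token_urlsafe(16)

    def _digest(self, token: str) -> str:
        # Keyed SHA-256 (HMAC): same token -> same pseudonym, but only with the key.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def register_click(self, token: str, when: datetime) -> str:
        """Record a click; raises if it falls outside the campaign window."""
        if not (self.start <= when < self.start + timedelta(days=self.days)):
            raise ValueError("click outside the campaign window")
        digest = self._digest(token)
        self.events.append((digest, when))
        return digest

    def unique_clickers(self) -> set:
        return {digest for digest, _ in self.events}

    def susceptibility_rate(self, targets: int) -> float:
        """Share of targets with at least one click (repeat clicks count once)."""
        return len(self.unique_clickers()) / targets

    def daily_click_curve(self) -> list:
        """Number of first-time clickers on each campaign day (day 0 = launch)."""
        first_click = {}
        for digest, when in self.events:
            if digest not in first_click or when < first_click[digest]:
                first_click[digest] = when
        per_day = Counter((when - self.start).days for when in first_click.values())
        return [per_day.get(day, 0) for day in range(self.days)]


def build_demo() -> ClickRegistry:
    """Constructed data: 10 targets, 6 clickers, one of whom clicks twice."""
    start = datetime(2021, 11, 24, tzinfo=timezone.utc)   # campaign start from the paper
    registry = ClickRegistry(secrets.token_bytes(32), start, campaign_days=15)
    tokens = [registry.issue_token() for _ in range(10)]
    # (target index, campaign day, hour): clicks cluster on the first two days
    click_plan = [(0, 0, 9), (1, 0, 14), (2, 0, 21), (3, 1, 10), (4, 1, 16), (5, 4, 8), (0, 2, 11)]
    for idx, day, hour in click_plan:
        registry.register_click(tokens[idx], start + timedelta(days=day, hours=hour))
    return registry


if __name__ == "__main__":
    reg = build_demo()
    print("susceptibility rate:", reg.susceptibility_rate(10))
    print("daily first clicks:", reg.daily_click_curve())
```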

Statistical Survey
A total of 167 healthcare staff agreed to join the study through a convenience sampling. Due to ethical, privacy, and security concerns, the identity of these hospitals and the respondents were not disclosed in this paper. To deal with survival biases [24,45], participants who did not click the link and those who clicked the link but failed to fill out the questionnaire were contacted by phone to find out their reason for doing so.
The questionnaire instrument in this study has a social demographic section that collected attributes such as gender, position at work, and years of work experience of the respondents. Another section collected data on the work situation, such as the workload, work emergency, what the participant was engaged in, and his or her expectation prior to clicking the link. Security practice items relating to perceived barrier, perceived vulnerability, perceived severity, and perceived self-efficacy were also included in the study, as shown in Table A1. A five-point Likert scale was used. The questionnaire was crafted to cover security practice relating to internet use, email use, password management, and social media use, as these aspects of security practice are the most prone to security violations by the human element [27,34,41]. The questionnaire items were adapted from existing questionnaires and modified for this study, as shown in Table A1 in Appendix A.

Ethical, Privacy, and Security Measures
When participants realize their behaviour is monitored, they tend to behave differently. On the other hand, when they are monitored without consent, researchers are accused of breaking the law [40,46]. Researchers have intentionally refused to disclose some of the research procedures and purpose in order to have an unbiased study [40]. Meanwhile, studies involving deception have proven effective because they assess real responses to phishing and to potential attacks that are yet to occur, and can effectively measure the success rate of countermeasures that are yet to be deployed [40,46].
Many ethics committees fail to approve phishing-related studies because they believe that deception in research contradicts informed consent and is potentially harmful to participants, invading privacy, breaking participants' rights, and limiting their control of risks (such as stress or psychological damage) associated with the research. However, the research community has opposed this view. Various studies have stated that deception in research is not ethically wrong, and that the reason for withholding such information is what the ethics committee should be assessing instead [46,47]. They also explained that people in the clinical sector appreciate deception in research if it is likely to educate them; participants were even interested in taking part in similar deceptive research [40,46].
The psychological association supported this position, stating that it may be impossible to study some psychological constructs without withholding certain information about the true purpose of the study or deliberately misleading the participants [40]. The British Psychological Society also accepts deception in research and states that participants' awareness of some aspects of the study could compromise its validity [40,46].
In essence, using deception as a research method is justified, and yields valid inference, if it follows a road map. The road map is as follows:
• Pre-launch of phishing: prepare the fraudulent text, issue a press release to administrators, and pre-inform consent;
• Launch of the attack: consider data protection and the well-being of the participants;
• Post-launch: consider debriefing, post-informed consent, and data protection.
Having followed these measures, the participants volunteered and consented to the study and also shared their phone numbers for this research. The healthcare facilities that joined this study had adopted full electronic health record systems in their operations and were selected to join the study through an invitation. Ethical clearance was obtained in Ghana. Following that, research coordinators were appointed to liaise with the management of these hospitals to facilitate the study. For instance, the facilitators identified SMS platforms and sent the phishing SMS messages, together with the phishing links, to the targets. Because of the high cost of internet data bundles in Ghana, the target participants who filled in the questionnaire after clicking the SMS link received a reimbursement of their internet data amounting to GHS 10.00 each (about USD 1.67). Prior to filling out the form, participants were debriefed and reminded of their earlier consent to take part in the study. In addition, they were still given the opportunity to opt out if they changed their mind.

Findings of this Study
This section presents findings from the literature study, observation, simulated phishing attacks, and the statistical survey results.

Scoping Review Findings
As presented in Figure 5, 60 papers were initially identified from scientific databases, of which 2 were duplicates. Additionally, 16 sources of tools for phishing simulation studies were identified. Through reading, 23 records were excluded, leaving 51 records eligible for a full reading. In the end, 29 records were further removed because these papers were not specifically in the healthcare domain (e.g., [48][49][50][51]) or not precisely within the scope of phishing simulation (e.g., [52,53]); this was not clear at the identification stage and only became clear at the full assessment stage. In the end, 22 studies (as shown in Figure 5), comprising 6 scientific articles (shown in Table 2) and 16 grey literature sources (shown in Table 3), were included in the study. Of the six articles, one study used only a survey, four used only an in-the-wild field study with an email-based phishing attack, and one combined both email-based methods and a literature survey [24].
Additionally, three groups (third-party companies, custom-developed software tools, and commercial tools) emerged in the usage of a total of five in-the-wild field phishing simulation tools. Gordon et al. [21] used a commercial cloud-based phishing simulation tool (representing 20%), whereas [20,23] used custom-developed tools and [22,24] used third-party companies (each representing 40%) to conduct their simulated phishing attacks. Of the five simulated payload types used in the studies, four (80%) simulated a malicious link, while one (20%) study [22] simulated credential harvesting. The storylines used include health concerns [19], disposition to trust and risk-taking tendency [22], marketing and advertising potential employment positions, and offers of IT support services [23]. Among the various attack types, such as email-based, voice-based, and SMS-based, all the studies (except [19], which did not indicate the attack type) used email-based attacks, as shown in Table 1. Slonka et al. further indicated that the phishing cue was placed in the domain name type, that the storage of clients' passwords was avoided, and that SSL was used to secure the interactions with clients [23], as measures towards enhancing ethics, privacy, security, and risk management. Jalali et al. also submitted a questionnaire to both those who clicked the link and those who did not, as a way of observing survival bias. In addition, those investigators did not collect the contact information of the healthcare staff, in an effort to observe security and privacy measures [24].
Furthermore, of the 16 phishing simulation tools that were identified (see Table 3), 7 (43.7%) were open-source, while the remaining 9 (56.3%) were commercial tools. Additionally, 6 (37.5%) could be deployed on the company's network premises (premise-based), but the remaining 10 (62.5%) were cloud-based and inherited the cloud-related risks.

Table 2 (partial, as recovered from the extracted text): study approach, tool, payload, storyline, and attack type of the included articles.
[20]: in-the-wild field study; custom-developed software tools; simulated malicious link; email.
[21]: in-the-wild field study; Cofense, formerly PhishMe (commercial); simulated malicious link; email.
[22]: in-the-wild field study; third-party company; credential harvesting, obfuscated batch files; marketing, advertising potential employment positions; email.
[23]: in-the-wild field study; custom-developed software tools; simulated malicious link; IT support request; email.

Observation Study
In terms of how to launch a simulated attack in the hospital, it was realised that the hospitals had not configured corporate email addresses and that their network was limited to a local area network (LAN). Their healthcare staff could only access the EHR systems within the hospital premises, without internet connections. The hospital's network had an internet connection to enable access to APIs and to enable remote desktop access to the EHR. Additionally, the healthcare staff used mobile devices such as laptops and mobile phones to deliver healthcare services. Observational findings in other areas, such as physical security, password management, incident reporting, and information handling, were less relevant to this phishing study and are not reported in this paper.

Phishing Clicks
Out of a total of 167 healthcare staff who were targeted in the SMS-based phishing simulation study, 102 (61.1%) clicked the simulated malicious link, while 65 (38.9%) were not susceptible to the attack. Furthermore, 25 (24.5%) of the 102 participants who clicked the link answered the questionnaire embedded in the study, so a total of 77 (75.5%) failed to answer the questionnaire. Clicking was frequent at the start of the simulated attack but decreased sharply after the first 2 days, as shown in the graph in Figure 6. Additionally, the intended phishing security behaviours were generally lower (as shown in Figure 7) than the actual behaviour across all the roles of the healthcare staff who participated in the study.

Statistical Analyses
The population profile of participants who clicked the link and answered the questionnaire is shown in Table 4. The proportion of males (44%) and females (56%) was similar, but the age range between 30 and 40 was the highest (72%). Nurses constituted the majority of the participants' population by 52%. None of the participants had less than one year of work experience. An almost-equal proportion of the participants were off-duty (56%) and on-duty (44%), and 32% engaged in patient care and administrative duties (8%) while the rest (40%) failed to disclose what they were engaged in. A total of 17 (68%) out of the 25 participants believed in the subject of the phishing message, 6 (24%) were curious and only 2 (8%) did not disclose their expectations prior to clicking the link. The reliability of the constructs was assessed with Cronbach's alpha(CA) and composite reliability (CR), as shown in Table 5. All the CR values of the constructs were greater than 0.700. Additionally, the values of all the constructs of the average variance extracted (AVE) were greater than 0.500, which thereby met the convergence validity. The validity results are also presented in Table 5. The discriminate validity was assessed with the Fornell-Larcker criterion, the heterotrait-monotrait ratio (HTMT), and the cross factor loading of all the items. Having assessed the entire model, the values of R 2 were computed to be 0.369, 0.116, 0.086, 0.293, and 0.554 for the perceived barrier, perceived severity, perceived vulnerability, self-efficacy, and self-reported behaviour variables, respectively, while the values of Q 2 were obtained to be 0.312, 0.036, 0.003, 0.229, and 0.405 for the respective variables. The model was then used to further test our hypothesis to determine the significance of the relationship. 
As shown in Figure 8 and Table 6, hypotheses H1 to H14 were evaluated to determine whether PV, PS, PB, SE, WE, and WL, together with the mediating effects (H15 to H22), have a significant effect on self-reported cyber security behaviour (IB) related to phishing among healthcare workers. The model was also used to assess gender, position, and work experience as moderating variables (Figure 8, Table 6). The findings show that work emergency had a significant negative effect on perceived barrier risk, as stated in the first hypothesis (H1), with a path coefficient of −0.46 at p-value = 0.00, and that workload had a significant positive effect on perceived self-efficacy (H10), with a coefficient of 0.50 at p-value = 0.02. None of the constructs PV, PS, PB, or SE had a significant effect on IB risk, and the moderating variables of gender, position, and years of work experience showed no significant impact on IB.
Furthermore, as shown in Table 7, Pearson's correlation of the valid constructs showed that perceived barrier (PB) was positively correlated with self-reported behaviour intention (r = 0.571, p-value = 0.01). Workload (WL) also had a significant positive correlation with perceived self-efficacy (r = 0.494, p-value = 0.05), whereas perceived self-efficacy (SE) risk was negatively correlated with IB (r = −0.483, p-value = 0.05). Similarly, work emergency had a significant negative correlation with PB risk (r = −0.401, p-value = 0.05).

Views of Targets Who Did Not Click the Link
To enrich this study, we telephoned participants who had clicked the link but not answered the questionnaire and those who had not clicked the link at all. As Figure 6 shows, of the 167 healthcare workers targeted, 142 did not fill in the questionnaire. Of these, 28 gave reasons for clicking the link without answering the questionnaire or for not clicking the link at all: eight were male and twenty were female, as shown in Figure 9.
Among those who did not click the link, eleven (eight females and three males) regarded the message as suspicious and six (four females and two males) said they were busy. Among those who clicked the link but did not fill in the questionnaire, five (four females and one male) said there were too many questionnaire items and six (four females and two males) said they were too busy to fill it in. Females therefore made up 71.4% of these respondents and males 28.6%, and females outnumbered males in every category of feedback.

Discussion
The human element of cyber security practice has become a major window through which cyber criminals disrupt the operations of healthcare organisations through unauthorized access and data breaches [9]. In ransomware campaigns, the human element is typically baited with a phishing message that entices the target to click a malicious link. Susceptible victims can then compromise healthcare cyber systems: they may install remote access tools or malware, or hand their user credentials to the attackers, who use them to advance the attack. Healthcare staff are exposed to phishing by the nature of their work. The high patient-to-staff ratio keeps them under a heavy workload, and their work is sometimes characterised by emergencies, both of which increase cognitive load [70]. In addition, healthcare workers may have poor information security knowledge, training, and perception, which can undermine cyber security hygiene in the face of phishing attacks [71]. Since most hospitals in Ghana are adopting EHR systems, many questions are being asked about cyber security in relation to phishing attacks.
To provide substantive answers to these questions, a smishing simulation study, informed by the state-of-the-art studies, was conducted among healthcare workers in Ghana; the findings are discussed in the following sections.

Principal Findings
The principal findings of this study are summarised in Table 8. In preparation for the phishing simulation, the hospital's environment was physically observed to understand its IT systems and how healthcare workers use these tools to deliver care. Before that, a systematic review was conducted to establish the state-of-the-art on the various themes of phishing simulation attacks. The attack was then launched together with a statistical survey. The scoping review identified six scientific papers that had practically assessed phishing simulations in healthcare, and a further search of the grey literature revealed 16 different phishing simulation tools. Email-based phishing attacks using in-the-wild studies and surveys were the two methods used to conduct phishing simulation studies in healthcare, and among the in-the-wild studies the email-based approach was the most common, as shown in Table 2. Third-party companies, custom-developed tools, and commercial tools were used in the state-of-the-art, with third-party companies and custom-developed software being the most frequent. A simulated malicious link was the usual payload, and storylines included health concerns, marketing, advertising of potential jobs, and IT support. Reconnaissance and intelligence gathering showed that the hospital did not operate a corporate email system and most of the healthcare staff had not configured corporate email accounts; instead, the hospital relied on mobile devices such as laptops and phones for communication and for accessing the EHR during healthcare delivery.
Of the 167 targeted healthcare staff who were sent the simulated phishing message, more than half (61.1%) fell victim to the attack, but only 25 (24.5%) of the victims filled in the questionnaire and gave their reasons for being susceptible. For instance, 17 (68%) of the 25 participants believed the subject of the phishing message and 6 (24%) were curious. The CA values of workload and work emergency were somewhat low, at 0.667 and 0.429, respectively; however, their corresponding CR values were above 0.700. It has been noted that when a construct is measured by 10 or more questionnaire items the CA coefficient is expected to be 0.6 or higher [72,73], whereas for fewer items CA values around 0.5 are usual. Given that a single click is enough for a phishing attack to achieve the adversary's goal, the 167 targets and the resulting 61.1% susceptibility rate were considered sufficient for this study; other phishing simulation studies have had similar or smaller numbers of participants [74,75].

RQ5: Self-reported behaviour and perception risks were generally lower than actual behaviour, as shown in Figure 7.
RQ6: Deception can be used in research, but certain procedures are needed.

Work Factors and Perception Risks in Relation to Self-Reported Phishing Risk Behaviour
In the report, all factor loadings were greater than their corresponding cross-loadings, indicating discriminant validity [76]. Moreover, the HTMT values were below the limit of 0.9, again indicating discriminant validity of the constructs [76,77]. The variance inflation factor values were below the threshold of five, indicating no multicollinearity [77]. R² is the share of variance in a dependent variable that is explained by its independent variables, and a value of 0.10 or more is expected for the construct to be adequate for prediction [78]. Apart from perceived vulnerability (PV), which recorded an R² of 0.086, all the dependent constructs (PB, PS, SE, and self-reported behaviour) met the 0.10 threshold, as shown in Table 6. Although the R² of PV is slightly below 0.10, other sources [79,80] indicate that such a model can still be used to explain relationships between variables, as opposed to prediction. Q² measures the predictive relevance of the model and is expected to be greater than 0 for the model to be relevant [81]. On this basis, the model was judged adequate and was used for estimation, as shown in Table 6 and Figure 8, with the structural equation model (SEM) of SmartPLS [82]. SEM estimates causal relations among variables through a system of equations [83].
Assessing the contribution of the work factors and perception variables to self-reported cyber security behaviour, the results showed that work emergency (WE) negatively predicted PB (path coefficient = −0.46, p-value = 0.00), which supports H1. Workload significantly predicted SE in the positive direction, contrary to our hypothesis H10, as shown in Table 6 and Figure 8. The remaining hypotheses were not supported by the SEM model. A validation with Pearson's correlation showed that workload also significantly predicted self-efficacy risk (r = 0.494, p-value = 0.05) and that work emergency predicted perceived barrier risk in the reverse direction (r = −0.401, p-value = 0.05). These relationships were consistent with those of the SEM.
Workload (WL) was thus observed to have a significant positive correlation with perceived self-efficacy risk (r = 0.494, p-value = 0.05), contradicting our initial assertion in H10. As the workload of healthcare staff increases, they tend to struggle to cope with the additional responsibilities of security practice, which raises their perceived self-efficacy risk of complying with security regulations and may leave them susceptible to phishing tricks. This supports our underlying assumption that work factors affect phishing risk behaviour, and a similar study by Jalali et al. also found a causal effect of workload on the phishing risk behaviour of healthcare staff [24]. Similarly, work emergency had a significant negative effect on PB risk: higher work emergency among healthcare staff corresponds to lower PB risk, and a lower PB risk is in turn a significant positive predictor of phishing susceptibility behaviour, as shown in Table 7. This can possibly be related to the qualitative finding in Table 9 that six of the healthcare staff were busy and did not click the link. Though not shown to be statistically significant, it may mean that during an emergency healthcare workers prioritise patient care and consequently are not susceptible to a phishing attack. Further training and awareness could therefore reinforce conscious care behaviour.
A further correlation analysis showed that PB was positively correlated with IB (r = 0.571, p-value = 0.01). This contradicts our hypothesis H11, in which we presumed that PB negatively correlates with IB. Perceived barriers are obstacles that can inhibit secure phishing-related behaviour, so the result suggests that a higher perception of obstacles to secure phishing practice goes together with higher self-reported conscious care phishing security behaviour. If the relationship were causal, removing perceived barrier risks would improve phishing security-conscious care behaviour. Related studies on cyber security behaviour and awareness [17,25] did not report statistically significant results either way. Additionally, SE risk negatively correlated with IB (r = −0.483, p-value = 0.05), as shown in Table 7: the risk attached to healthcare workers' assessment of their own ability to comply with phishing security policy decreases as their phishing security risk behaviour increases. This contradicts our initial assertion (H14), in which we expected SE to correlate positively with phishing-related security behaviour. It may mean that healthcare workers who believe they can overcome phishing tricks in fact cannot, which is why they were susceptible to this attack in the first place.
All mediating and moderating variables were assessed and none had a significant effect, indicating that their effects are statistically indistinguishable from zero. Among phishing simulation studies in the healthcare context, this is the first to draw specific variables from the HBM and PMT to design its model. A related study that used constructs from the theory of planned behaviour found positive predictions from attitude, subjective norm, and perceived behavioural control [24], and further indicated that workload was positively correlated with phishing-related practice. As in that study, the sample size in this work was relatively small, so further studies with an adequate sample size are required to reach a more valid conclusion.

Phishing Attack Methods, Tools, Risks Measures, Payload, and Storyline
The state-of-the-art contains six scientific studies of practical phishing simulations in healthcare. Some of them [20-23] used the in-the-wild approach, [19] used a questionnaire-based survey, and [24] combined in-the-wild and questionnaire surveys. With so few studies, there is clearly a large gap in the practical assessment of healthcare workers through phishing simulation, and little knowledge has so far been contributed to the scientific community on phishing security conduct among healthcare workers. This may have contributed to the knowledge gap among healthcare staff and to the many successful ransomware attacks on healthcare. The small number of phishing simulation studies in healthcare may be due to the critical nature of healthcare and the strict regulatory requirements for conducting such studies. According to Salah et al., phishing simulation studies are of three types: self-reported surveys, laboratory experiments, and in-the-wild studies [40]. Self-reported surveys are prone to bias from participants and researchers, and laboratory experiments are considered less reliable because they place participants in an artificial environment, whereas an in-the-wild field study is considered reliable because participants are observed in their natural environment. The challenges of the in-the-wild study are ethical, as it involves deception, and it also raises the question of how to collect feedback from the targeted participants. Recommended road maps for conducting the study safely, together with survey instruments and follow-up contact, can address these issues.
Email-based phishing is one of the preferred methods used by cybercriminals to launch phishing attacks [84,85]. Malicious links are embedded in emails whose text entices the target to click them, and the links usually lead to a payload such as a malware installation, a malicious attachment, or a form that harvests sensitive information such as credit card numbers, personal identification numbers (PINs), social security numbers, and other bank details. Email-based attacks dominate the state-of-the-art largely because email systems are so widely used in organisations. The healthcare system involved in this study, however, had not yet adopted corporate email. Since phishing also includes VoIP and SMS, instant messaging, and social networking sites, SMS-based phishing was adopted in this study and combined with a questionnaire-based survey. Both parts were essential: the SMS measured the susceptibility (click/no click) of the healthcare staff, while the questionnaire measured the perception and work factors that possibly contributed to that susceptibility. Neither method alone would have met the study objective, and as no email system was configured in the target hospital, email was simply not an option.
Regarding phishing simulation tools, third-party security companies, custom-developed tools, and a commercial tool were identified in the state-of-the-art, as shown in Table 2. Weighing the privacy, security, and ethical concerns, this study did not use a third-party company, since the scope of the ethical clearance did not allow contact information to be handed to third parties. We therefore developed custom software, hosted behind a TLS (SSL) certificate, to record the click events of the targets. The SMS messages were sent through an SMS messaging provider, but to avoid privacy and security issues the targets' phone numbers were not saved on that platform. Other phishing simulation tools such as Gophish, Phishing Frenzy, King Phisher, and Cofense (Table 2) were not adopted because they are email-based systems and do not support SMS-based attacks [13].
In terms of privacy, security, and ethical considerations, Jalali et al. avoided collecting information for fear of privacy breaches. Similarly, Slonka et al. did not actually harvest the targets' credentials but replaced the submitted email addresses with numerical values and used SSL to secure the connection between the web server and the participants. Both were deemed safe methods. In our case, each unique click event was recorded as a SHA-256 digest and stored in the database of a website hosted for this exercise, following the ethical road map proposed by Salah et al. [40]; the site was also secured with an SSL certificate to guard against data breaches. Note that SHA-256 is a hash function rather than an encryption algorithm: it pseudonymises an identifier but cannot be reversed with a key. Unique click events were needed so that when a user clicked the link more than once, the original click could be recognised and multiple recordings from one person avoided; this approach was deemed reliable and valid for recording the unique click of each respondent. SHA-256 was chosen in line with the pseudonymisation guidance of the EU General Data Protection Regulation [86,87]. One caveat for anyone reproducing this design: a bare hash of a phone number is a weak pseudonym, because the space of valid mobile numbers is small enough to enumerate and rehash, so a keyed hash (HMAC with a secret kept outside the database) or a random per-target token is preferable.
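As an added example of the click-recording design described above, and not code from the study, the following Python sketch shows how a custom simulation back end can record one click per target without ever storing the phone number: each target gets a random link token, the only identifier stored against it is an HMAC-SHA256 pseudonym keyed with a secret pepper, and repeat clicks on the same token are recognised rather than counted again. The helper at the end shows why the key matters: a bare SHA-256 of a phone number can be recovered by enumerating the number space. The phone numbers, base URL and pepper are constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed sample targets for the example (not real numbers).
SAMPLE_TARGETS = ["+233200000001", "+233200000002", "+233200000003"]


class ClickTracker:
    """Records unique click events for an SMS phishing simulation.

    The click database never holds a phone number. Each target receives a
    random link token, and the only thing stored against that token is an
    HMAC-SHA256 pseudonym of the number, keyed with a secret pepper that
    lives outside the database (e.g. in the study team's key store).
    """

    def __init__(self, pepper: bytes) -> None:
        self._pepper = pepper
        self.links: Dict[str, str] = {}    # token -> pseudonym
        self.clicks: Dict[str, dict] = {}  # pseudonym -> {"first": ts, "count": n}

    def pseudonym(self, phone: str) -> str:
        # Keyed hash: without the pepper, the pseudonym cannot be reversed by
        # enumerating the (small) phone-number space, unlike bare SHA-256.
        return hmac.new(self._pepper, phone.encode(), hashlib.sha256).hexdigest()

    def issue_link(self, phone: str, base_url: str) -> str:
        """Create the per-target tracking URL that goes into the SMS."""
        token = secrets.token_urlsafe(16)
        self.links[token] = self.pseudonym(phone)
        return f"{base_url}/c/{token}"

    def record_click(self, token: str, when: Optional[datetime] = None) -> bool:
        """Called by the landing page. Returns True only for a target's first click."""
        pseud = self.links.get(token)
        if pseud is None:
            return False  # unknown token: scanner, typo or replay; not counted
        when = when or datetime.now(timezone.utc)
        entry = self.clicks.get(pseud)
        if entry is None:
            self.clicks[pseud] = {"first": when, "count": 1}
            return True
        entry["count"] += 1  # repeat click by the same person: not a new victim
        return False

    def click_rate(self) -> float:
        targets = len(set(self.links.values()))
        return len(self.clicks) / targets if targets else 0.0


def bare_sha256(phone: str) -> str:
    """Unkeyed digest, shown here only to demonstrate its weakness."""
    return hashlib.sha256(phone.encode()).hexdigest()


def enumerate_bare_sha256(digest: str, prefix: str, width: int, limit: int) -> Optional[str]:
    """Brute-force a bare hash over a constructed number range; returns the number or None."""
    for n in range(limit):
        candidate = f"{prefix}{n:0{width}d}"
        if bare_sha256(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    tracker = ClickTracker(pepper=secrets.token_bytes(32))
    links = {p: tracker.issue_link(p, "https://study.example") for p in SAMPLE_TARGETS}
    first_token = links[SAMPLE_TARGETS[0]].rsplit("/", 1)[1]
    tracker.record_click(first_token)
    tracker.record_click(first_token)  # second click by the same target, deduplicated
    print(f"click rate: {tracker.click_rate():.1%}")
    print("bare SHA-256 recovers:",
          enumerate_bare_sha256(bare_sha256(SAMPLE_TARGETS[1]), "+2332000000", 2, 100))
```

The mapping from pseudonym back to a person exists only where the pepper and the recruitment list are held, which is the property the ethical clearance requires of the tracking database; the pepper should be generated once per study and never written next to the click records.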

Phishing Attack Risk among Healthcare Staff
The study recorded a click rate of 61.1% (Figure 6), which is very high compared with related investigations in [23] (20.4%) and [20] (14.2%). This answers research question RQ3: healthcare workers in the hospital are susceptible to a phishing attack. After all, a phisher may need only a single click to launch a malicious payload, so a click rate above 50% may well exceed the phisher's goal. For better understanding, and to deal with survivorship bias, those who did not click the link were contacted. With reference to Figures 6 and 9, of the 65 healthcare staff contacted, 17 gave brief feedback on why they did not click: eleven regarded the message as suspicious, while six were busy and did not click. Those who regarded the message as fake said they had not been exposed to COVID-19 risk factors and so did not believe the SMS, implying that they might have been victims had they been in contact with others at that time. Their suspicion was therefore not based on knowledge of phishing attacks, which suggests that such staff also need the intervention intended for those who clicked in order to improve their phishing resilience. It is notable that six healthcare staff did not click the link because they were busy with patient care (Figure 9). While a related study [24] found that a high workload contributes to phishing susceptibility, a recent study on healthcare security practice showed the reverse [88], with a higher workload negatively correlated with the self-reported security behaviour risks of healthcare staff; since this was merely a correlation, the authors did not attach causality to the finding, and their small number of participants limits the generalisation of their results. Though it may be insignificant, our study points to a similar finding, as six persons did not click the link simply because they were busy with patients.
To better understand the susceptibility of the victims, the location, expectations, and engagements of the victim were collected via the questionnaire. Of those who provided this information, 56% were off-duty, while 44% were on-duty. Additionally, 68% believed in the subject of the phishing message while 24% were curious. Some were engaged in patient care (32%), administrative duties (8%), leisure (12%), and house chores (8%).
According to Sonowal et al., curiosity, urgency, helpfulness, fear, trust, and greed are among the properties often baked into phishing messages to entice prospective victims [13]. Interestingly, a high proportion of the victims who clicked the link were curious, and some trusted the message, which was crafted with these tones. In total, 40% (10) of the healthcare staff who clicked the link were engaged in healthcare activities at the time. On the other hand, of the 17 persons who did not click the link (Figure 9), 6 (35.3%) said they were busy. During busy healthcare provision there remain questions about who responds to the phish, who responds to the patient, and why. It is possible that staff who clicked the phishing link while caring for patients were expecting such a message because of their exposure to COVID-related factors and did not perceive or appraise the cyber security consequences of their action. This calls for strengthening the hospital's security systems, so that access controls and alerts on suspicious links prompt busy healthcare staff to assess a link carefully before clicking. Those who continued to care for the patient may have prioritised patient care over the message, or may not have been exposed to any COVID-19-related factors, felt less susceptible to the virus, and therefore gave the message lower priority.

Survivorship Bias and Feedback from Respondents Who Neither Clicked the Link nor Filled the Questionnaire and Those Who Clicked the Link but Failed to Fill the Questionnaire
Figure 9 shows the reasons why healthcare staff clicked the link but did not fill in the questionnaire. Five said there were too many items in the questionnaire, while six said they were too busy and had no time to fill it in. In Ghana, the doctor-to-patient and nurse-to-patient ratios are far below the World Health Organisation (WHO) standard; for example, the doctor-to-patient ratio in Ghana is about 1:13,000, whereas the WHO recommendation is 1:5000 [89,90]. This supports the finding that healthcare staff may be busy and have no time to fill out the questionnaire.

Implication of the Study
Our study has both practical implications and implications for the scientific community. First, new knowledge has been added to the state-of-the-art on phishing simulation methods, tools, payloads, ethics, privacy, and security in the healthcare context. Second, it is now known that being busy in the hospital can both disturb conscious care phishing behaviour and, in some cases, support it. Armed with this knowledge, security professionals can balance the training of healthcare staff to promote conscious care phishing behaviour, and extra security layers can be provided to support users in conscious care security practice, especially in the emergency department. Additionally, as PB risk positively predicted IB risk, reducing PB risk could improve conscious care behaviour if causality is established. Furthermore, workload predicted SE risk in the positive direction, while SE risk predicted IB risk in the negative direction.
Based on this study, healthcare leaders and even the government need to take various measures in relation to phishing attacks. Healthcare leaders need to provide appropriate training, awareness, learning, and education procedures to reverse this susceptibility trend, and intrinsic incentives can be designed from these findings to improve phishing-related conscious care behaviour. For instance, healthcare staff need to be taught how to identify phishing clues comprehensively, which would equip them to avoid clicking on suspicious links. After such education, simulated-attack training should be conducted with healthcare staff to help them understand the nature of real attacks. Beyond this, the perceptions of healthcare staff need to improve in order to reduce security behaviour risk, and social and cultural factors need to be developed to improve their conscious care behaviour. Equipping healthcare staff with adequate knowledge and skills in phishing-related security practice could help to reduce the perceived barrier risk and the other perception risks. In this regard, state-of-the-art training technologies such as virtual reality, augmented reality, or extended reality could be employed to train staff and inculcate longer-lasting psychological incentives against phishing susceptibility. With traditional training methods, people may skip through online modules by reading the bare minimum needed to pass the final quiz, or attend a presentation without really paying attention or absorbing any knowledge. Virtual reality may not only enable people to see and understand the problem of phishing-related cybersecurity but also engage them emotionally, and immersive technologies are deemed effective: for instance, a study by Kohn et al. showed that when students are engaged, motivated, and less stressed, they understand what they are being taught better, experience better cognition, develop patterns, and retain the material longer in memory.
In the simulated attack, the SMS sender name was crafted to match the government institution responsible for healthcare. This may well have increased the click rate, since some healthcare staff would not doubt the source. The government should therefore prevent SMS service provider platforms from letting the names of reputable organisations be used as the sender of SMS messages. Adversaries would then have to resort to similar (but not identical) names, which could raise targets' suspicion about the source of an SMS and help to reduce susceptibility to phishing attacks.
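As an added example, not from the paper, of the link alerting suggested in the discussion above and of the look-alike sender names this section expects once exact brand names are blocked, the following Python triage function flags an incoming SMS when its sender ID imitates a registered organisation (digit-for-letter swaps, one-character variants, or a registered ID embedded in a longer name), when its link uses a raw IP address, a shortener, an imitation of a trusted domain, or plain HTTP, or when the text uses urgency wording. The registered sender IDs, trusted domains, shortener list, and sample messages are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Hypothetical registry of legitimate sender IDs and their domains (assumed
# for this example; a real deployment would take this from the telecom
# regulator's sender-ID registry).
TRUSTED: Dict[str, str] = {"GHS": "ghs.gov.gh", "MOH": "moh.gov.gh", "NHIS": "nhis.gov.gh"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed list
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|within 24 hours|exposed|suspended)\b", re.I)
LOOKALIKE_DIGITS = str.maketrans({"0": "O", "1": "I", "5": "S", "8": "B"})


def normalise(sender: str) -> str:
    """Upper-case, drop punctuation, undo digit-for-letter substitutions (GH5 -> GHS)."""
    return re.sub(r"[^A-Z0-9]", "", sender.upper()).translate(LOOKALIKE_DIGITS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character variants of a sender ID."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_lookalike(sender: str) -> Optional[str]:
    """Return the registered ID that `sender` imitates, or None.

    An exact registered ID is trusted (the registry is the control the text
    proposes); anything that normalises to, sits one edit from, or embeds a
    registered ID is treated as a look-alike. The one-edit rule is deliberately
    aggressive for three-letter IDs; tune it against real sender traffic.
    """
    if sender in TRUSTED:
        return None
    n = normalise(sender)
    for tid in TRUSTED:
        if edit_distance(n, tid) <= 1 or tid in n:
            return tid
    return None


def trusted_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED.values())


def url_findings(url: str) -> List[str]:
    """Heuristic checks on one link; an empty list means nothing stood out."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if trusted_host(host):
        return []
    findings: List[str] = []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address host")
    elif host.count(".") >= 3:
        findings.append("deeply nested subdomain")
    if host in SHORTENERS:
        findings.append("link shortener hides destination")
    for tid, domain in TRUSTED.items():
        if tid.lower() in host:  # e.g. ghs.gov.gh.covid-alert.example
            findings.append(f"host imitates {tid} ({domain}) without being under it")
    if parts.scheme.lower() != "https":
        findings.append("no TLS")
    return findings


def triage(sender: str, text: str) -> dict:
    """Score one SMS; the reasons are what an alert would show a busy clinician."""
    reasons: List[str] = []
    imitated = sender_lookalike(sender)
    if imitated:
        reasons.append(f"sender '{sender}' imitates registered ID {imitated}")
    for url in URL_RE.findall(text):
        reasons.extend(f"{url}: {f}" for f in url_findings(url))
    if URGENCY_RE.search(text):
        reasons.append("urgency or fear wording")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (not messages from the study).
SAMPLES = [
    ("GHS", "Your COVID-19 test result is ready at https://results.ghs.gov.gh/r/8812"),
    ("GH5-ALERT", "URGENT: you were exposed to COVID-19. Confirm your details at "
                  "http://ghs.gov.gh.covid-alert.example/verify"),
    ("MTN", "Your 2GB data bundle has been credited."),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, triage(sender, text))
```

The second sample trips five separate checks, which is the point of returning reasons rather than a single score: an alert that says "sender imitates GHS, link is not under ghs.gov.gh, no TLS" gives a busy user something concrete to weigh, whereas a bare "suspicious" flag is easy to dismiss.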

Conclusions
Following the huge benefits of ICT systems in healthcare, many hospitals have abandoned paper-based systems for computerised systems. The associated challenges, however, include ransomware attacks and other cybersecurity threats, and phishing is the most common delivery method for ransomware because it targets the most vulnerable link in the security chain.
Guided by the state-of-the-art and by observational measures, an SMS-based phishing simulation study was performed among healthcare workers in Ghana who were selected to take part. The results showed that more than half of the targeted healthcare staff (61%) were susceptible. To address survivorship bias, follow-up phone calls showed that some healthcare staff were not victims of the attack because they prioritised patient care. The self-reported phishing behaviours of the healthcare workers were generally lower than their actual behaviour of having clicked the link. Correlations between the work factor variables and the perception variables showed that the perceived barrier is a predictor of self-reported intended behaviour among healthcare staff, that workload significantly predicted self-efficacy risk (r = 0.494, p-value = 0.05), and that work emergency predicted perceived barrier risk in the reverse direction at a significant level (r = −0.401, p-value = 0.05). Furthermore, self-efficacy negatively predicted self-reported security behaviour related to phishing attacks; if causality were established, this would mean that healthcare staff are confident in their ability to appraise and avoid phishing attacks but do not in fact have the requisite ability to overcome them. Various suggestions have been made to the leaders of healthcare organisations in Ghana and to the government for reducing phishing susceptibility in the healthcare community. For instance, state-of-the-art training using immersive technologies such as virtual reality could help to improve the psychological perceptions (such as perceived barrier and self-efficacy) that present a higher risk to cyber security practice.
Suggestions have also been made to the government on how to stop cyber criminals from using the names of reputable organisations in SMS-based phishing attacks.
One limitation of this study is the small number of participants who responded to the questionnaire. We pretested our questionnaire, but future studies could conduct more intensive pre-testing to increase the response rate. Further work is also needed to assess treatment effects with multiple clicks in practice, in order to evaluate various incentives such as the perception variables in HBM, PMT, and cognitive dissonance in phishing simulation studies. Guided by the perceptions and work factors that affect phishing security practice, better security training, awareness, and incentive measures can then be crafted to mitigate the phishing susceptibility rate.

Informed Consent Statement: Informed consent was obtained from all subjects involved in the study.
Data Availability Statement: Not applicable.

Conflicts of Interest:
The authors declare no conflicts of interest.

Questionnaire items (appendix fragment):
Prior to clicking this link, I had performed some mind-draining activities (thinking, deciding, calculating, remembering, looking, searching, etc.) which affected my ability to pay much attention to the message details and the SMS link before clicking.
28. Prior to clicking this link, I had performed some amount of physical activity (e.g., pushing, pulling, turning, controlling, activating, etc.) which affected my ability to pay much attention to the message details and the SMS link before clicking.