Publications
2020

Jalali, Mohammad S.; Landman, Adam; Gordon, William J
Telemedicine, Privacy, and Information Security in the Age of COVID-19 Journal Article
In: Journal of the American Medical Informatics Association, 2020.
Tags: Cybersecurity
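% Journal article; the url points to a preprint PDF hosted under scholar.harvard.edu/files/jalali.
% NOTE(review): date and urldate are both 1 January of the publication year, presumably
% exporter defaults rather than real publication/access dates; confirm before citing.
@article{655528,
  author    = {Jalali, Mohammad S. and Landman, Adam and Gordon, William J},
  title     = {Telemedicine, Privacy, and Information Security in the Age of {COVID-19}},
  journal   = {Journal of the American Medical Informatics Association},
  year      = {2020},
  date      = {2020-01-01},
  urldate   = {2020-01-01},
  url       = {https://scholar.harvard.edu/files/jalali/files/telemedicine_privacy_and_information_security_preprint.pdf},
  keywords  = {Cybersecurity},
  pubstate  = {published},
  tppubtype = {article},
}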

Jalali, Mohammad S.; Bruckes, Maike; Westmattelmann, Daniel; Schewe, Gerhard
Why Employees (Still) Click on Phishing Links: Investigation in Hospitals Journal Article
In: Journal of Medical Internet Research, vol. 22, no. 1, pp. e16775, 2020.
Tags: Cybersecurity
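% Journal article (vol. 22, no. 1, article e16775); the url points to a PDF hosted under
% scholar.harvard.edu/files/jalali. The abstract is structured (Background / Objective /
% Methods / Results / Conclusions).
% NOTE(review): date and urldate are both 1 January of the publication year, presumably
% exporter defaults rather than real publication/access dates; confirm before citing.
@article{647808,
  author    = {Jalali, Mohammad S. and Bruckes, Maike and Westmattelmann, Daniel and Schewe, Gerhard},
  title     = {Why Employees (Still) Click on Phishing Links: Investigation in Hospitals},
  journal   = {Journal of Medical Internet Research},
  volume    = {22},
  number    = {1},
  pages     = {e16775},
  year      = {2020},
  date      = {2020-01-01},
  urldate   = {2020-01-01},
  url       = {https://scholar.harvard.edu/files/jalali/files/phishing_investigation.pdf},
  abstract  = {Background: Hospitals have been one of the major targets for phishing attacks. Despite efforts to improve information security compliance, hospitals still significantly suffer from such attacks, impacting the quality of care and the safety of patients. Objective: This study aimed to investigate why hospital employees decide to click on phishing emails by analyzing actual clicking data. Methods: We first gauged the factors that influence clicking behavior using the theory of planned behavior (TPB) and integrating trust theories. We then conducted a survey in hospitals and used structural equation modeling to investigate the components of compliance intention. We matched employees' survey results with their actual clicking data from phishing campaigns. Results: Our analysis (N=397) reveals that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, are positively related to compliance intention. However, compliance intention is not significantly related to compliance behavior. Only the level of employees' workload is positively associated with the likelihood of employees clicking on a phishing link. Conclusions: This is one of the few studies in information security and decision making that observed compliance behavior by analyzing clicking data rather than using self-reported data. We show that, in the context of phishing emails, intention and compliance might not be as strongly linked as previously assumed; hence, hospitals must remain vigilant with vulnerabilities that cannot be easily managed. Importantly, given the significant association between workload and noncompliance behavior (ie, clicking on phishing links), hospitals should better manage employees' workload to increase information security. Our findings can help health care organizations augment employees' compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.},
  keywords  = {Cybersecurity},
  pubstate  = {published},
  tppubtype = {article},
}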
2019

Jalali, Mohammad S.; Razak, Sabina; Gordon, William; Perakslis, Eric; Madnick, Stuart
Health Care and Cybersecurity: Bibliometric Analysis of the Literature Journal Article
In: Journal of Medical Internet Research, vol. 21, no. 2, pp. e12644, 2019.
Tags: Cybersecurity
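% Journal article (vol. 21, no. 2, article e12644); the url points to a PDF hosted under
% scholar.harvard.edu/files/jalali. Percent signs in the abstract are escaped so the field
% survives being typeset by LaTeX.
% NOTE(review): date and urldate are both 1 January of the publication year, presumably
% exporter defaults rather than real publication/access dates; confirm before citing.
@article{631228,
  author    = {Jalali, Mohammad S. and Razak, Sabina and Gordon, William and Perakslis, Eric and Madnick, Stuart},
  title     = {Health Care and Cybersecurity: Bibliometric Analysis of the Literature},
  journal   = {Journal of Medical Internet Research},
  volume    = {21},
  number    = {2},
  pages     = {e12644},
  year      = {2019},
  date      = {2019-01-01},
  urldate   = {2019-01-01},
  url       = {https://scholar.harvard.edu/files/jalali/files/cybersecurity_in_healthcare.pdf},
  abstract  = {Background: Over the past decade, clinical care has become globally dependent on information technology. The cybersecurity of health care information systems is now an essential component of safe, reliable, and effective health care delivery. Objective: The objective of this study was to provide an overview of the literature at the intersection of cybersecurity and health care delivery. Methods: A comprehensive search was conducted using PubMed and Web of Science for English-language peer-reviewed articles. We carried out chronological analysis, domain clustering analysis, and text analysis of the included articles to generate a high-level concept map composed of specific words and the connections between them. Results: Our final sample included 472 English-language journal articles. Our review results revealed that majority of the articles were focused on technology: Technology-focused articles made up more than half of all the clusters, whereas managerial articles accounted for only 32\% of all clusters. This finding suggests that nontechnological variables (human-based and organizational aspects, strategy, and management) may be understudied. In addition, Software Development Security, Business Continuity, and Disaster Recovery Planning each accounted for 3\% of the studied articles. Our results also showed that publications on Physical Security account for only 1\% of the literature, and research in this area is lacking. Cyber vulnerabilities are not all digital; many physical threats contribute to breaches and potentially affect the physical safety of patients. Conclusions: Our results revealed an overall increase in research on cybersecurity and identified major gaps and opportunities for future work.},
  keywords  = {Cybersecurity},
  pubstate  = {published},
  tppubtype = {article},
}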

Jalali, Mohammad S.; Kaiser, Jessica P; Siegel, Michael; Madnick, Stuart
The Internet of Things Promises New Benefits and Risks: A Systematic Analysis of Adoption Dynamics of IoT Products Journal Article
In: IEEE Security and Privacy, vol. 17, no. 2, pp. 39-48, 2019.
Tags: Adoption dynamics, Cybersecurity, Simulation modeling
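% Journal article (vol. 17, no. 2, pp. 39--48); the url points to a PDF hosted under
% scholar.harvard.edu/files/jalali.
% NOTE(review): date and urldate are both 1 January of the publication year, presumably
% exporter defaults rather than real publication/access dates; confirm before citing.
@article{631218,
  author    = {Jalali, Mohammad S. and Kaiser, Jessica P and Siegel, Michael and Madnick, Stuart},
  title     = {The {Internet of Things} Promises New Benefits and Risks: A Systematic Analysis of Adoption Dynamics of {IoT} Products},
  journal   = {IEEE Security and Privacy},
  volume    = {17},
  number    = {2},
  pages     = {39--48},
  year      = {2019},
  date      = {2019-01-01},
  urldate   = {2019-01-01},
  url       = {https://scholar.harvard.edu/files/jalali/files/adoption_dynamics_of_iot_products.pdf},
  keywords  = {Adoption dynamics, Cybersecurity, Simulation modeling},
  pubstate  = {published},
  tppubtype = {article},
}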
2018

Jalali, Mohammad S.; Russell, Bethany; Razak, Sabina; Gordon, William
EARS to Cyber Incidents in Health Care Journal Article
In: Journal of the American Medical Informatics Association, pp. 1-10, 2018.
Tags: Cybersecurity
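% Journal article (pp. 1--10; no volume or issue is given on the page); the url points to a
% PDF hosted under scholar.harvard.edu/files/jalali. EARS is the abstract's name for its
% "eight aggregated response strategies" framework, so the acronym is brace-protected.
% NOTE(review): date and urldate are both 1 January of the publication year, presumably
% exporter defaults rather than real publication/access dates; confirm before citing.
@article{631226,
  author    = {Jalali, Mohammad S. and Russell, Bethany and Razak, Sabina and Gordon, William},
  title     = {{EARS} to Cyber Incidents in Health Care},
  journal   = {Journal of the American Medical Informatics Association},
  pages     = {1--10},
  year      = {2018},
  date      = {2018-01-01},
  urldate   = {2018-01-01},
  url       = {https://scholar.harvard.edu/files/jalali/files/ears_framework.pdf},
  abstract  = {Background: Connected medical devices and electronic health records have added important functionality to patient care, but have also introduced a range of cybersecurity concerns. When a healthcare organization suffers from a cybersecurity incident, its incident response strategies are critical to the success of its recovery. Objective: In this article, we identify gaps in research concerning cybersecurity response plans in healthcare. Through a systematic literature review, we develop aggregated strategies that professionals can use to construct better response strategies in their organizations. Methods: We reviewed journal articles on cyber incident response plans in healthcare published in PubMed and Web of Science. We sought to collect articles on the intersection of cybersecurity and healthcare that focused on incident response strategies. Results: We identified and reviewed 13 articles for cybersecurity response recommendations. We then extracted information such as research methods, findings, and implications. Finally, we synthesized the recommendations into a framework of eight aggregated response strategies (EARS) that fall under managerial and technological categories. Conclusions: We conducted a systematic review of the literature on cybersecurity response plans in healthcare and developed a novel framework for response strategies that could be deployed by healthcare organizations. More work is needed to evaluate incident response strategies in healthcare.},
  keywords  = {Cybersecurity},
  pubstate  = {published},
  tppubtype = {article},
}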

Jalali, Mohammad S.; Siegel, Michael; Madnick, Stuart
Decision-Making and Biases in Cybersecurity Capability Development: Evidence from a Simulation Game Experiment Journal Article
In: Journal of Strategic Information Systems, 2018.
Tags: Cybersecurity, Simulation modeling
% Journal article; no volume, issue or page range is given on the page. The url points to a
% PDF hosted under scholar.harvard.edu/files/jalali.
% NOTE(review): date and urldate are both 1 January of the publication year, presumably
% exporter defaults rather than real publication/access dates; confirm before citing.
@article{631229,
  author    = {Mohammad S. Jalali and Michael Siegel and Stuart Madnick},
  title     = {Decision-Making and Biases in Cybersecurity Capability Development: Evidence from a Simulation Game Experiment},
  journal   = {Journal of Strategic Information Systems},
  year      = {2018},
  date      = {2018-01-01},
  urldate   = {2018-01-01},
  url       = {https://scholar.harvard.edu/files/jalali/files/decision-making_in_cybersecurity.pdf},
  abstract  = {We developed a simulation game to study the effectiveness of decision-makers in overcoming two complexities in building cybersecurity capabilities: potential delays in capability development; and uncertainties in predicting cyber incidents. Analyzing 1479 simulation runs, we compared the performances of a group of experienced professionals with those of an inexperienced control group. Experienced subjects did not understand the mechanisms of delays any better than inexperienced subjects; however, experienced subjects were better able to learn the need for proactive decision-making through an iterative process. Both groups exhibited similar errors when dealing with the uncertainty of cyber incidents. Our findings highlight the importance of training for decision-makers with a focus on systems thinking skills, and lay the groundwork for future research on uncovering mental biases about the complexities of cybersecurity.},
  keywords  = {Cybersecurity, Simulation modeling},
  pubstate  = {published},
  tppubtype = {article},
}

Jalali, Mohammad S.; Kaiser, Jessica P
Cybersecurity in Hospitals: a Systematic, Organizational Perspective Journal Article
In: Journal of Medical Internet Research, vol. 20, no. 5, pp. e10059, 2018.
Tags: Cybersecurity, Participatory modeling
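% Journal article (vol. 20, no. 5, article e10059); the url points to a PDF hosted under
% scholar.harvard.edu/files/jalali. The abstract is structured (Background / Objective /
% Methods / Results / Conclusions).
% NOTE(review): date and urldate are both 1 January of the publication year, presumably
% exporter defaults rather than real publication/access dates; confirm before citing.
@article{631227,
  author    = {Jalali, Mohammad S. and Kaiser, Jessica P},
  title     = {Cybersecurity in Hospitals: A Systematic, Organizational Perspective},
  journal   = {Journal of Medical Internet Research},
  volume    = {20},
  number    = {5},
  pages     = {e10059},
  year      = {2018},
  date      = {2018-01-01},
  urldate   = {2018-01-01},
  url       = {https://scholar.harvard.edu/files/jalali/files/cybersecurity_in_hospitals.pdf},
  abstract  = {Background: Cybersecurity incidents are a growing threat to the health care industry in general and hospitals in particular. The health care industry has lagged behind other industries in protecting its main stakeholder (ie, patients), and now hospitals must invest considerable capital and effort in protecting their systems. However, this is easier said than done because hospitals are extraordinarily technology-saturated, complex organizations with high end point complexity, internal politics, and regulatory pressures. Objective: The purpose of this study was to develop a systematic and organizational perspective for studying (1) the dynamics of cybersecurity capability development at hospitals and (2) how these internal organizational dynamics interact to form a system of hospital cybersecurity in the United States. Methods: We conducted interviews with hospital chief information officers, chief information security officers, and health care cybersecurity experts; analyzed the interview data; and developed a system dynamics model that unravels the mechanisms by which hospitals build cybersecurity capabilities. We then use simulation analysis to examine how changes to variables within the model affect the likelihood of cyberattacks across both individual hospitals and a system of hospitals. Results: We discuss several key mechanisms that hospitals use to reduce the likelihood of cybercriminal activity. The variable that most influences the risk of cyberattack in a hospital is end point complexity, followed by internal stakeholder alignment. Although resource availability is important in fueling efforts to close cybersecurity capability gaps, low levels of resources could be compensated for by setting a high target level of cybersecurity. Conclusions: To enhance cybersecurity capabilities at hospitals, the main focus of chief information officers and chief information security officers should be on reducing end point complexity and improving internal stakeholder alignment. These strategies can solve cybersecurity problems more effectively than blindly pursuing more resources. On a macro level, the cyber vulnerability of a country's hospital infrastructure is affected by the vulnerabilities of all individual hospitals. In this large system, reducing variation in resource availability makes the whole system less vulnerable—a few hospitals with low resources for cybersecurity threaten the entire infrastructure of health care. In other words, hospitals need to move forward together to make the industry less attractive to cybercriminals. Moreover, although compliance is essential, it does not equal security. Hospitals should set their target level of cybersecurity beyond the requirements of current regulations and policies. As of today, policies mostly address data privacy, not data security. Thus, policy makers need to introduce policies that not only raise the target level of cybersecurity capabilities but also reduce the variability in resource availability across the entire health care system.},
  keywords  = {Cybersecurity, Participatory modeling},
  pubstate  = {published},
  tppubtype = {article},
}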
2017

Madnick, Stuart; Jalali, Mohammad S.; Siegel, Michael; Lee, Yang; Strong, Diane; Wang, Richard; Ang, Wee Horng; Deng, Vicki; Mistree, Dinsha
Measuring Stakeholders' Perceptions of Cybersecurity for Renewable Energy Systems Proceedings
Springer, 2017.
Tags: Cybersecurity
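% The record carries authors and a page range, so it is entered as a paper inside the
% proceedings volume (an entry for a whole proceedings volume takes editors, and standard
% styles ignore author and pages there). No url is given on the page.
% NOTE(review): booktitle holds the series name plus what looks like the volume number
% (10097); the proceedings' own title is not shown on the page, so it is left as given.
% NOTE(review): date and urldate are both 1 January of the publication year, presumably
% exporter defaults rather than real publication/access dates; confirm before citing.
@inproceedings{631220,
  author    = {Madnick, Stuart and Jalali, Mohammad S. and Siegel, Michael and Lee, Yang and Strong, Diane and Wang, Richard and Ang, Wee Horng and Deng, Vicki and Mistree, Dinsha},
  title     = {Measuring Stakeholders' Perceptions of Cybersecurity for Renewable Energy Systems},
  booktitle = {Lecture Notes in Artificial Intelligence 10097},
  pages     = {67--77},
  publisher = {Springer},
  year      = {2017},
  date      = {2017-01-01},
  urldate   = {2017-01-01},
  keywords  = {Cybersecurity},
  pubstate  = {published},
  tppubtype = {inproceedings},
}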