Volume 17 , Issue 2 , PP: 178-199, 2026 | Cite this article as | XML | Html | PDF | Full Length Article
Nwanneka E. Mwim 1 * , Jabu Mtsweni 2 , Bester Chimbo 3
Doi: https://doi.org/10.54216/JCIM.170213
E-health institutions are prominent targets for cybercriminals due to their reliance on information technology systems and issues related to the users have been identified as the biggest security weakest. Hence, while cybersecurity culture (CSC) research emphasizes the necessity of the human factor, limited empirical work has been done in the context of e-health in Africa. Therefore, an empirical evaluation was conducted to identify how preparedness, responsibility, management, technology and environment influence cybersecurity in South African e-health institutions. This quantitative research studied e-health institutions in the Mpumalanga province of South Africa. Various methods were used to investigate the multiple linear regression effects of the main factors of CSC and the results show that although the preparedness (Beta = 0.281; p-value < 0.05) and environment (Beta = 0.500; p-value < 0.05) factors had the greatest influence, management, technology and environment had a positive effect on CSC. These factors contributed 48.2 % to the variance (R-Squared). The study seems to be the first empirical study that combines the human factor domain framework (HFD) with other theoretical frameworks to identify critical factors of CSC. Furthermore, the impact of technology on CSC was empirically tested. The study is significant as it identified key factors that contributed to the institution’s CSC and quantified their impact. These results can enable e-health institutions to make decisions based on evidence regarding their cybersecurity interventions, strategy and practices. However, the empirical evaluation was limited to one context, namely the Mpumalanga province in South Africa and at two hospitals selected based on easy access (convenience) and purposive sampling with criteria based on work experience and knowledge of CSC limited the number of participants eligible to participate.
Cybersecurity culture , E-health , Preparedness , Responsibility , Management , Environment , Technology
[1] Department of Health, “The National Health Care Facilities Baseline Audit National Summary Report,” National Department of Health, Republic of South Africa, 2012. [Online]. Available: https://www.hst.org.za/publications/HST%20Publications/NHFA_webready_0.pdf. Accessed: Nov. 13, 2024.
[2] South African National Department of Health, “eHealth Strategy South Africa 2012-2016,” South African National Department of Health, 2012.
[3] D. R. Petretto et al., “Telemedicine, e-Health, and Digital Health Equity: A Scoping Review,” Clin. Pract. Epidemiol. Ment. Health, vol. 20, no. 1, pp. 1–21, 2024, doi: 10.2174/0117450179279732231211110248.
[4] W. J. Triplett, “Cybersecurity Vulnerabilities in Healthcare: A Threat to Patient Security,”Cybersecurity Innovative Technol. J., vol. 2, no. 1, pp. 15–25, 2024, doi: 10.53889/citj.v2i1.333.
[5] N. Hassan, N. Maarop, Z. Ismail, and W. Abidin, “Information security culture in a health informatics environment: A qualitative approach,” in Proc. 2017 Int. Conf. Res. Innovation Inf. Syst. (ICRIIS), 2017, pp. 1–6, doi: 10.1109/ICRIIS.2017.8002450.
[6] ITRC, “2018 End-of-Year Data Breach Report,” 2019. [Online]. Available: https://www.idtheftcenter.org/wpcontent/uploads/2019/02/ITRC–2018-End-of-YearAftermath–FINAL–V2–combinedWEB.pdf. Accessed: Jun. 23, 2020.
[7] Ponemon Institute LLC, “Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data,” 2016.
[8] R. Roohparvar, “5 Industries That Top the Hit List of Cyber Criminals in 2017,” Infoguard Cyber Security, 2017. [Online]. Available: http://www.infoguardsecurity.com/5-industries-tophit-list-cyber-criminals-2017. Accessed: Jul. 02, 2019.
[9] C. M. Mejía-Granda, J. L. Fernández-Alemán, J. M. Carrillo-de-Gea, and J. A. García-Berná, “Security vulnerabilities in healthcare: an analysis of medical devices and software,” Med. Biol. Eng. Comput., vol. 62, no. 1, pp. 257–273, 2024, doi: 10.1007/s11517-023-02912-0.
[10] D. Schatz, R. Bashroush, and J. Wall, “Towards a More Representative Definition of Cyber Security,” J. Digit. Forensics, Secur. Law, vol. 12, no. 2, p. 8, 2017, doi: 10.15394/jdfsl.2017.1476.
[11] E. Luijif, K. Besseling, and P. De Grassf, “Nineteen National Cyber Security Strategies,” Int. J. Crit. Infrastruct., vol. 9, no. 1-2, pp. 3–31, 2013.
[12] Da Veiga, “A Cybersecurity Culture Research Philosophy and Approach to Develop a Valid and Reliable Measuring Instrument,” in Proc. 2016 SAI Comput. Conf., 2016, pp. 1006–1015, doi: 10.1109/SAI.2016.7556102.
[13] Aksoy, “Building a Cyber Security Culture for Resilient Organizations Against Cyber Attacks,” İşletme Ekonomi ve Yönetim Araştırmaları Dergisi, vol. 7, no. 1, pp. 96–110, 2024, doi: 10.33416/baybem.1374001.
[14] Van ‘t Wout, “Develop and Maintain a Cybersecurity Organizational Culture,” in Proc. 14th Int. Conf. Cyber Warfare Secur., 2019, pp. 457–466.
[15] K. Thomson, R. Von Solms, and L. Louw, “Cultivating an Organizational Information Security Culture,” Comput. Fraud Secur., vol. 2006, no. 10, pp. 7–11, 2006, doi: 10.1016/S1361-3723(06)70430-4.
[16] N. Gcaza, R. Von Solms, M. Grobler, and J. van Vuuren, “A General Morphological Analysis: Delineating a Cybersecurity Culture,” Inf. Comput. Secur., vol. 25, no. 3, pp. 259–278, 2017, doi: 10.1108/ICS-12-2015-0046.
[17] Corradini, Building a Cybersecurity Culture in Organizations. Berlin/Heidelberg, Germany: Springer, 2020, pp. 63–86.
[18] Huang and K. Pearlson, “For What Technology Can’t Fix: Building a Model of Organizational Cybersecurity Culture,” in Proc. 52nd Hawaii Int. Conf. Syst. Sci., 2019, pp. 6398–6407.
[19] Georgiadou, S. Mouzakitis, K. Bounas, and D. Askounis, “A Cyber-Security Culture Framework for Assessing Organization Readiness,” J. Comput. Inf. Syst., vol. 62, no. 4, pp. 706–716, 2020, doi: 10.1080/08874417.2020.1845583.
[20] Da Veiga, Cybersecurity Education for Awareness and Compliance. IGI Global, 2019, pp. 72–100.
[21] European Union Agency for Network and Information Security (ENISA), “Cyber Security Culture in Organizations,” 2017.
[22] M. Ioannou, E. Stavrou, and M. Bada, “Cybersecurity Culture in Computer Security Incident Response Teams: Investigating Difficulties in Communication and Coordination,” in Proc. 2019 Int. Conf. Cyber Secur. Protection Digit. Serv., 2019, pp. 1–4, doi: 10.1109/CyberSecPODS.2019.8885240.
[23] M. Alshaikh, “Developing Cybersecurity Culture to Influence Employee Behavior: A Practice Perspective,” Comput. Secur., vol. 98, 2020, doi: 10.1016/j.cose.2020.102003.
[24] Alhogail and A. Mirza, “A Comprehensive Human Factor Framework for Information Security in Organizations,” J. Theor. Appl. Inf. Technol., vol. 78, no. 2, pp. 201–211, 2015.
[25] S. H. Bakry, “Development of Security Policies for Private Networks,” Int. J. Netw. Manag., vol. 13, no. 5, pp. 567–575, 2003.
[26] Uchendu, J. R. C. Nurse, M. Bada, and S. Furnell, “Developing a Cyber Security Culture: Current Practices and Future Needs,” Comput. Secur., vol. 109, 2021, doi: 10.1016/j.cose.2021.102387.
[27] E. Pavlova, “Enhancing the Organizational Culture Related to Cyber Security During the University Digital Transformation,” Inf. Secur., vol. 46, no. 2, pp. 239–249, 2020, doi: 10.11610/isij.4617.
