Awareness Training Transfer and Information Security Content Development for Healthcare Industry

Electronic Health Records (EHR) are becoming increasingly pervasive, and the need to safeguard them is becoming more vital for healthcare organizations. Human error is known to be the biggest threat to information security in electronic health systems, and it can be minimized through awareness training programs. Various techniques are available for delivering information security awareness. However, research is scant regarding effective information security awareness delivery methods. It is essential that an effective awareness training delivery method is selected, designed, and executed to ensure the appropriate protection of organizational assets. This study adapts Holton's transfer of training model to develop a framework for an effective information security awareness training program. The framework provides guidelines for organizations to select an effective delivery method based on the organization's needs and success factors, and to create information security content from a selected healthcare organization's internal information security policy and related international standards. Organizations should make continual efforts to ensure that the content of the policy is effectively communicated to employees.

Keywords: information security; human error; awareness training program; training content; security policy; electronic health record


I. INTRODUCTION
The general objective of this paper is to enhance the effectiveness of information security awareness training programs. More specifically, this paper aims to develop a framework that serves as a guideline for organizations to select the training delivery method that produces the desired outcomes. An effective training method must fulfil the organization's needs and requirements while taking employees' preferences into account. The paper also offers recommendations on how to augment the internal information security policy document in the healthcare sector.
This study is motivated by the importance of personal data protection, which encourages researchers to study the factors influencing users' behavior and attitudes toward information security and, in turn, the integrity of healthcare organizations. Security breaches are inevitable threats that challenge each organization differently. Thus, organizations need to safeguard vital information and assets to prevent the organization's integrity from being compromised. Information security breaches result in both direct costs (e.g. loss of intellectual property) and indirect costs (e.g. loss of reputation and potential loss of market share).
Human error is considered the biggest threat to information security effectiveness [3]. Employees' lack of attention to security policies and standards is the real threat to information systems. According to a survey of IT security practitioners conducted by [17], at least 78% of the security breaches experienced by organizations are the result of employees' negligence (Fig. 1). Nevertheless, human error can be minimized through awareness training programs [4]. The significance of information security is best defined by the level of users' comprehension of information security awareness. In every organization, employees have varying levels of information security awareness [20].
Human errors are categorized into normal human errors and abnormal human errors. Normal human errors refer to individuals' honest mistakes that are already recognized and can be prevented in advance [5]. These kinds of errors can be corrected through training programs intended to align individuals' behavior with organizational policy. Education and training programs in organizations can help to improve employees' awareness of the security of the e-health system and help them adhere to appropriate behaviors that do not compromise the security of the system.
In what follows, the background of the study is presented. Section three illustrates the research design. The conceptual framework is presented in section four of this paper. Sections five and six discuss training content and the information security policy document, respectively. Section seven focuses on training delivery methods. The conclusion is the last section of the paper.

II. BACKGROUND
Even though the number of information security awareness training programs is growing progressively, there is inadequate evidence to verify their effectiveness and impact on daily activities in the work environment [21]. The literature [6][13] has stated that some information security awareness training programs are not effective enough. For instance, a number of awareness training programs tend to be purely informative, without being integrated into employees' daily activities, which leads to disciplinary actions. Some other awareness training programs are only provided as a one-time session, which cannot truly change users' behavior toward the information system. Awareness training programs should be a regular activity and reinforced periodically. Training and awareness programs are an effective approach to reducing the risk contributed by individuals in electronic health systems. However, routine, traditional training programs have failed because they do not involve critical thinking and do not require users to think about security concepts [19]. On the other hand, there are new interactive training approaches that have succeeded in engaging employees with training activities, including computer games, web-based sessions, e-learning, teleconferencing, and crossword puzzles. The key to imparting a concept is to keep users engaged long enough to absorb that concept, especially when the training program is mandatory.
Another reason for awareness training failure is that some training programs are too advanced for trainees. Employees, particularly those without advanced computer skills such as ordinary staff working in healthcare clinics, have different levels of computer knowledge, and thus they need to be trained differently. It was also observed that most trained employees do not attempt to apply the learned skills in the work environment [6][13]. Moreover, many awareness training programs do not measure users' performance before and after the training, and therefore it is not possible to evaluate the training's outcome. Additionally, a number of employees are not motivated to participate in awareness training programs because the programs do not promote creative activities [14]. Similarly, [19] argued that traditional and routine information security awareness training programs have failed because they do not involve critical thinking and do not push users to think about security concepts.
Effective awareness training techniques should be differentiated from ineffective ones [15]. The literature [21] states that it is essential to increase the effectiveness of information security awareness training programs by encouraging employees to make an effort to transfer the skills learned to their daily job activities. It is important to understand and emphasize the factors that differentiate effective training from ineffective training. Consequently, the existing gap in information security awareness training programs should be bridged to refine and improve the effectiveness of training programs [16][9]. Furthermore, the content of an information security awareness training program should be developed from the organization's policy based on the selected training technique. Each training approach requires a specific content structure to fit the program. The main objective of training content is to enforce the information security policy document. Professional and complicated training material leaves employees confused or bored with the subject matter. Hence, the training content should be easy to comprehend, to motivate the trainees to learn as well as to ensure the delivery of the selected content. Notably, in the domain of information security, most training programs are developed by experts who do not take the audience's profile into account.

III. RESEARCH DESIGN
Training is ineffective unless it is translated into individual performance [23]. The effectiveness of information security awareness is often an overlooked element of an organization's security program. There is a broad range of awareness training delivery methods. However, research on the effectiveness of delivery methods is insufficient [1]. Similarly, a side-by-side comparison of different information security awareness delivery methods is lacking [1][6]. Training programs can truly make a difference in employees' performance, and hence it is important to understand effective transfer of training in organizations.
The aim of this research is, firstly, to develop a conceptual framework for effective transfer of training and an opt-in framework for selecting an effective awareness training delivery method; secondly, to provide a side-by-side comparison of different information security awareness delivery methods, a guideline that will help organizations effectively select a delivery method and design a training program based on the organization's needs and success factors; and lastly, to offer insights on the augmentation of the internal information security policy document to be used by healthcare organizations.
Hospital Universiti Kebangsaan Malaysia (HUKM) is one of the leading healthcare organizations in Malaysia that has adopted electronic healthcare systems. HUKM was selected as the primary healthcare organization from which to collect the information necessary to conduct this study. A series of semi-structured interviews was conducted with HUKM decision makers in order to obtain the information necessary to design the framework. The collected data is significant for creating information security content for the selected healthcare organization and vital in the process of developing the framework. The framework can be used as a guideline for adopting an effective technique for information security awareness training programs. This guideline helps decision makers to weigh the strengths and weaknesses of each awareness training technique with respect to the organization's needs. The developed framework can be used by any organization to select a successful awareness training program.
Although HUKM is ISO certified, its internal information security policy document contains insufficient details and outdated sections. To create appropriate information security content for the awareness training program at HUKM, this study attempts to augment the hospital's internal information security policy document based on relevant international policies, as explained in the next sections. The purpose of the augmentation is to encourage HUKM's policy makers to update their internal information security policy. It also shows the process of content creation that other healthcare organizations can follow to enhance their internal security policy documents. This is an unavoidable stage before creating content or selecting a proper awareness training technique.

IV. CONCEPTUAL FRAMEWORK
Holton (1996) developed a training conceptual model that focuses on individual performance. Learning, individual performance, and organizational results are the three primary outcomes of the model for a training intervention. These outcomes are described, respectively, as the learning outcome achievement desired by an organization, learning being applied on the job as a result of a change in individual performance, and results at the organizational level as a consequence of the change in individual performance. Fig. 2 shows Holton's transfer of training model. Holton's model suggests that transfer of training is affected by three crucial factors: motivation to transfer, transfer climate, and transfer design. Only when these three primary influences on transfer behavior are at their appropriate levels is learning expected to lead to a change in individual performance [9].

A. Motivation to Transfer
Holton defined motivation to transfer as an individual's desire to apply the knowledge and skills gained in the training program on the job. This paper argues that awareness can motivate employees to learn. Employees are not aware of their roles in mitigating security issues. The survey conducted by [17], titled Human Factor in Data Protection, revealed that most risks of security breaches stem from a lack of attention by staff to the security policy of an organization. Employees need to be aware of their important role in protecting the organization's vital information, to avoid compromising the system through rookie mistakes. Understanding the importance of their role in security effectiveness will motivate employees to attend training programs and incorporate their learning into their job performance.

B. Transfer Climate
The transfer climate arises from employees' perception of their work environment. It influences the degree to which employees apply the learned skills on the job. Holton defined transfer climate as a mediating variable in the relationship between the organizational context and employees' job attitudes and work behavior. Similarly, an effective awareness program must be based on the characteristics of the organization, including organization size, business requirements, budget, target audience, and organizational mission and culture. A properly designed awareness program that is in line with the organization's needs will effectively influence employees' attitudes and work behavior.
It is crucial to constantly enhance the information security awareness culture in organizations and to transform this culture into actual behavior. One way to improve the transfer climate is to recognize that different organizations have different needs. A more efficient and cost-effective approach to implementing an employee security awareness model is to use a specific program that addresses the specific needs of the organization. Awareness programs must be designed with the intention of creating organization-wide security-minded cultures, so that people work in a more secure manner and protect the assets of their organization [1].

C. Transfer Design
Holton's model did not provide guidelines explaining what constitutes an appropriate transfer design. According to Holton, the main cause of failure to transfer is training design. In the context of information security, various types of security awareness delivery methods are adopted by organizations. However, as stated by [2][6], many programs are not effective enough to change employees' attitudes and work behavior. Awareness programs often seem unlikely to improve employees' performance, and many programs fail to achieve the expected outcomes. The training itself has a direct influence on transfer of training, and the key is to design an effective awareness program. Even though there is some research on the efficiency of various information security delivery methods, research is scant regarding effective delivery methods for information security awareness.
This study provides guidelines for organizations on how to decide on an effective awareness delivery method for their organization. Building an effective awareness program requires decision makers to make critical decisions about the training delivery method as well as the training success factors. Although it is important for a security awareness program to ensure that the appropriate topics are covered, it is vital to select the right delivery methods [20]. As with any program, the success of an information security awareness program will rely heavily on how the awareness information is delivered [1]. As stated by [7], "The lecture as a teaching tool is dead. Current programs don't work because we rely on old models of teaching. People learn in different ways. Some people are visual learners, while others learn better from reading or discussing. We need to move away from canned web-delivered training to interactive, hands-on learning to build more effective security awareness programs."

D. Transfer Content
This study suggests transfer content as the fourth factor in transfer of training in Holton's model. Holton stated that the three crucial factors affecting transfer of training are motivation to transfer, transfer climate, and transfer design. However, the importance of training content in selecting an effective
The literature [8] proposed guidelines for healthcare organizations to develop information security training content. As stated by the authors, the content of an information security awareness training program must be derived from the organization's information security policy.

V. TRAINING CONTENT
As a preliminary step, organizations should identify the information security mistakes commonly made by employees, to be used in developing the training content. In other words, training content should cover the common mistakes occurring in the organization. Moreover, training content should be tailored to the organization's internal information security policy while remaining consistent with international standards [18]. It is also important to note that the information security mistakes made by junior employees may differ from those made by senior employees. Therefore, training content should cover all target employees, with their different levels of awareness knowledge [4].

VI. INFORMATION SECURITY POLICY DOCUMENT
There is no specific information security policy document tailored for Hospital Universiti Kebangsaan Malaysia (HUKM); therefore, the hospital operates on the Universiti Kebangsaan Malaysia (UKM) security policy document. However, once compared with international standards, the information security policy document was recognized to be outdated and in need of augmentation. Hence, new policies are proposed to augment the current information security policy document (Table 1). The international standards considered for the augmentation of HUKM's information security policy document include:
- ISO 27002, which provides guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment.
- The SANS (System Administration, Networking, and Security) Institute, which provides information security policies and standards as a guideline for organizations to develop and implement security policies.
- HIPAA (the Health Insurance Portability and Accountability Act of 1996), which is designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during and after electronic transmission.
Table 1 gives an overview of the steps involved in augmenting HUKM's information security policy document. First, HUKM's information security policy topics were matched against the three international sources to identify relevant clauses and controls (marked by √). Second, the strength and quality of the policy statements provided by each source were evaluated and compared with HUKM's policy statements. Next, indispensable information was extracted from the sources (marked by brackets) to be added to the relevant part of the policy document. Supplementary sections are proposed where required to enhance HUKM's policy document. As shown in the table, two sections have been added to the augmented document and the existing sections were updated in comparison with the relevant international standards.

VII. TRAINING DELIVERY METHODS
As mentioned earlier, there are a number of awareness training delivery methods. Organizations need to select an effective training delivery method that can fulfill the training needs of both the organization and its employees. The selection of a training method should be based on the information obtained from interviews with management and the pre-developed training program plan. The guide to the selection of an awareness training program framework (Fig. 4) and the selection of awareness training program guidelines (Table 3) aim to provide a guideline for decision makers to select an effective awareness training method to deliver information security content. The framework was developed based on insights from healthcare decision makers coupled with an extensive literature study. The designed framework is implemented in the selected healthcare organization for further evaluation and to recognize which awareness training technique can best fit that particular organization.

A. Organization Training Need Assessment
The literature [22][6] states that an effective awareness training program cannot be developed without giving significant attention to the specific characteristics of an organization. Awareness training programs should be tied to the organization's training needs and requirements. Hence, it is important to conduct an organization training needs assessment survey to obtain the information necessary to develop the training program. The results of the survey will provide the justification to convince management to allocate adequate resources to meet the identified awareness and training needs. The literature [22][6] lists the important training criteria to be investigated during the survey, which include organization size, business requirements, funding, target audience, organizational mission and culture, and organizational roles and responsibilities.

B. Training Development Plan
The next step is to clarify the format of the training program, such as learning outcomes, length of training, target learners, overall format of the training, overall description of the training, participant requirements, instructional materials and aids needed, and logistical issues. Training programs are developed with regard to the capability and requirements of an organization. For example, large organizations are likely to allocate a larger budget to the training program, or they may require more employees to participate in the program [11]. The training success factors are summarized in Table 2. Although it may not be realistic to expect a training program to satisfy all the success factors, decision makers should consider the important elements related to their organization's needs and the learning objectives.
Table 3 provides a side-by-side comparison of the commonly used techniques, as suggested in [1]. This table is designed for easy use of the technique selection framework for awareness training programs described above. Some of the boxes in the table are marked with the ¤ sign because some of the criteria depend on the design and implementation approach. For instance, there are two primary models of web-based instruction, namely synchronous (instructor-facilitated) and asynchronous (self-directed, self-paced). Instruction can be delivered by a combination of static methods (learning portals, hyperlinked pages, screen-cam tutorials, streaming audio/video, and live web broadcasts), which is categorized as a passive learning process. Instruction can also be delivered by interactive methods (threaded discussions, chats, and desktop video conferencing), which is categorized as an active learning process. Based on the guide to the selection of an awareness training program framework (Fig. 4) and the selection of awareness training program guidelines (Table 3), organizations should be able to decide on the awareness training program that best fits the organization.

VIII. CONCLUSION
Human errors are known as the most serious threats to information security in Electronic Health Record systems. Employees who interact with EHR systems need to be educated about the risks and hazards associated with information security. There is a wide range of information security awareness techniques. However, research on effective information security awareness delivery methods is insufficient. It is essential that an effective awareness training delivery method is selected, designed, and implemented to ensure proper protection of the organization's assets. It would be of great help for organizations to have a step-by-step guideline that provides them with the necessary information on how to select an effective training technique that fulfills the organization's needs and requirements. The authors developed a framework for effective transfer of training. The aim is to empower healthcare decision makers to easily select an effective awareness training program to deliver information security content. Nevertheless, other industries might benefit from the guidelines with minor modifications. In this paper, training success factors are discussed as critical factors in selecting an effective delivery method. The paper also explains the process of augmenting information security content based on the internal policy and international standards, which can be used as a guideline for healthcare organizations.

Fig. 1. Factors that Mostly Put Data at Risk (Source: [17])


Fig. 3. Factors Affecting Transfer of Information Security Awareness Training Program

TABLE II. TRAINING SUCCESS FACTORS
- Active/Passive Learning: Training techniques fall into two categories, active and passive. In active learning the responsibility for learning lies with the learner; it covers all training methods in which the participants are involved and active in the learning process. In passive learning, knowledge is transferred directly from one entity to another, normally as a one-way transfer from the entity with more knowledge of the topic to the entity with less.
- Coverage of Topics: Some training techniques are suitable for disseminating a single message, whereas others can be used for delivering a number of messages.
- Content Updatability: Training content should be developed in a way that allows trainers to update and modify the content when necessary.
- Customization: Training content should be tailored to each organization based on its specific needs and requirements.
- Fun: The amount of entertainment is directly related to individual learning. Participants should be given opportunities to have fun and enjoy what they are doing when engaged in training activities.
- Motivation: Motivational factors are needed to encourage individuals to change the way they used to behave and operate.
- Challenge: An effective training technique must challenge and engage the participants. Many programs fail to challenge the user, which can lead to a loss of self-motivation that may hinder successful delivery of the material.
- Supervision: In some training programs the trainer directly leads and supervises the program, whereas other training programs are run without any supervision.
- Feedback & Measurability: Every successful training program provides feedback to both trainees and instructors. Feedback and evaluation are the strengths of each training program and an easy way to distinguish effective training from ineffective training. Trainers must measure and evaluate employees' performance before and after training sessions.
- Easily Accessible: Refers to the availability of training programs to organizations and users, for instance the availability of experienced trainers, training materials, location, etc.