The human factors and organizational risks to email security
Kirsten Peremore
April 21, 2025

Human factors and organizational risks impact email security through the interplay between human error and systemic institutional weaknesses. Healthcare organizations face a unique challenge. According to a study in the online research journal Perspectives in Health Information Management, Human Factors in Electronic Health Records Cybersecurity Breach: An Exploratory Analysis, “The vast majority of health records were compromised due to poor human security. The mean number of records affected by a breach due to unintentional insider threats is more than twice that of breaches caused by malicious intent, such as external cyberattacks and theft.”
The study specifies that 73.1% of breaches stem from unintentional human errors like misdirected emails, phishing, or carelessness, compromising 141 million records from 2015 to 2020. These errors are exacerbated by clinical workflows prioritizing efficiency over security, such as clinicians bypassing protocols to expedite care.
Organizational risks include fragmented security infrastructure, inadequate staff training, and overreliance on platforms like Microsoft 365 without proper configuration. Hierarchical structures amplify risks, as employees hesitate to question authority figures, enabling impersonation attacks.
Human factors in email security
According to Mapping the Psychosocialcultural Aspects of Healthcare Professionals’ Information Security Practices: Systematic Mapping Study published in JMIR Human Factors, “Health care professionals are usually busy with their core roles of restoring patients’ health, so little attention remains for focusing on information security... especially in emergency care situations. This trade-off creates opportunities for adversaries to attack and gain access to health care systems.”
Human factors in email security risks represent the psychological, behavioral, and cognitive elements that make individuals vulnerable to email-based threats despite technological protections. These factors can be categorized into three distinct but interconnected domains: human cyber risks, human risks, and human vulnerabilities, each requiring specific mitigation strategies.
Human cyber risks involve susceptibility to phishing and social engineering, while human risks encompass activities at the IT security boundary where cybercriminals and private networks interface. Human vulnerabilities reflect the fundamental psychological predispositions that make individuals susceptible to deception.
How urgency, authority cues, and fear exploit cognitive biases
The study Thinking Fast, Not Slow: How Cognitive Biases May Contribute to Racial Disparities in the Use of Force in Police-Citizen Encounters, published in the Journal of Criminal Justice, notes, “In recent years, cognition research has shown that humans are predisposed to make rapid decisions—to rely on 'cognitive shortcuts,' or heuristics, to 'think fast'—when they perceive risk.”
Urgent messages, authority cues, and fear-inducing content exploit fundamental cognitive biases, creating psychological vulnerabilities that circumvent rational security decision-making. Authority bias plays a role, as individuals tend to attribute greater accuracy to messages appearing to come from leadership figures.
This bias becomes more potent when combined with artificial urgency, as demonstrated in attacks that use phrases to trigger immediate, unquestioning compliance. These attacks deliberately exploit our tendency to prioritize immediate rewards over future benefits by creating scenarios where the immediate relief of responding to a senior leader outweighs the future benefit of security verification.
Fear-based messaging leverages loss aversion, where individuals are more motivated to avoid losses than to acquire equivalent gains, as seen in phishing attacks threatening credit score damage. The ostrich effect (avoiding unpleasant information) causes recipients to bypass security protocols when warned that failure to act quickly will have negative consequences. These manipulative techniques are particularly effective in healthcare settings where hierarchical structures are pronounced and rapid response to authority is ingrained.
The difference between insider sabotage and accidental exposures
Accidental exposures stem from honest mistakes without malicious motivation, such as when autocomplete suggests the wrong email recipient, resulting in inadvertent sharing of protected health information. These incidents reflect human fallibility rather than malice; even so, organizations bear responsibility for failing to implement safeguards against predictable human error.
According to the journal article Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis by the Software Engineering Institute, “The purpose of this study is to examine psychological, technical, organizational, and contextual factors we believe contribute to at least two forms of insider trust betrayal: insider sabotage against critical information technology (IT) systems, and espionage…Security professionals and policy leaders currently view espionage and insider threat as serious problems, but often as separate issues that should be addressed by a different configuration of security countermeasures…Based on the results, it is our position that insider IT sabotage and espionage share many contributing and facilitating system dynamics features.”
Intentional malicious insider threats represent deliberate actions to harm the organization or achieve personal gain, such as exfiltrating patient data to leak to competitors or journalists. These malicious actors may leverage privileged access to email systems, understanding of organizational vulnerabilities, and legitimate credentials to execute their attacks while avoiding detection. The technical sophistication and patience of malicious insiders can vary, creating complex detection challenges.
The organizational risk in healthcare email security
Policy and governance gaps
A study called Primary healthcare policy and governance in low-income and middle-income countries: an evidence gap map, published in BMJ Global Health, notes, “Defining or conceptualising governance in health systems is always necessary as it involves the interaction of the government with a diverse and broad range of actors—including the community, private sector, non-government actors and non-health sectors—requiring collaborative policies and synergistic actions.”
The established guidelines for clinical email use, though developed years ago, identify numerous policy areas that remain inadequately addressed in many healthcare organizations today. These include insufficient turnaround time policies for urgent messages, inadequate patient education regarding privacy limitations, and incomplete transaction categorization systems.
Many healthcare organizations continue to operate with outdated email security policies that fail to address modern threat vectors like executive impersonation attacks and sophisticated phishing campaigns. The disconnect between policy documentation and operational implementation creates dangerous security gaps.
Further governance weaknesses include inadequate oversight of third-party email services, inconsistent enforcement of email security standards across organizational departments, and insufficient coordination between information security and clinical leadership in policy development.
The correlation between executive sponsorship of cybersecurity
Organizations with strong executive sponsorship of cybersecurity programs demonstrate more effective implementation of email security controls, including the proper configuration of security settings that many healthcare organizations neglect. This executive engagement typically correlates with increased resource allocation for both technical controls and human-focused security measures like awareness training.
A 2015 article titled ‘Making Cybersecurity Effective: The Five Governing Principles for Implementing Practical IT Governance and Control’ states, “Strong executive sponsorship is the prerequisite for effective IT governance and the proper way to establish information security is to engineer an array of interlocking best practices, from a commonly accepted model of best practice. Organizations must define substantive policies, assign roles and responsibilities, educate employees, and describe and enforce accountability.”
When executive leadership views cybersecurity as primarily an IT function rather than an organization-wide responsibility, email security programs often suffer from insufficient visibility, authority, and resource allocation. The relationship becomes more complex when examining executive communication patterns themselves: senior leaders who regularly communicate via email but demonstrate poor security practices inadvertently normalize risky behaviors throughout the organization.
Executive impersonation scams demonstrate how attackers exploit the established communication patterns of specific executives. Organizations where executives actively participate in security awareness training show lower susceptibility to phishing attacks targeting leadership.
The benefit of human-centric training and simulations
Human-centric training and simulation approaches are educational methodologies that directly address the psychological and behavioral dimensions of email security threats in healthcare settings. The above-mentioned Perspectives in Health Information Management study notes that phishing drills reduce susceptibility by 50% when paired with real-time feedback.
These programs typically involve cyber attack simulations that safely expose healthcare staff to realistic phishing attempts, executive impersonation scenarios, and other email-based threats within controlled environments.
The effectiveness of these approaches stems from their ability to create emotional engagement with security concepts rather than merely transferring technical knowledge. The human-centric methodology extends beyond technical training to address the cognitive biases that attackers exploit, helping healthcare staff recognize and counteract psychological vulnerabilities like authority bias and loss aversion through practical exercises.
Modern simulation platforms incorporate adaptive learning elements that customize scenarios based on individual risk profiles, targeting specific vulnerabilities identified through real-time monitoring of employee cyber risk behaviors. Healthcare organizations benefit particularly from industry-specific simulations that replicate the unique urgency, terminology, and workflows of medical environments, making the training directly applicable to daily clinical communications.
The emerging trends elevating human factors to email security
The evolution toward sophisticated plain-text attacks represents a particularly concerning development, as these attacks deliberately avoid suspicious links or attachments to bypass technical security filters while exploiting psychological vulnerabilities.
There is a growing prevalence of multi-stage attacks that begin with seemingly innocuous email exchanges to establish trust before escalating to more damaging requests, making detection increasingly difficult. Generative AI technologies are enabling more convincing impersonation attacks by allowing threat actors to perfectly mimic the writing styles, terminology preferences, and communication patterns of specific healthcare executives and clinicians.
The continued shift toward mobile email access creates additional vulnerabilities, as smaller screens and limited security features on mobile devices make detecting subtle signs of phishing more challenging for healthcare staff working in fast-paced environments.
FAQs
What human factors contribute to email security risks in healthcare?
Human factors include inadvertent errors such as misaddressed emails, falling for phishing scams, and failure to follow security protocols.
How do operational risks affect email security?
Operational risks arise from system misconfigurations, lack of proper encryption, inadequate access controls, and insufficient monitoring.
What operational controls are essential for healthcare email security?
Key controls include encryption protocols (TLS, S/MIME), proper configuration of email platforms, domain authentication standards (DMARC, SPF), and continuous risk assessments to identify vulnerabilities.