Accepted for/Published in: Journal of Medical Internet Research

Date Submitted: Oct 27, 2024
Date Accepted: Jan 16, 2026

The final, peer-reviewed published version of this preprint can be found here:

Cognitive Dissonance–Based Priming Intervention: Randomized Encouragement With in-the-Wild Phishing Simulation Attack in Health Care

Yeng PKY, Fauzi MA, Vestad A, Yang B, De Moor K, Jacobsen C, Diekuu JB, Bettayeb M

J Med Internet Res 2026;28:e68051

DOI: 10.2196/68051

PMID: 42224651

Cognitive Dissonance (CD)-Based Priming Intervention: Randomized encouragement with In-The-Wild Phishing Simulation attack in healthcare

  • Prosper Kandabongee Yeng Yeng
  • Muhammad Ali Fauzi
  • Arnstein Vestad
  • Bian Yang
  • Katrien De Moor
  • Christian Jacobsen
  • John-Bosco Diekuu
  • Meriem Bettayeb

ABSTRACT

Background:

Phishing remains the dominant initial attack vector in healthcare, where attackers exploit psychological factors such as urgency, authority, and trust. Despite extensive investment in technical controls and awareness training, healthcare staff continue to exhibit high susceptibility. Cognitive dissonance, a state of psychological discomfort arising from inconsistencies between beliefs and actions, offers a theoretically grounded mechanism to disrupt rationalization at the moment of phishing exposure, yet it has rarely been evaluated as a proactive cybersecurity intervention in real operational settings.

Objective:

A two-stage controlled experiment was conducted at a large Norwegian hospital. In Stage 1, healthcare staff were randomly assigned to either a control or CD-primed condition and completed a survey that measured security perceptions and self-reported practices. In Stage 2, an in-the-wild phishing simulation was sent to all staff, enabling objective measurement of click behavior. Behavioral outcomes were analyzed across three groups: control, CD-primed, and neutral non-responders (total n = 819), using chi-square analysis. Survey-based outcomes (n = 62) were analyzed using MANOVA and ANOVA and are interpreted as exploratory due to limited statistical power.

Methods:

A two-stage controlled experimental design was used. The first stage involved self-reported assessments, while the second stage consisted of real-world behavioral observations through an in-the-wild phishing simulation. In Stage 1, 830 healthcare staff—primarily doctors and nurses from a major hospital in Norway—were randomly assigned to either a control group or an experimental (cognitive dissonance) group. Stage 2 comprised three groups: control, experimental, and a neutral group of non-responders, with approximately 819 healthcare workers participating in the phishing simulation. Phishing susceptibility rates were 65% in the control group, 44% in the experimental group, and 53% in the neutral group. Statistical analysis using Pillai’s Trace was conducted to assess group differences in actual behavior, perceived severity, and cues to action. A post hoc power analysis using the chi-square test of independence was also performed to evaluate the statistical power of group differences in phishing susceptibility across the three groups: control (n = 34), experimental (n = 32), and neutral (n = 753).

Results:

Observed phishing susceptibility differed across groups: 65% in the control group, 53% in the neutral group, and 44% in the CD-primed group. The behavioral analysis demonstrated a very large effect size (Cohen’s w = 1.73) with full post hoc statistical power, providing confirmatory evidence that CD priming was associated with reduced click behavior. Multivariate analysis revealed group differences in actual behavior, perceived severity, and cues to action; however, construct-level findings are considered exploratory due to the low sample size and variable internal consistency.

Conclusions:

This study provides confirmatory behavioral evidence that a brief CD-based prompt, delivered immediately before a phishing attempt, is associated with reduced phishing susceptibility in a real-world healthcare setting. While construct-level findings require cautious interpretation, the results suggest that CD-based priming may serve as a low-cost, scalable enhancement to phishing simulations and security awareness programs. Future research should assess durability, causal mechanisms, and generalizability through larger and longitudinal studies.



© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a cc-by license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.