Identifying Contextual Factors That Shape Cybersecurity Risk Perception for Assisted Living and Health Care Technologies and Wearables: Mixed Methods Study

Introduction

Background

Over the last decade, the landscape of health care technology has expanded significantly, introducing innovative solutions to assist health care needs [Aceto G, Persico V, Pescapé A. The role of information and communication technologies in healthcare: taxonomies, perspectives, and challenges. Journal of Network and Computer Applications. Apr 2018;107:125-154. [CrossRef]1]. These advances have been instrumental in enhancing the efficiency of health care delivery, reducing operational costs, and optimizing timely management. The adoption of artificial intelligence–based solutions in the health care sector has accelerated through applications such as artificial intelligence–supported analysis of X-ray interpretation and blood sample evaluations [Irmici G, Cè M, Caloro E, Khenkina N, Della Pepa G, Ascenti V, et al. Chest X-ray in emergency radiology: what artificial intelligence applications are available? Diagnostics (Basel). Jan 06, 2023;13(2):216. [FREE Full text] [CrossRef] [Medline]2-Ma B, Yang J, Wong FKY, Wong AKC, Ma T, Meng J, et al. Artificial intelligence in elderly healthcare: a scoping review. Ageing Res Rev. Jan 2023;83:101808. [CrossRef] [Medline]5]. Moreover, an emerging trend is using technology to facilitate remote patient care outside traditional health care environments such as hospitals [Rosen JM, Adams LV, Geiling J, Curtis KM, Mosher RE, Ball PA, et al. Telehealth's new horizon: providing smart hospital-level care in the home. Telemed J E Health. Nov 2021;27(11):1215-1224. [CrossRef] [Medline]6,Alwan M. Passive in-home health and wellness monitoring: overview, value and examples. Annu Int Conf IEEE Eng Med Biol Soc. 2009;2009:4307-4310. [CrossRef] [Medline]7]. This trend introduces multiple challenges, particularly in cybersecurity. Medical devices and assisted living technologies have been the subject of cybersecurity incidents [Kioskli K, Fotis T, Mouratidis H. The landscape of cybersecurity vulnerabilities and challenges in healthcare: security standards and paradigm shift recommendations. In: ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security. New York, NY. Association for Computing Machinery; 2021. Presented at: ARES '21: The 16th International Conference on Availability, Reliability and Security; August 17-20, 2021:1-9; Vienna, Austria. URL: https://dl.acm.org/doi/10.1145/3465481.3470033 [CrossRef]8-Halperin D, Clark S, Fu K, Heydt-Benjamin T, Defend B, Kohno T, et al. Pacemakers and implantable cardiac defibrillators: software radio attacks and zero-power defenses. New York, NY. IEEE; 2008. Presented at: 2008 IEEE Symposium on Security and Privacy; May 18-22, 2008:129-142; Oakland, CA. [CrossRef]11]. Recently, several hundred insulin pumps were called back by the Food and Drug Administration (responsible for regulating medical devices in the United States) due to software weaknesses, resulting in the battery depletion of insulin pumps [Novak M. 224 injured after glitchy diabetes app drains insulin pump batteries. Gizmodo. 2024. URL: https://gizmodo.com/fda-recall-injured-faulty-diabetes-app-insulin-pump-1851467117 [accessed 2024-05-21] 12,US Food and Drug Administration (FDA). Tandem Diabetes Care, Inc. recalls version 2.7 of the Apple iOS t:connect mobile app used in conjunction with t:slim X2 insulin pump with control-IQ technology prompted by a software problem leading to pump battery depletion. FDA. 2024. URL: https://tinyurl.com/4fhtrt7n [accessed 2024-05-21] 13]. Although this was not an intended attack, it demonstrates the vulnerabilities in the technology that could be exploited for malicious purposes. Incidents resulting from intended attacks have also occurred, including attacks on home care services in Ontario, Canada, Norway, and Sweden, which jeopardized patient safety and their data [Patton J. Ontario home care service provider victim of cyber attack. Global News. 2018. URL: https://globalnews.ca/news/4280633/carepartners-home-care-provider-cyber-attack/ [accessed 2024-06-11] 14,Martin A. "Crisis situation" declared as two Swedish municipalities hit by cyberattack. The Record. 2022. URL: https://therecord.media/crisis-situation-declared-as-two-swedish-municipalities-hit-by-cyberattack [accessed 2024-06-11] 15].

A wide range of remote care technologies are available. These technologies collect and transfer data generated from patients, such as measurements and self-reported data, also known as patient-generated health data (PGHD) [Khatiwada P, Yang B, Lin J, Blobel B. Patient-generated health data (PGHD): understanding, requirements, challenges, and existing techniques for data security and privacy. J Pers Med. Mar 03, 2024;14(3):282. [FREE Full text] [CrossRef] [Medline]16]. Assisted living technologies (known as “welfare technologies” in Norway) refer to technologies that augment an individual’s safety and security, including technology used for remote care. These technologies also manage and transfer PGHD. Assisted living technology, remote care, and disease management technologies have been adopted broadly in Norway and Canada. This adoption is expected to increase drastically in the coming years due to demographic shifts and health care resource constraints [Giansanti D. Cybersecurity and the digital health: the challenge of this millennium. Healthcare (Basel). Jan 11, 2021;9(1):62. [FREE Full text] [CrossRef] [Medline]17,George-Bogdan M, Meşniţă G. Healthcare under siege: the need to improve cybersecurity in the near future. New York, NY. IEEE; 2023. Presented at: 2022 E-Health and Bioengineering Conference (EHB); November 17-18, 2022:1-4; Iasi, Romania. [CrossRef]18]. The 2 countries differ in geographical size and population, but they share a high degree of trust in public institutions and maintain predominantly publicly funded health care systems. Both also share a decentralization of health care delivery; in Canada, health care services are managed by 10 provincial health authorities and 3 territorial authorities, while in Norway, primary health care is distributed among 356 municipalities, while specialist health care is distributed among 4 regional health care authorities. Moreover, the populations of both countries demonstrate high levels of technological literacy, with an internet penetration rate of 99% in Norway and 92% in Canada [Countries with the highest internet penetration rate as of April 2024. Statista. 2024. URL: https:/​/www.​statista.com/​statistics/​227082/​countries-with-the-highest-internet-penetration-rate/​#statisticContainer [accessed 2024-06-24] 19]. Although technological literacy is high, cybersecurity still poses a challenge.

Cybersecurity can be understood as the “protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide” [Andress J, Winterfield S. The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice. Rockland, MA. Syngress; 2014. 20]. In health care, the implications of cybersecurity incidents extend beyond simple data breaches to encompass critical consequences, potentially harming the health and safety of individuals and compromising PGHD [Aceto G, Persico V, Pescapé A. The role of information and communication technologies in healthcare: taxonomies, perspectives, and challenges. Journal of Network and Computer Applications. Apr 2018;107:125-154. [CrossRef]1,Cartwright A. The elephant in the room: cybersecurity in healthcare. J Clin Monit Comput. Oct 2023;37(5):1123-1132. [FREE Full text] [CrossRef] [Medline]21]. The successful deployment of remote care solutions depends on several elements, including technology accessibility, technological literacy, financial resources, and health care delivery’s structural and organizational aspects [Read E, Gagnon D, Donelle L, Ledoux K, Warner G, Hiebert B, et al. Stakeholder perspectives on in-home passive remote monitoring to support aging in place in the province of New Brunswick, Canada: rapid qualitative investigation. JMIR Aging. May 11, 2022;5(2):e31486. [FREE Full text] [CrossRef] [Medline]22-Freiesleben SD, Megges H, Herrmann C, Wessel L, Peters O. Overcoming barriers to the adoption of locating technologies in dementia care: a multi-stakeholder focus group study. BMC Geriatr. Jun 21, 2021;21(1):378. [FREE Full text] [CrossRef] [Medline]24]. It involves many stakeholders, including patients, clinicians, public and private health care organizations, technology vendors, and regulatory bodies [Sultana NN, Alam M, Sanaul HM. Identifying relevant stakeholders in digital healthcare. Berlin, Germany. Springer; 2121. Presented at: The First International Conference on Applied Intelligence and Informatics; July 30-21, 2021; Nottingham, UK. URL: https://www.researchgate.net/publication/352167151 [CrossRef]25-Peek STM, Wouters EJM, Luijkx KG, Vrijhoef HJM. What it takes to successfully implement technology for aging in place: focus groups with stakeholders. J Med Internet Res. May 03, 2016;18(5):e98. [FREE Full text] [CrossRef] [Medline]27]. The stakeholders involved in device use, operation, and management may hold different perceptions of cybersecurity risks.

Cybersecurity risk perception may differ between patients and health care workers; a patient using a type 1 diabetes (T1D) device may be more concerned about the immediate threat of denial of service impacting their insulin delivery, while a clinician might focus on the broader implications of compromised data integrity across both T1D devices and wearables for clinical decision-making. Cybersecurity risk perception encompasses concerns about threats and their potential impact on technologies, systems, and data, including incidents such as data breaches, attacks, and hacking, which can compromise confidentiality, integrity, availability, and functionality. Understanding these risks requires technical considerations and the social, cultural, and psychological factors that shape how individuals and organizations perceive cybersecurity threats [Huang D, Rau PP, Salvendy G. Perception of information security. Behaviour & Information Technology. May 2010;29(3):221-232. [CrossRef]28,Goh Z, Hou M, Cho H. The impact of a cause-effect elaboration procedure on information security risk perceptions: a construal fit perspective. Journal of Cybersecurity. Jan 2022;8(1):tyab026. [CrossRef]29].

Various disciplines, such as psychology, engineering, and safety science, have explored risk perception. Common theories in the risk perception field include the social amplification of risk framework and protection motivation theory [Slovic P. The perception of risk. In: Scientists Making a Difference: One Hundred Eminent Behavioral and Brain Scientists Talk About Their Most Important Contributions. Cambridge, MA. Cambridge University Press; 2016:179-182.30-Rogers R. Cognitive and physiological processes in fear appeals and attitude change:a revised theory of protection motivation. In: Cacioppo J, Petty R, editors. Social Psychophysiology. New York, NY. Guilford Press; 1983:153-177.36]. Factors such as culture, optimism bias, personal fear, dread, familiarity, benefit, trust, and social trust have been explored in previous research on cybersecurity risk perception [Slovic P. The perception of risk. In: Scientists Making a Difference: One Hundred Eminent Behavioral and Brain Scientists Talk About Their Most Important Contributions. Cambridge, MA. Cambridge University Press; 2016:179-182.30-Fischhoff B, Bostrom A, Quadrel MJ. Risk perception and communication. Annu Rev Public Health. May 1993;14(1):183-203. [CrossRef] [Medline]33,Moen B. Risk perception, priority of safety, and demand for risk mitigation in transport. Doctoral thesis, Department of Psychology, Norwegian University of Science and Technology. NTNU Open. 2008. URL: https://ntnuopen.ntnu.no/ntnu-xmlui/handle/11250/264963 [accessed 2025-03-10] 37-Reeves A, Parsons K, Calic D. Whose risk is it anyway: how do risk perception and organisational commitment affect employee information security awareness? Berlin, Heidelberg, Germany. Springer; 2020. Presented at: 22nd International Conference on Human-Computer Interaction (HCII2020); July 19-24, 2020:232-249; Copenhagen, Denmark. [CrossRef]45]. The Technology Adoption Model (TAM) and TAM2 are widely accepted in explaining why particular technologies are adopted [Vestad A. Personality traits and security motivation. Stud Health Technol Inform. Nov 03, 2022;299:183-188. [CrossRef] [Medline]46-Mitchell-Box K, Braun KL. Fathers' thoughts on breastfeeding and implications for a theory-based intervention. J Obstet Gynecol Neonatal Nurs. 2012;41(6):E41-E50. [CrossRef] [Medline]51]. Previous research highlights a lack of focus on human factors when assessing sociotechnical systems, especially within cybersecurity. A study found that technical factors often receive the most attention, whereas human factors related to awareness, privacy, and trust are frequently overlooked [Rohan R, Funilkul S, Pal D, Chutimaskul W. Understanding of human factors in cybersecurity: a systematic literature review. 2021. Presented at: 2021 International Conference on Computational Performance Evaluation (ComPE); December 1-3, 2021:133-140; Shillong, Meghalaya, India. [CrossRef]52]. Addressing these human factors is crucial for a comprehensive understanding of cybersecurity risks in health care. Therefore, we adopted a cybersecurity approach to contextual factors, dividing them into human, organizational, and technological categories [McEvoy TR, Kowalski SJ. Deriving cyber security risks from human and organizational factors – a socio-technical approach. CSIMQ. Apr 30, 2019;2019(18):47-64. [CrossRef]53,Triplett WJ. Addressing human factors in cybersecurity leadership. JCP. Jul 22, 2022;2(3):573-586. [CrossRef]54].

Aim

This paper aims to investigate cybersecurity risk perception for assisted living technologies and wearables among stakeholders from Norway and British Columbia (BC), Canada, and identify contextual factors that shape these perceptions. We aim to explore differences in cybersecurity risk perceptions among different stakeholder groups for these technologies and identify the relevant human, organizational, and technological factors that impact these differences. However, due to ethical considerations, we do not compare survey data from the 2 geographical locations; instead, we rely on the interpretation of qualitative data from interviews to identify if differences in risk perception exist.

Methods

Study Design

This study performed an analysis among relevant stakeholders in Norway and BC, Canada, to explore cybersecurity risk perception and contextual factors associated with assisted living technologies. To simplify reporting, we refer to “cybersecurity risk perception” as “risk perception.” Our sampling approach in Norway was based on previous research on key stakeholders for assisted living technologies [Nilsen ER, Dugstad J, Eide H, Gullslett MK, Eide T. Exploring resistance to implementation of welfare technology in municipal healthcare services - a longitudinal case study. BMC Health Serv Res. Nov 15, 2016;16(1):657. [FREE Full text] [CrossRef] [Medline]23,Guise V, Anderson J, Wiig S. Patient safety risks associated with telecare: a systematic review and narrative synthesis of the literature. BMC Health Serv Res. Nov 25, 2014;14:588. [FREE Full text] [CrossRef] [Medline]55,Nilsen ER, Stendal K, Gullslett MK. Implementation of eHealth technology in community health care: the complexity of stakeholder involvement. BMC Health Serv Res. May 11, 2020;20(1):395. [FREE Full text] [CrossRef] [Medline]56]. In Norway, we focused on 2 specific technologies, medicine dispensers and digital self-reporting forms, as these solutions have been widely adopted. We approached stakeholders to participate as survey respondents and as interviewees. In BC, these same technologies have not been as widely adopted. Hence, we examined other technologies that support an individual in managing their disease remotely: insulin pumps and continuous glucose monitoring (CGM) devices. These technologies are used as examples in the survey and interviews.

The survey was distributed in Norway from September 2023 to March 2024, and interviews were conducted from August 2021 to February 2024. Three preliminary interviews were conducted before ethical approval, which was permitted by Norwegian ethics rules but restricted the ability to gather any identifiable information. However, they enabled the gathering of key insights into the organization and implementation of assisted living technology in the Norwegian health care sector, which were instrumental in the subsequent research design. The survey was distributed in BC from December 2023 to February 2024, and interviews were conducted from December 2023 to April 2024 (Figure 1). This manuscript has been prepared following the COREQ (Consolidated Criteria for Reporting Qualitative Research) guidelines [Tong A, Sainsbury P, Craig J. Consolidated Criteria for Reporting Qualitative Research (COREQ): a 32-item checklist for interviews and focus groups. Int J Qual Health Care. Dec 2007;19(6):349-357. [FREE Full text] [CrossRef] [Medline]57].

‎

Participants

Participants were health care workers, patients or device users, and experts involved in the development and implementation of assisted living technologies and wearables. The stakeholder groups enrolled varied slightly between the 2 countries. Specifically, Norwegian participants included health care workers in primary and specialist care, device vendors or industry professionals, health authorities, and cybersecurity experts. The participants from BC were patients (adults and adolescents), families of patients, clinicians or researchers using health care–related wearable technologies or data, biomedical engineers, hospital or research information technology (IT) professionals, and device vendors or industry professionals. We included adolescents to enrich the data material, as they represent a key user group for the T1D technology use case. Thus, it helped to offer a more comprehensive understanding of the cybersecurity risk affiliated with the technology across different demographics.

Recruitment

The survey and interview respondents in Norway were gathered through an initial email to primary health care providers, specialist health care providers, health care authorities, technology vendors, and the expert network at the Norwegian University of Science and Technology. The survey was distributed by leaders in either primary or specialist health care organizations and a group dedicated to health care technologies in Norway on the social media platform Facebook (Meta Platforms, Inc.). In BC, we recruited adolescents, their parents, and other adults living with T1D using existing lists of participants who had given permission to be contacted for research and additional adult patients through a provincial portal for patient engagement and recruitment: REACHBC [REACH BC - health research study platform in British Columbia. REACH BC. URL: https://www.reachbc.ca/ [accessed 2024-06-20] 58]. Health care clinicians, researchers, IT professionals, biomedical engineers, and device vendors/industry professionals were contacted via email and newsletters utilizing existing networks; participants belonging to health care institutions were approached via departmental email lists and research institute newsletters.

Survey Instrument

The survey deployed in both countries was built on the Behavioral-Cognitive Internet Security Questionnaire (BCISQ), which uses a 5-point Likert scale to gather data on respondents’ behavior and awareness of using solutions based on information and communications technology [Mitchell-Box K, Braun KL. Fathers' thoughts on breastfeeding and implications for a theory-based intervention. J Obstet Gynecol Neonatal Nurs. 2012;41(6):E41-E50. [CrossRef] [Medline]59]. Our survey consisted of 3 main parts: the first part gathered background information, including age, gender, and profession; the second part included the BCISQ; and the final part collected insights on risk perception for assisted living technologies or diabetes technology and smartwatches.

The BCISQ measures behavior and perception of information security risk when using the internet in 2 ways: first, by having participants assess and respond to various “risky” situations, and subsequently, by simulating a scenario that asks for the respondent’s most commonly used password question. In Norway, the simulation was presented through the open-ended question: “To check the quality of your password, write your most used password.” This could not be replicated in BC due to ethical considerations and concerns by institutional research privacy leaders. Instead, we posed the question, “If we asked you to reveal your most used password to evaluate the security of your password, would you reveal it?” with the answer option “yes/no”. Two subscales measure the cognitive dimension; the first scale captures an evaluation of information security risk, utilizing the term “likelihood” as per Adams [Adams J. Risk. London, UK. UCL Press; 1995. 60] to understand how users evaluate the probability of cyber risk, while the second subscale captures how important users evaluated security mechanisms in managing these risks, following the approach of Velkie and Solic [Mitchell-Box K, Braun KL. Fathers' thoughts on breastfeeding and implications for a theory-based intervention. J Obstet Gynecol Neonatal Nurs. 2012;41(6):E41-E50. [CrossRef] [Medline]59] who evaluated the individual’s assessment of risk and perceived importance of security mechanisms. For example, the first scale contained questions to evaluate risk, such as “How would you rate the likelihood of someone stealing your identity on the internet (some examples of services that use your personal identity include online banking, social media, and e-mail)?” with options ranging from “very unlikely” to “very likely”, while importance was captured by a direct question, such as “How would you rate the importance of updating your smartphone or laptop with the latest software?”, with options on a scale of “not very important” to “very important.” [Mitchell-Box K, Braun KL. Fathers' thoughts on breastfeeding and implications for a theory-based intervention. J Obstet Gynecol Neonatal Nurs. 2012;41(6):E41-E50. [CrossRef] [Medline]59,Adams J. Risk. London, UK. UCL Press; 1995. 60].

We extended the survey to encompass questions related to assisted living technologies or diabetes technology and smartwatches to enhance our understanding of risk perceptions associated with specific technologies. Smartwatches were intended to target a technology widely recognized by the general population yet not primarily serving a dedicated health function. This allowed us to explore if risk perception differs between assisted living and diabetes technologies versus smartwatches. The survey sought to capture respondents’ evaluations of the likelihood and impact (consequence) of incidents compromising confidentiality, integrity, and availability. Continuing the structure of the BCISQ, responses were collected on the same 5-point Likert scale.

Before deploying the surveys in Norway and BC, we conducted preliminary tests with researchers, mainly from the health care field. These tests led to minor modifications in the question structure and sequence, ensuring clarity and relevance in both contexts. The survey was distributed in Norwegian in Norway and in English in BC. The surveys can be found in

Multimedia Appendix 1

British Columbia survey questionnaire.

Interviews

A semistructured interview approach was adopted, and interview guides were prepared in advance. These aimed at gathering comprehensive data on key areas: (1) understanding of assisted living technologies or diabetes technologies; (2) cybersecurity risk understanding; (3) cybersecurity threats and vulnerability specific to these technologies; (4) behavior, attitude, and awareness; and (5) organizational and management practices for technology and security. Because of the varied knowledge and characteristics of the stakeholders, we developed customized interview guides. In Norway, interview guides were tailored to each stakeholder group to reflect their unique perspectives and roles. In BC, an initial interview guide was developed and adjusted according to the specific stakeholder being interviewed. Primary themes were consistent, yet the flexibility in the interview process allowed for follow-up on specific topics based on the interviewee’s responses. For instance, health care workers familiar with one of the technologies were asked more detailed follow-up questions regarding their risk perceptions of that technology. Conversely, for those less familiar with specific technologies, discussions were generally focused on risk perceptions of assisted living technologies or smartwatches. The interview guides are attached in

Multimedia Appendix 3

Interview guide (British Columbia, Canada).

Analysis

Descriptive statistics were applied to the survey data in both data sets to summarize participants’ characteristics and responses to questions related to the BCISQ (behavior and attitude) and risk perception. Variability was assessed using Cronbach α, indicating the internal consistency of the items. A significant challenge in our analysis was comparing the 2 data sets subject to different privacy regulations. The Norwegian data were stored in Norway, and data transfer to other countries, especially outside the European Union, was prohibited. Similarly, the BC data were stored in BC, and transferring data outside Canada was prohibited. The data sets were analyzed separately to overcome these challenges and account for variation in the specific stakeholder groups participating in the 2 countries. Subsequently, the results of the aggregated data were subjected to further analysis and comparison. We used R statistical software (version 4.3.2; R Foundation for Statistical Computing) and Excel (Microsoft Corporation) to analyze the quantitative data.

Interviews were transcribed and verified against the recordings, followed by analysis using NVivo (Lumivero) for thematic analysis. We used a stepwise deductive-inductive approach. This process began with establishing codes and progressed to linking codes via axial coding, facilitating the identification of relationships between codes [Tjora A. Kvalitative Forskningsmetoder i Praksis (4th edition). Oslo, Norway. Gyldendal; 2021. 61]. Subsequently, we developed categories encompassing multiple codes, enabling the identification of key concepts and themes. The stepwise inductive-deductive method allowed us to continuously refine our understanding of empirical findings supported by theory [Tjora A. Kvalitative Forskningsmetoder i Praksis (4th edition). Oslo, Norway. Gyldendal; 2021. 61]. This approach also aligns with the suggested approach for conducting thematic analysis by Braun and Clarke [Braun V, Clarke V. Using thematic analysis in psychology. Qualitative Research in Psychology. Jan 2006;3(2):77-101. [CrossRef]62]. Throughout the process, the researchers discussed recurring themes to enhance the consistency of the analysis. When analyzing the qualitative data, we completed separate analyses to prevent data transfer and then aggregated and interpreted data on themes and recurring topics between both data sets.

Ethical Considerations

Ethical approval in Norway was obtained from the Norwegian Agency for Shared Services in Education and Research (606692) on March 21, 2022, with updated approval on August 15, 2023, to reflect the data from BC. Ethical approval in BC was granted by the University of British Columbia/Children’s and Women’s Health Centre of British Columbia Research Ethics Board (H23-01987; date of approval 2023-11-27; principal investigator: MG). Implied informed consent was used for surveys, while electronic consent was used for interviews.

Written informed consent was obtained for all interviews. Before each interview, participants were emailed a consent form. As a result of different privacy legislation, the forms were collected in different ways. We used the Research Electronic Data Capture (REDCap) electronic consent framework for BC, while in Norway, the forms were distributed and collected via email, with participants signing and returning the consent form [Harris PA, Taylor R, Minor BL, Elliott V, Fernandez M, O'Neal L, et al. REDCap Consortium. The REDCap consortium: building an international community of software platform partners. J Biomed Inform. Jul 2019;95:103208. [CrossRef] [Medline]63].

Privacy and confidentiality protection were priorities in this study. Data were analyzed once samples were deidentified. Norwegian data were stored on an encrypted device with password protection, and the tool used to collect survey data did not collect metadata or IP addresses to prevent the identification of human participants. In BC, data were collected through REDCap, which also did not record IP addresses. Extracted data were stored on research institute network drives, with access restricted to research team members.

Norwegian research participants received no compensation for their participation. In BC, survey participants were entered into a raffle for approximately US $7.50 gift cards, while all the interview participants received an approximately US $15 gift card.

Results

Participation Overview

We received 274 survey responses (Norway, n=185; BC n=89). Participants were predominantly female (139/185, 75.1%, in Norway and 57/89, 64%, in BC) and most respondents were between 21 and 56 years old; 45 interviews were completed (Norway n=31, BC n=14). The median age category was 46-50 years in Norway and 41-45 years in BC (Table 1).

BCISQ

BCISQ data demonstrated that both respondent groups assessed their behavior as low-risk (Table 2). The groups had a median score of 1 and 1.1 (never). The range of the group demonstrates that few of the respondents ever engage in “risky” behavior, regardless of country. On the cognitive likelihood (risk) scale, both groups demonstrated a neutral to unlikely understanding of the occurrence of an undesired event. However, the range was wider in Norway (range 1.6) versus BC (range 1.0). Norway had a median score of 4 on the cognitive importance scale, while BC had a 3.8 median score.

The last instrument of the BCISQ was the behavioral simulation. In total, 46 out of 185 (24.9%) Norwegian respondents answered the question: 17 out of 185 (9.2%) were deemed to have provided a possible actual password based on password requirements (capital letters, special characters, and password length), while the remaining 29 provided responses that were not deemed to be their actual password. Of the BC respondents, 16 out of 89 (18%) answered that they would provide their password. Moreover, when asked about password strategy, the majority in both groups reported that they only implemented minor password changes when changing passwords (94/185, 50.8%, in Norway and 45/89, 51%, in BC).

Reliability Analysis

The Norwegian data sample demonstrated internal consistency with Cronbach α, which was above the acceptable rate (0.7) on the overall questionnaire and the cognitive likelihood and importance scales, but lower on the behavioral scale. The BC responses demonstrated acceptable internal consistency overall and for the cognitive likelihood and importance scales, but the risky behavior self-assessment measurement was not within the acceptable range (Table 3).

Risk Perception for Assisted Living Technologies and Diabetes Technologies

For assisted living and diabetes technologies, the likelihood (probability) of confidentiality, integrity, or availability being compromised had a median score of 2 (unlikely) to 3 (neutral) among all respondents (Figure 2).

‎

Because of a survey logic error, which resulted in optional risk perception questions, the Norwegian sample was limited to 147 out of 185 (79.5%) participants. The range for availability was slightly higher for assisted living technologies (IQR 3-4). Results for consequences (impact) were evaluated higher, between 3 (moderate) and 4 (major), indicating a more serious evaluation of consequence. For diabetes technologies, the range for integrity had the highest consequence, between 3 (major) and 5 (catastrophic). The Cronbach α was 0.679 for the Norwegian data sample and 0.664 for the BC sample.

Risk Perceptions for Smartwatches

For smartwatches, the likelihood (probability) of confidentiality, integrity, or availability being compromised had a median in both populations between 2 (unlikely) and 3 (neutral), with most results at 3 (neutral; Figure 2). The IQR was between 2 and 3 for all measurements. The results for consequences (impact) were between 2 (minor) and 3 (moderate). As a result of a survey logic error, which resulted in optional risk perception questions, the Norwegian sample was limited to 65 out of 185 (35.1%) participants. For the smartwatch risk perception measurement in Norway, Cronbach α was 0.812, and for BC, it was 0.694.

Interview Findings

We conducted 45 interviews (Norway n=31, BC n=14), involving 25 females (Norway n=17, BC n=8) and 23 males (Norway n=18, BC n=5). The initial coding process resulted in 72 codes for Norway and 61 for BC. After aggregating into categories encompassing all codes, we had 10 categories for BC and 10 categories for Norway, which mapped to 3 overarching themes derived from the theory on contextual factors in cybersecurity: organizational, technological, and human factors. As some categories overlapped, this resulted in 14 themes (Textbox 1).

Organizational Factors

Contextual factors encompass factors specific to organizations, such as organizational structure, culture, and roles and responsibilities, which affect how risks are perceived and managed. In the analysis, we identified themes that included several contextual factors (Table 4).

Technological Factors

Technological factors include how technologies are implemented, which security mechanisms are integrated, and their functionality. This category refers to the characteristics and capabilities of the technology and how the respondents perceived cybersecurity risk based on their understanding of different technological and system-related factors (Table 5).

Human Factors

The concept of human factors refers to the physiological and behavioral elements that influence how cybersecurity and risks are perceived for systems and technology (Table 6).

Discussion

Principal Findings

For assisted living technologies, cybersecurity risk was perceived as reasonably low. Yet, there were variations in how confidentiality, integrity, and availability were assessed between technologies. Findings from the BCISQ demonstrated similar behavior and awareness among respondents, but risk perceptions for different technologies varied. For assisted living technology, integrity and confidentiality were prioritized, whereas, for diabetes technology, availability was viewed as more critical. Moreover, our survey and interview findings indicated that risk perception is stronger toward assisted living and diabetes technologies than smartwatches. This nuance was further explored in interviews, where both groups acknowledged availability as a crucial aspect of device functionality. Although few respondents considered data or device manipulation likely, they expressed significant concern about the potential consequences if such events occurred. Risk perceptions of the respondents are significantly affected by contextual factors in the area of human factors, namely, knowledge, competence, familiarity, dread/security of consequence, perceived benefit, and trust. The technological factor of “functionality and criticality” was also found to affect risk perception, as demonstrated in the differences between “high-risk” and “low-risk” devices. These are the factors evaluated to have the greatest implications for risk perception. Organizational factors such as health care sector organization were identified to have an effect, but based on the interviews, less than the others.

Risky Behavior and Information Security Awareness

The results from the BCISQ demonstrated that our respondents assessed their behavior as secure, with a more unlikely than likely chance of being exploited. Security measures were evaluated as high in importance, which indicates a strong awareness among respondents. There were only minor variations in the data between the included participants, indicating that respondents have similar behavior and awareness about cybersecurity. However, a discrepancy was identified between how respondents self-assessed their behavior and how they behaved: 17 out of 185 (9.2%) Norwegian respondents and 16 out of 89 (18%) BC respondents were willing to engage in risky behavior by revealing their passwords to check password quality. In addition, 94 out of 185 (50.8%) Norwegian respondents and 45 out of 89 (51%) respondents reused passwords, which is viewed as risky behavior and bad practices within cybersecurity.

Comparison With Prior Work

Organizational Factors

In our study, factors such as organizational structure, roles and responsibilities, and expectations toward vendors influenced how risks were perceived. This is supported by previous research, which found that organizational factors can contribute to increase (amplify) or decrease (attenuate) perception of risks [Kasperson RE, Webler T, Ram B, Sutton J. The social amplification of risk framework: new perspectives. Risk Anal. Jul 2022;42(7):1367-1380. [FREE Full text] [CrossRef] [Medline]35]. Moreover, previous research has found that cross-cultural differences can affect risk perceptions [Kasperson R, Renn O, Slovic P, Brown H, Emel J, Goble R, et al. The social amplification of risk: a conceptual framework. Risk Analysis. May 29, 2006;8(2):177-187. [FREE Full text] [CrossRef]34,Kasperson RE, Webler T, Ram B, Sutton J. The social amplification of risk framework: new perspectives. Risk Anal. Jul 2022;42(7):1367-1380. [FREE Full text] [CrossRef] [Medline]35]. Our survey suggested minimal differences among respondents from Norway and BC in behavior, awareness, and view of risks for health care technology and smartwatches. Similarly, our interviews found similarities in risk perceptions between the participants, indicating that region (cross-cultural differences) has a minimal effect on risk perception in this case [Larsen M, Lund M. Cyber risk perception in the maritime domain: a systematic literature review. IEEE Access. 2021;9:144895-144905. [CrossRef]44,Reeves A, Parsons K, Calic D. Whose risk is it anyway: how do risk perception and organisational commitment affect employee information security awareness? Berlin, Heidelberg, Germany. Springer; 2020. Presented at: 22nd International Conference on Human-Computer Interaction (HCII2020); July 19-24, 2020:232-249; Copenhagen, Denmark. [CrossRef]45].

Technological Factors

We found similar understandings of the risks of assisted living and diabetes technologies based on the consequences if confidentiality, integrity, or availability were compromised. A minor difference was found where availability risks were evaluated higher in consequence for insulin pumps and CGMs (4=major), while integrity and confidentiality risks were evaluated higher for medicine dispensers and digital self-reporting (4=major).

Smartwatches were included to investigate if respondents perceived risks differently for “low-risk” compared with “high-risk” devices, as risk perception has previously been connected to the severity and fear of consequences [Sjoberg L. Factors in risk perception. Risk Anal. Feb 2000;20(1):1-11. [Medline]39,Siegrist M, Cvetkovich G, Roth C. Salient value similarity, social trust, and risk/benefit perception. Risk Anal. Jun 2000;20(3):353-362. [CrossRef] [Medline]42,Larsen M, Lund M. Cyber risk perception in the maritime domain: a systematic literature review. IEEE Access. 2021;9:144895-144905. [CrossRef]44,Tornatzky L, Fleischer M, Chakrabarti A. Lexington M, editor. The Processes of Technological Innovation. Lanham, MD. Lexington Books; 1990. 48,Starr C. Social benefit versus technological risk. Science. Sep 19, 1969;165(3899):1232-1238. [CrossRef] [Medline]64,Huang D, Rau P, Salvendy G. A survey of factors influencing peoples perception of information security. In: Jacko J, editor. Human-Computer Interaction, Part IV. Heidelberg, Germany. Springer; 2007:906-915.65]. Our survey identified differences in risk perception, where “high-risk” devices included assisted living technologies and diabetes technologies, and “low-risk” included smartwatches. The probability and consequences were evaluated higher for “high-risk” devices than “low-risk” devices (Figure 2). In interviews, the perceived consequences of a closed-loop insulin control system were viewed as potentially fatal, which was a consideration for adopting such technologies. Manipulation of data, compromising data integrity, could lead to devastating consequences, such as wrong insulin/medication dosage. This indicates that the function and criticality of the device affect risk perception and technology adoption, which aligns with previous research [Sjoberg L. Factors in risk perception. Risk Anal. Feb 2000;20(1):1-11. [Medline]39,Starr C. Social benefit versus technological risk. Science. Sep 19, 1969;165(3899):1232-1238. [CrossRef] [Medline]64,Slovic P. Perception of risk. Science. Apr 17, 1987;236(4799):280-285. [CrossRef] [Medline]66,Fischhoff B, Slovic P, Lichtenstein S. Weighing the risks: risks: benefits which risks are acceptable? Environment: Science and Policy for Sustainable Development. Jul 08, 2010;21(4):17-38. [CrossRef]67].

Human Factors

Previous research has demonstrated that human factors such as knowledge, behavior, and emotions are essential for understanding cybersecurity risk [Rohan R, Funilkul S, Pal D, Chutimaskul W. Understanding of human factors in cybersecurity: a systematic literature review. 2021. Presented at: 2021 International Conference on Computational Performance Evaluation (ComPE); December 1-3, 2021:133-140; Shillong, Meghalaya, India. [CrossRef]52]. Risk perception theory highlights that understanding, competence, and familiarity with both hazards and risks affect risk perception. Yet, the TAM views familiarity as an enabler for technology adoption [Goh Z, Hou M, Cho H. The impact of a cause-effect elaboration procedure on information security risk perceptions: a construal fit perspective. Journal of Cybersecurity. Jan 2022;8(1):tyab026. [CrossRef]29,Larsen M, Lund M. Cyber risk perception in the maritime domain: a systematic literature review. IEEE Access. 2021;9:144895-144905. [CrossRef]44,Ajzen I, Fishbein M. Understanding Attitudes and Predicting Social Behavior. Hoboken, NJ. Prentice-Hall; 1980. 47,Venkatesh V, Davis FD. A theoretical extension of the Technology Acceptance Model: four longitudinal field studies. Management Science. Feb 2000;46(2):186-204. [CrossRef]50,Mitchell-Box K, Braun KL. Fathers' thoughts on breastfeeding and implications for a theory-based intervention. J Obstet Gynecol Neonatal Nurs. 2012;41(6):E41-E50. [CrossRef] [Medline]51,Huang D, Rau P, Salvendy G. A survey of factors influencing peoples perception of information security. In: Jacko J, editor. Human-Computer Interaction, Part IV. Heidelberg, Germany. Springer; 2007:906-915.65,Slovic P. Perception of risk. Science. Apr 17, 1987;236(4799):280-285. [CrossRef] [Medline]66]. Findings from our study agree with previous studies, where increased familiarity and knowledge of a technology resulted in a change in risk perception. Thus, the perceived severity of consequences affected risk perception, agreeing with previous research emphasizing that the severity level will increase or decrease risk perception [Slovic P. The perception of risk. In: Scientists Making a Difference: One Hundred Eminent Behavioral and Brain Scientists Talk About Their Most Important Contributions. Cambridge, MA. Cambridge University Press; 2016:179-182.30-Slovic P, Fischhoff B, Lichtenstein S. Why study risk perception? Risk Analysis. May 30, 2006;2(2):83-93. [FREE Full text] [CrossRef]32,Reeves A, Parsons K, Calic D. Whose risk is it anyway: how do risk perception and organisational commitment affect employee information security awareness? Berlin, Heidelberg, Germany. Springer; 2020. Presented at: 22nd International Conference on Human-Computer Interaction (HCII2020); July 19-24, 2020:232-249; Copenhagen, Denmark. [CrossRef]45]. The concept of dread has been investigated thoroughly within risk perception theories [Slovic P. Perception of risk. Science. Apr 17, 1987;236(4799):280-285. [CrossRef] [Medline]66,Finucane ML, Alhakami A, Slovic P, Johnson SM. The affect heuristic in judgments of risks and benefits. J Behav Decis Making. Jan 2000;13(1):1-17. [CrossRef]68]. Dread associated with potential harm affects risk perception: in both interviews and our survey, consequences were evaluated as more severe, with potentially fatal consequences. Within TAM and risk perception studies, it has been found that perceived usefulness is important for technology adoption and that the benefits of technology lead to greater risk acceptance, followed by a lower risk perception [Siegrist M, Cvetkovich G, Roth C. Salient value similarity, social trust, and risk/benefit perception. Risk Anal. Jun 2000;20(3):353-362. [CrossRef] [Medline]42-Larsen M, Lund M. Cyber risk perception in the maritime domain: a systematic literature review. IEEE Access. 2021;9:144895-144905. [CrossRef]44,Fischhoff B, Slovic P, Lichtenstein S. Weighing the risks: risks: benefits which risks are acceptable? Environment: Science and Policy for Sustainable Development. Jul 08, 2010;21(4):17-38. [CrossRef]67]. Similarly, we found that respondents were willing to accept risk up to a certain level due to the perceived benefits of the devices. This indicates that convenience and benefit also shaped how risks were perceived, resulting in a lower risk perception.

The implication of trust on risk perception has been debated in previous work [Sjöberg L. Risk perception: experts and the public. European Psychologist. Mar 1998;3(1):1-12. [FREE Full text] [CrossRef]40]. In our study, trust was an essential factor influencing risk perception. Our respondents expressed trust in health care institutions and medical device companies to ensure that technology is secure, previously conceptualized as social trust [Siegrist M, Cvetkovich G, Roth C. Salient value similarity, social trust, and risk/benefit perception. Risk Anal. Jun 2000;20(3):353-362. [CrossRef] [Medline]42]. Trust is also placed on individuals, whereas if a user trusts others interacting with technologies, risks are perceived to be lower [Haugli-Sandvik M, Lund MS, Bjørneseth FB. Maritime decision-makers and cyber security: deck officers’ perception of cyber risks towards IT and OT systems. Int J Inf Secur. Feb 02, 2024;23(3):1721-1739. [CrossRef]43,Larsen M, Lund M. Cyber risk perception in the maritime domain: a systematic literature review. IEEE Access. 2021;9:144895-144905. [CrossRef]44]. Lastly, there is also trust dedicated to technologies, as respondents perceived these as trustworthy due to a lack of incidents, which resulted in lower perceived risk for assisted living technologies and diabetes technologies.

Limitations

The starting point of this study was to investigate cybersecurity perceptions among stakeholders in 2 different countries. The first limitation concerns the inherent differences between these 2 countries. Although we recognize these differences, we can compare risk perceptions due to a focus on technologies deployed in the health care sector. We recognize differences between users of assisted living technologies and diabetes technologies; however, the findings provide valuable insight into cybersecurity risk perception. A limitation in the Norwegian data sample is the exclusion of patients, which should be addressed in future studies to provide a more comprehensive perspective. In continuing this research, including patients as part of the Norwegian sample would be advisable to capture their concerns about cybersecurity risks.

Next, due to a survey logic error that resulted in optional risk perception questions, the Norwegian sample was limited to 147 out of 185 (79.5%) participants for assisted living technologies and 65 out of 185 (35.1%) participants for smartwatches. This significantly reduces the power of the Norwegian sample in this dimension; nevertheless, we believe the observations still provide valuable insights.

Expanding the sample to include a wide range of patients in both countries would also allow a deeper exploration of how patient-specific factors, such as age, condition, or digital literacy, influence risk perception. Further, women are overrepresented in both samples (139/185, 75.1%, for Norway and 57/89, 64%, for BC). Although a more equal gender distribution would be desirable, it reflects the workforce composition in the health care sector in both regions [Labour Market Information (LMI) Directorate SC. British Columbia sector profile: health care. Government of Canada - Job Bank. 2023. URL: https:/​/www.​jobbank.gc.ca/​trend-analysis/​job-market-reports/​british-columbia/​sectoral-profile-health-care [accessed 2024-05-20] 69,Jia Z, Kornstad T, Stølen N, Hjemås G. Arbeidsmarkedet for helsepersonell fram mot 2040. Rapporter. Feb 2023. URL: https://tinyurl.com/p22f3rs4 [accessed 2024-06-24] 70]. Future research should aim for equal gender representation to ensure that one gender’s perspectives do not disproportionately shape the findings. Recruitment strategies could be adjusted to target more men or other underrepresented groups in the sample. Additionally, we did not perform a subgroup analysis by age category to explore if age is a factor that can explain some of the variability observed in risk perception, which should also be considered in future work, including more diverse populations and larger sample sizes.

Additionally, we could not combine the data sets for further statistical analysis, which restricts the depth of our analysis. The technologies used as examples in the study (assisted living or diabetes technology) serve different purposes and groups, which may lead to varying risk perceptions. This variability must be considered when interpreting the results, as it may influence stakeholders’ views on risk differently. Future research should aim to collect a larger sample, possibly through collaborations with multiple health care institutions. Additionally, future studies could consider longitudinal designs to identify changes in risk perceptions over time.

This study did not perform a subgroup analysis of survey responses by participant type, such as patients and clinicians. However, differences among patients and clinicians were observed in the interviews and, therefore, included in the discussion. Future research should investigate the effects of participant type in interpreting the survey data to more comprehensively explore the potential differences in risk perception by participant type or organizational role.

Next, the first author (AS) conducted the thematic analysis of interviews. This approach introduces the potential for bias, as a single researcher’s perspective can influence the interpretation of qualitative data. To mitigate this, the themes and key findings were discussed among the researchers. Future studies should aim for multiple researchers to engage in the thematic analysis process, ensuring a more balanced analysis. Furthermore, the reliance on self-reported data from surveys and interviews inherently carries the risk of response bias, where participants might provide socially desirable answers or have recall bias.

Suggestions for Further Research

The BC cohort should be used to investigate differences between participant groups and user characteristics further. Including patients from the Norwegian population would also be interesting, as this could provide a more comprehensive understanding of risk perceptions and enable the comparison between patients in Norway and BC. A comparative analysis of Norwegian and BC patient populations could reveal how factors such as health care infrastructure, cultural attitudes, and patient demographics influence cybersecurity risk perception. This broader understanding could also inform more tailored approaches to risk communication and management in different health care contexts.

This study has examined cybersecurity risk perception related to specific individual health devices, yet they are often combined—a technological complexity that should be explored further. Further research should explore these complexities by investigating how interoperable systems manage cybersecurity risks, such as CGMs and insulin pumps working in tandem. This would involve assessing the technical vulnerabilities introduced by their interaction and understanding how users perceive or experience those risks in real-world settings. It may also be worthwhile to explore whether various vendor or operating system considerations (eg, Android vs iOS for smartphones) impact users’ risk perception.

Another promising direction would be to combine technological analysis of systems with human and behavioral studies, providing a comprehensive system-level perspective on cybersecurity risks in health care. Such research could offer insights into balancing cybersecurity’s technical aspects with user experiences, ultimately contributing to more secure health care technology ecosystems. In addition, future studies should incorporate mixed method approaches, such as triangulating self-reported data with observational data or objective measures (eg, usage logs or system performance data), to validate and complement the findings. This would provide a more comprehensive understanding of risk perceptions and reduce the potential bias in self-reporting.

Practical Recommendations

Implementing technology is not straightforward, and one could argue it is even more challenging in health care due to patient safety and security considerations. Ensuring transparency about potential risks and threats is critical for fostering trust, as subjective perceptions of risk vary among interested parties, as identified in this study. For instance, when rolling out new devices such as closed-loop systems for diabetes management (T1D), health care workers and technology developers could hold regular informational sessions or consultations directed toward both care receivers (patients and end-users) and caregivers. Based on the identified needs, one could focus on explaining the security features of and fail-safe mechanisms implemented in these systems. Enabling ongoing risk communication could help reduce skepticism and perceived risk.

Moreover, a structured risk management process, including regularly updated risk and threat assessments, is essential. The study found that respondents were generally willing to accept a certain degree of risk when the perceived benefits and convenience of their device outweighed the potential risks. The balance between risk and benefit/convenience is a crucial driver of technology acceptance. For example, although users may have concerns about data privacy when using wearables, many still choose to use them because of the convenience and value of the health insights these devices provide—such as real-time glucose monitoring or medication assistance—as these are essential in managing their health.

In addition, strengthening the knowledge and competence of all relevant parties—developers, care receivers, and health care workers—is essential, as cybersecurity risks and threats can be challenging to understand, especially for novices. Awareness is a security measure that can mitigate risks derived from humans’ interaction with technology, and education is another area that should not be neglected to increase cybersecurity understanding. Practical steps such as security awareness programs could be integrated into the onboarding process for new technologies. For example, when introducing T1D technology (insulin pump or CGM) or assisted living technology (digital medication dispenser or digital self-reporting forms) to new users, as a part of the adoption process, one could introduce training sessions that cover key security areas such as password management, recognizing phishing attempts, and fail-safe mechanisms of the platforms. Such initiatives should be developed in close cooperation with the developers and vendors of the technology, as they often hold more detailed information about the system’s security features.

Conclusions

We found minimal behavior and risk perception differences among the participants from Norway and BC. Human factors and device functionality were most influential in shaping cybersecurity risk perceptions. Considering the expected reliance on assisted living technologies and remote care solutions for disease management in the coming years, insight into risk perceptions can assist in reducing fears among relevant parties so that technologies can be adopted more broadly. Understanding risk perceptions can strengthen risk management and awareness, and understanding how to develop mitigating strategies to improve cybersecurity risk management is essential. Different inhibitors and drivers exist in technology adoption, so it is essential to understand the needs and capabilities of specific technology users. Building competence, knowledge, and trust can be essential steps in this endeavor. For future technological innovation and development, security should be considered as a prerequisite rather than an afterthought—it should be a license to operate.