Cyber security risk management in large Australian healthcare systems - a mixed methods study

Author Identifier

Martin Dart

Date of Award


Document Type

Thesis - ECU Access Only


Edith Cowan University

Degree Name

Doctor of Philosophy


School of Science

First Supervisor

Mohiuddin Ahmed

Second Supervisor

Wencheng Yang

Third Supervisor

Nickson M. Karie


This thesis investigates cyber security risk and resilience governance challenges impacting large Australian healthcare providers. Using a mixed-methods approach it exploits the benefits of quantitative and qualitative techniques, identifying problem areas where research was previously lacking in order to deliver actionable insights. This includes the Australian context for cyber risk definition and governance, human factors, healthcare data breach occurrences, and cyber incident cost estimation.

This study examines 450 source documents for thematic indicators, and 929 Australian healthcare data breach cases over five years. A bespoke survey of 103 employees, and in-depth interview with 9 specialists, delivers insights into the beliefs and behaviours of Australian healthcare staff.

Eighteen separate factors are identified as influencing cyber security outcomes across the domains of cyber vulnerabilities, clinical service delivery, and audit, risk, and compliance. Human error is shown to be the persistent contributor to Australian healthcare data breaches although most staff never report data breaches, only prefer to engage with security messaging they perceive as being useful, and see cyber responsibility as resting with the system operator rather than themselves.

Financial cyber risk modelling of Australia’s 697 public hospitals, and an impact analysis of three healthcare organisations with budgets up to $33 billion, illustrate the criticality of improvements to this sector. A minor one-week disruption to the nations’ hospital network is modelled to cost over $135 million, leading to the identification of a 1% contingency budget requirement for any agency seeking to remediate cyber incidents – along with a need for robust cyber insurance coverage.

Where security framework complexity and ambiguity is shown to be a problem, this thesis develops a novel ‘cyber-AIDD’ risk classification and governance framework, using the UML framework to clearly articulate process interrelationships.

Cyber risk legislative and governance demands on the healthcare sector are also shown to be increasing, even though the complex legal patchwork across Australia is highly likely to result in an under-reporting of relevant cyber incidents.

The practical information and regionally-specific data investigated by this thesis provides a strong baseline for any Australian healthcare provider to commence a journey to improved cyber security and resilience. Other researchers can use these findings to build more effective staff education campaigns, compare the risk financial model to real world incidents, or develop new innovations in cyber risk frameworks that are practical and relevant to the healthcare industry.

This research has discovered that Australian healthcare is significantly exposed to cyber security risk from eighteen contributing factors, and has proposed a new approach to manage each one of these risks using innovative methodologies and governance. This thesis presents a range of original knowledge contributions to industry and academia, which have been confirmed in four accompanying peer-reviewed publications.



Access Note

Access to this thesis is embargoed until 22nd January 2029.

Access to this thesis is restricted. Please see the Access Note below for access details.