Optimizing Investments in Cyber Hygiene for Protecting Healthcare Users

Part of the Lecture Notes in Computer Science book series (LNCS, volume 12065)


Cyber hygiene measures are often recommended for strengthening an organization’s security posture, especially for protecting against social engineering attacks that target the human element. However, the related recommendations are typically the same for all organizations and their employees, regardless of the nature and the level of risk for different groups of users. Building upon an existing cybersecurity investment model, this paper presents a tool for optimal selection of cyber hygiene safeguards, which we refer as the Optimal Safeguards Tool (OST). The model combines game theory and combinatorial optimization (0-1 Knapsack) taking into account the probability of each user group to being attacked, the value of assets accessible by each group, and the efficacy of each control for a particular group. The model considers indirect cost as the time employees could require for learning and trainning against an implemented control. Utilizing a game-theoretic framework to support the Knapsack optimization problem permits us to optimally select safeguards’ application levels minimizing the aggregated expected damage within a security investment budget.

We evaluate OST in a healthcare domain use case. In particular, on the Critical Internet Security (CIS) Control group 17 for implementing security awareness and training programs for employees belonging to the ICT, clinical and administration personnel of a hospital. We compare the strategies implemented by OST against alternative common-sense defending approaches for three different types of attackers: Nash, Weighted and Opportunistic. Our results show that Nash defending strategies are consistently better than the competing strategies for all attacker types with a minor exception where the Nash defending strategy, for a specific game, performs at least as good as other common-sense approaches. Finally, we illustrate the alternative investment strategies on different Nash equilibria (called plans) and discuss the optimal choice using the framework of 0-1 Knapsack optimization.


Cybersecurity Cyber hygiene Healthcare Optimization Training and awareness CIS control Game theory 



We thank the reviewers for their valuable feedback and comments.

Emmanouil Panaousis is partially supported by the European Commission as part of the CUREX project (H2020-SC1-FA-DTS-2018-1 under grant agreement No. 826404). The work of Christos Laoudias has been partially supported by the CUREX project (under grant agreement No. 826404), by the European Union’s Horizon 2020 research and innovation programme (under grant agreement No. 739551 (KIOS CoE)), and from the Republic of Cyprus through the Directorate General for European Programmes, Coordination and Development.


  1. 1.
    Mohammadi, F., Panou, A., Ntantogian, C., Karapistoli, E., Panaousis, E., Xenakis, C.: CUREX: seCUre and pRivate hEalth data eXchange. In: IEEE/WIC/ACM International Conference on Web Intelligence, vol. 24800, pp. 263–268 (2019)Google Scholar
  2. 2.
    Vishwanath, A., et al.: Cyber hygiene: the concept, its measure, and its initial tests. Decis. Supp. Syst. 128, 113160 (2019)CrossRefGoogle Scholar
  3. 3.
    Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., Smeraldi, F.: Decision support approaches for cyber security investment. Decis. Supp. Syst. 86, 13–23 (2016)CrossRefGoogle Scholar
  4. 4.
    Kruse, C.S., Frederick, B., Jacobson, T., Monticone, D.K.: Cybersecurity in healthcare: a systematic review of modern threats and trends. Technol. Health Care 25(1), 1–10 (2017)CrossRefGoogle Scholar
  5. 5.
    Solans Fernández, O., et al.: Shared medical record, personal health folder and health and social integrated care in catalonia: ICT services for integrated care. In: Rinaldi, G. (ed.) New Perspectives in Medical Records. T, pp. 49–64. Springer, Cham (2017). Scholar
  6. 6.
    Coventry, L., Branley, D.: Cybersecurity in healthcare: a narrative review of trends, threats and ways forward. Maturitas 113, 48–52 (2018)CrossRefGoogle Scholar
  7. 7.
    Kotz, D., Gunter, C.A., Kumar, S., Weiner, J.P.: Privacy and security in mobile health: a research agenda. Computer 49(6), 22–30 (2016)CrossRefGoogle Scholar
  8. 8.
    Loukas, G.: Cyber-Physical Attacks: A Growing Invisible Threat. Butterworth-Heinemann, Oxford (2015)Google Scholar
  9. 9.
    Billingsley, L., McKee, S.A.: Cybersecurity in the clinical setting: Nurses’ role in the expanding “internet of things". J. Contin. Educ. Nurs. 47(8), 347–349 (2016)CrossRefGoogle Scholar
  10. 10.
    Heartfield, R., Loukas, G.: Detecting semantic social engineering attacks with the weakest link: Implementation and empirical evaluation of a human-as-a-security-sensor framework. Comput. Secur. 76, 101–127 (2018)CrossRefGoogle Scholar
  11. 11.
    Such, J.M., Ciholas, P., Rashid, A., Vidler, J., Seabrook, T.: Basic cyber hygiene: does it work? Computer 52(4), 21–31 (2019)CrossRefGoogle Scholar
  12. 12.
    Zhou, L., Parmanto, B., Alfikri, Z., Bao, J.: A mobile app for assisting users to make informed selections in security settings for protecting personal health data: development and feasibility study. JMIR mHealth uHealth 6(12), e11210 (2018)CrossRefGoogle Scholar
  13. 13.
    Furnell, S., Sanders, P., Warren, M.: Addressing information security training and awareness within the european healthcare community. Stud. Health Technol. Inform. 43, 707–711 (1997)Google Scholar
  14. 14.
    Heartfield, R., Loukas, G.: A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks. ACM Comput. Surv. 48(3), 37 (2016)Google Scholar
  15. 15.
    Heartfield, R., Loukas, G., Gan, D.: You are probably not the weakest link: towards practical prediction of susceptibility to semantic social engineering attacks. IEEE Access 4, 6910–6928 (2016)CrossRefGoogle Scholar
  16. 16.
    Wash, R., Cooper, M.M.: Who provides phishing training?: facts, stories, and people like me. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, p. 492. ACM (2018)Google Scholar
  17. 17.
    Gordon, L.A., Loeb, M.P.: The economics of information security investment. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(4), 438–457 (2002)CrossRefGoogle Scholar
  18. 18.
    Fielder, A., König, S., Panaousis, E., Schauer, S., Rass, S.: Risk assessment uncertainties in cybersecurity investments. Games 9(2), 34 (2018)MathSciNetCrossRefGoogle Scholar
  19. 19.
    Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., Smeraldi, F.: Game Theory Meets Information Security Management. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IAICT, vol. 428, pp. 15–29. Springer, Heidelberg (2014). Scholar
  20. 20.
    Nagurney, A., Daniele, P., Shukla, S.: A supply chain network game theory model of cybersecurity investments with nonlinear budget constraints. Ann. Oper. Res. 248(1–2), 405–427 (2017)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Wang, S.S.: Integrated framework for information security investment and cyber insurance. Pac.-Basin Finance J. 57, 101173 (2019)CrossRefGoogle Scholar
  22. 22.
    Chronopoulos, M., Panaousis, E., Grossklags, J.: An options approach to cybersecurity investment. IEEE Access 6, 12175–12186 (2017)CrossRefGoogle Scholar
  23. 23.
    Martinelli, F., Uuganbayar, G., Yautsiukhin, A.: Optimal security configuration for cyber insurance. In: Janczewski, L.J., Kutyłowski, M. (eds.) SEC 2018. IAICT, vol. 529, pp. 187–200. Springer, Cham (2018). Scholar
  24. 24.
    Whitman, M.E., Mattord, H.J.: Principles of Information Security. Cengage Learning, Boston (2011)Google Scholar
  25. 25.
    Smeraldi, F., Malacaria, P.: How to spend it: optimal investment for cyber security. In: Proceedings of the 1st International Workshop on Agents and CyberSecurity, p. 8. ACM (2014)Google Scholar
  26. 26.
    Osborne, M.J., Rubinstein, A.: A Course in Game Theory. MIT Press, Cambridge (1994)zbMATHGoogle Scholar
  27. 27.
    Von Neumann, J., Morgenstern, O.: Theory of Games and Economic Behavior (60th Anniversary Commemorative Edition). Princeton University Press, Princeton (2007)CrossRefGoogle Scholar
  28. 28.
    Nash, J.F.: Equilibrium points in n-person games. In: Proceedings of the National Academy of Sciences, pp. 48–49 (1950)Google Scholar
  29. 29.
    Alpcan, T., Basar, T.: Network Security: A Decision and Game-Theoretic Approach. Cambridge University Press, Cambridge (2010)CrossRefGoogle Scholar
  30. 30.
    Basar, T., Olsder, G.J.: Dynamic Noncooperative Game Theory. Academic Press, London (1995)zbMATHGoogle Scholar
  31. 31.
    Pisinger, D.: Where are the hard knapsack problems? Comput. Oper. Res. 32(9), 2271–2284 (2005)MathSciNetCrossRefGoogle Scholar
  32. 32.
    Rass, S., König, S.: Password security as a game of entropies. Entropy 20(5), 312 (2018)MathSciNetCrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.University of SurreyGuildfordUK
  2. 2.University of GreenwichLondonUK
  3. 3.University of CyprusNicosiaCyprus

Personalised recommendations