13 research outputs found

    Data-Driven and Artificial Intelligence (AI) Approach for Modelling and Analyzing Healthcare Security Practice: A Systematic Review

    Data breaches in healthcare continue to grow exponentially, calling for a rethinking of security measures towards mitigating the menace. Traditional approaches, including technological measures, have significantly contributed to mitigating data breaches, but what is still lacking is the development of the “human firewall,” which is the conscious care security practice of the insiders. As a result, the healthcare security practice analysis, modeling and incentivization project (HSPAMI) is geared towards analyzing healthcare staffs’ security practices in various scenarios, including big data. The intention is to determine the gap between staffs’ security practices and required security practices for incentivization measures. To address the state of the art, a systematic review was conducted to pinpoint appropriate AI methods and data sources that can be used for effective studies. Out of about 130 articles, which were initially identified in the context of human-generated healthcare data for security measures in healthcare, 15 articles were found to meet the inclusion and exclusion criteria. A thorough assessment and analysis of the included articles reveals that KNN, Bayesian Network and Decision Tree (C4.5) algorithms were mostly applied on Electronic Health Records (EHR) logs and network logs with varying input features of healthcare staffs’ security practices. What was found challenging is the performance scores of these algorithms, which were not sufficiently outlined in the existing studies.

    Human Behavior Prediction for Risk Analysis

    No full text
    The Conflicting Incentives Risk Analysis (CIRA) method makes predictions about human decisions to characterize risks within the domain of information security. Since traditional behavior prediction approaches utilizing personal features achieve low prediction accuracies in general, there is a need for improving predictive capabilities. Therefore, the primary objective of this study is to propose and test a psychological approach for behavior prediction, which utilizes features of situations to achieve improved predictive accuracy. An online questionnaire was used for collecting behavioral and trait data to enable a comparison of approaches. Results show that the proposed behavior prediction approach outperforms the traditional approach across a range of decisions. Additionally, interrater reliabilities are analyzed to estimate the extent of objectivity in situation evaluations, providing an indication of the potential performance of the approach when a risk analyst needs to rely on unobtrusive assessment of action desirability.

    Inferring Delay Discounting Factors from Public Observables: Applications in Risk Analysis and the Design of Adaptive Incentives

    No full text
    Decision-makers regularly need to make trade-offs between benefits in the present and the future. Smaller immediate rewards are often preferred over larger delayed rewards. The concept of delay discounting describes how rewards further in the future lose their value in comparison to immediate or more proximal rewards. Empirical evidence shows that people discount future rewards using a hyperbolic function, which gives rise to preference reversals as the delay between a decision and receipt of the reward increases. People show great differences in terms of their tendency to discount future benefits. The extent of discounting is characterized by each individual’s discounting factor k. This study investigates the extent to which the discounting factor k can be inferred from publicly observable pieces of information (i.e. ownership of items, habits) linked to individuals. Data was collected from 331 respondents in an online questionnaire. The analyses show that 37% of the variance can be

    A Taxonomy of Situations within the Context of Risk Analysis

    No full text
    Prediction of deliberate human decisions with potential negative impact on others would have great practical and scientific utility. The Conflicting Incentives Risk Analysis (CIRA) method defines risk as a result of misaligned incentives between various stakeholders. The method makes predictions based on action desirability from the perspective of the individual in the position to implement the action. Therefore, in order to assess action desirability it is necessary to characterize stakeholders and their perceptions about the situation as well. While classification systems and taxonomies related to stakeholder attributes are well-established, systematic classifications of situational aspects are underdeveloped in the literature. Therefore, the main objective of this paper is to present a classification of situational variables in the form of a taxonomy capturing key situational features that exert influence on decision-makers. The development of the taxonomy begins with mapping two major types of risks distinguished in the CIRA method to relevant psychological constructs. The principled, systematic development of dilemmas enabled by the taxonomy allows researchers to investigate the predictability of stakeholder behavior which may result in various types of risks. The taxonomy is extensible, thus additional concepts and variables can be included depending on the needs of the analysis and according to future developments within the fields of psychology and information security.

    Construction of Human Motivational Profiles by Observation for Risk Analysis

    No full text
    This study aimed at analyzing the extent to which publicly observable pieces of information representing stakeholders’ past and current choices can be utilized for the construction of motivational profiles. Motivation is operationalized by the theory of Basic Human Values, which organizes 10 values capturing distinct aspects of human motivation into a hierarchical order. The construction of motivational profiles for individual stakeholders is motivated by the need to enhance the existing decision-maker model in the Conflicting Incentives Risk Analysis (CIRA) method. This study utilized an online questionnaire to collect responses from participants (n = 331) about a wide range of habits and personal items that are easily observable in various contexts by an analyst. The validity of the set of observables as surrogate predictors of the motivational profiles is evaluated by various methods (i.e., comparison to previous results, cross-validation of models, comparison to test-retest reliability of the psychometric instrument) and techniques (calculation of prediction intervals for individual profile scores). The assessment of the uncertainties associated with predicting motivational profiles is explored in detail. Additionally, an example illustrates how the profiles can be utilized for the assessment of action desirability (i.e., prediction of behavior) based on the utility calculations established in CIRA. The results contribute to an improved understanding of the accuracy with which human stakeholder motivation can be inferred from public observables and utilized within the context of information security risk analysis.

    Secure Benchmarking using Electronic Voting

    No full text
    It is a common practice in the industry to organize benchmark processes to establish information security performance evaluation standards. A benchmarking system collects information security-related data from organizations to establish a standard. The information shared by an organization often contains sensitive data (details of vulnerabilities, cyber attacks). The present benchmarking systems do not provide a secure way of exchanging sensitive information between the submitter and the benchmark authority. Furthermore, there is a lack of any mechanism for the submitters to verify that the final benchmark result contains the response submitted by them. Hence, people are reluctant to take active participation in sharing their sensitive information in the benchmarking process. We propose a novel approach to solve the security limitations of present benchmarking systems by applying the concepts of electronic voting to benchmarking. Our solution provides secrecy for submitters’ identities and for the benchmark responses. Our approach also ensures that all the submitted responses have been correctly counted and considered in the final benchmark result.

    Healthcare Staffs' Information Security Practices Towards Mitigating Data Breaches: A Literature Survey

    No full text
    The purpose of this study was to understand healthcare staffs' information security (IS) practices towards mitigating data breaches. A literature survey was conducted to understand the state-of-the-art methods, tools, evaluation techniques and the challenges to their implementation. The results would be used for empirical studies in a hospital setting in Norway on Healthcare Security Practice Analysis, Modeling and Incentivization (HSPAMI). The Human Aspects of Information Security Questionnaire was identified as a robust and comprehensive tool for gathering staff security practices. Integrated theories were adopted to form comprehensive staff characteristics. A mixed-method approach for evaluating the theories was also identified as the best strategy.

    Using Demographic Features for the Prediction of Basic Human Values Underlying Stakeholder Motivation

    No full text
    Human behavior plays a significant role within the domain of information security. The Conflicting Incentives Risk Analysis (CIRA) method focuses on stakeholder motivation to analyze risks resulting from the actions of key decision makers. In order to enhance the real-world applicability of the method, it is necessary to characterize relevant stakeholders by their motivational profile, without relying on direct psychological assessment methods. Thus, the main objective of this study was to assess the utility of demographic features, which are observable in any context, for deriving stakeholder motivational profiles. To this end, this study utilized the European Social Survey, which is a high-quality international database comprised of representative samples from 23 European countries. The predictive performances of a pattern-matching algorithm and a machine-learning method are compared to establish the findings. Our results show that demographic features are marginally useful for

    A framework for estimating information security risk assessment method completeness: Core Unified Risk Framework

    No full text
    In general, an information security risk assessment (ISRA) method produces risk estimates, where risk is the product of the probability of occurrence of an event and the associated consequences for the given organization. ISRA practices vary among industries and disciplines, resulting in various approaches and methods for risk assessments. There exist several methods for comparing ISRA methods, but these are scoped to compare the content of the methods to a predefined set of criteria, rather than the process tasks to be carried out and the issues the method is designed to address. It is the lack of an all-inclusive and comprehensive comparison that motivates this work. This paper proposes the Core Unified Risk Framework (CURF) as an all-inclusive approach to compare different methods; all-inclusive since we grew CURF organically by adding new issues and tasks from each reviewed method. If a task or issue was present in a surveyed ISRA method, but not in CURF, it was appended to the model, thus obtaining a measure of completeness for the studied methods. The scope of this work is primarily functional approaches to risk assessment procedures, which are the formal ISRA methods that focus on assessments of assets, threats, vulnerabilities, and protections, often with measures of probability and consequence. The proposed approach allowed for a detailed qualitative comparison of processes and activities in each method and provided a measure of completeness. This study does not address aspects beyond risk identification, estimation, and evaluation; considering the total of all three activities, we found “ISO/IEC 27005 Information Security Risk Management” to be the most complete approach at present. For risk estimation only, we found the Factor Analysis of Information Risk and ISO/IEC 27005:2011 to be the most complete frameworks. In addition, this study discovers and analyzes several gaps in the surveyed methods.