Abstract
Information security breaches are of major concern for healthcare mobile ad-hoc networks (h-MANETs). In this paper, we propose a model that identifies and assesses risk in an h-MANET deployed by a healthcare institution in a disaster-prone region a priori by modeling the possible routes a hacker might follow to compromise a target. Our model proposes a novel method to compute the transition probability of each hop in the h-MANET. Next, it employs Markov theory to compute the maximum and minimum number of hops required to compromise the target for a given source-target <S-T> pair. It then determines the vulnerability for all the paths comprising minimum to maximum hops only for each <S-T> pair by computing their overall transition probability. Finally, our model computes the risk associated with each of these paths. Based on the calculated risk level of each path, the management can recommend an appropriate risk mitigation strategy.
Similar content being viewed by others
References
Alexander, S., Cheng, Y., Coan, B., Ghetie, A., Kaul, V., Siegell, B., Bellovin, S., Maxemchuk, F., Schulzrinne, H., Schwab, S., Stavrou, A., & Smith, J. (2009). The dynamic community of interest and its realization in ZODIAC. IEEE Communications Magazine, 47(10), 40–47.
Arnes, A., Valeur, F., Vigna, G., & Kemmerer, R. (2006). Using hidden Markov models to evaluate the risk of intrusions. Recent advances in intrusion detection. Lecture Notes in Computer Science, 4219, 145–164.
August, T., Niculescu, M., & Shin, H. (2014). Cloud implications on software network structure and security risks. Information Systems Research, 25(3), 489–510.
Bai, F., & Helmy, A. (2004). A survey of mobility modeling and analysis in wireless adhoc networks. Wireless AdHoc and sensor networks. Dordrecht: Kluwer Academic Publishers.
Bhargava, S., & Agrawal, D. (2001). Security enhancements in AODV protocol for wireless ad hoc networks. Proceedings of Vehicular Technology Conference (VTC) Fall, 4, 2143–2147.
Blazevic, L., Buttyan, L., Capkum, S., Giordano, S., Hubaux, J., & Boudec, J. (2001). Self-organization in mobile ad-hoc networks: the approach of terminodes. IEEE Communications Magazine, 39(6), 166–174.
Blazevic, L., Boudec, J., & Giordano, S. (2005). A location-based routing method for mobile ad hoc networks. IEEE Transactions on Mobile Computing, 4(2), 97–110.
Bojanc, R., & Jerman-Blazic, B. (2008). An economic modelling approach to information security risk management. International Journal of Information Management, 28(5), 413–422.
Broderick, J. (2006). ISMS, security standards and security regulations. Information Security Technical Report, 11(1), 26–31.
Cai, F., Ming, L., Jing, C., Li, Z., & Liu, X. (2011). A projection pursuit based risk assessment method in mobile ad hoc networks. International Journal of Computational Intelligence Systems., 4(5), 749–758.
Camp, T., Boleng, J., & Davies, V. (2002). A survey of mobility models for ad hoc network research. Wireless Communication & Mobile Computing Journal, 2(5), 483–502.
Cao, Y., & Xie, S. (2005). A position based beaconless routing algorithm for mobile ad hoc networks. Proceedings of the International Conference on Communications, Circuits and Systems, 1(1), 303–307.
Casey, E. (2006). Investigating sophisticated security breaches. Communications of the ACM, 49(2), 48–55.
Chang, K., & Wang, C. (2011). Information systems resources and information security. Information Systems Frontiers, 13(4), 579–593.
Chen, P., Kataria, G., & Krishnan, R. (2011). Correlated failures, diversification, and information security risk management. MIS Quarterly, 35(2), 397–422.
Dai, H., Jia, Z., & Kin, Z. (2009). Trust evaluation and dynamic routing decision based on fuzzy theory for MANETs. Journal of Software, 4(10), 1091–1101.
Das, S., Mukhopadhyay, A., Sadhukhan, S., & Saha, D. (2013a). Vulnerable path determination in mobile ad-hoc networks using Markov Model. In Proceedings of the 19 th Americas Conference on Information Systems (AMCIS), August 15-17, Chicago, Illinois, USA.
Das, S., Mukhopadhyay, A., & Shukla, G. (2013b). i-HOPE framework for predicting cyber breaches: a logit approach. Proceedings of the 46th Hawaii International Conference on System Sciences (HICSS), January 7–10, Hawaii, USA.
Deng, H., & Agrawal, D. (2004). TIDS: threshold and identity-based security scheme for wireless ad hoc networks. Ad Hoc Networks, 2(3), 291–307.
Ghosh, A., & Swaminatha, T. (2001). Software security and privacy risks in mobile e-commerce. Communications of the ACM, 44(2), 51–57.
Giruka, V., & Singhal, M. (2005). Angular routing protocol for mobile ad-hoc networks. IEEE international conference on distributed computing systems workshops. Columbus, OH.
Gupta, A., & Ranga, S. (2012). Various routing attacks in mobile adhoc networks. International Journal of Computing and Corporate Research, 2(4), 1–15.
Hausken, K. (2014). Returns to information security investment: Endogenizing the expected loss. Information Systems Frontiers, 16(2), 329–336.
Huang, C., Zhou, Q., & Zhang, D. (2016). Integrated wireless communication system using MANET for remote pastoral areas of Tibet. China Communications, 13(4), 49–57.
Hubaux, J., Buttyan, L., & Capkyun, S. (2001). The quest for security in mobile ad hoc networks. In Proceedings of the ACM symposium on Mobile Ad Hoc Networking and Computing (MobiHOC), 146-155, New York, NY, USA.
ISO/IEC 27001 (2013). Information technology security techniques. Information security management systems—requirements. https://www.iso.org/standard/54534.html. Accessed 21 Jan 2016.
Jang, H., Lien, Y., & Tsai, T. (2009). Rescue information system for earthquake disasters based on MANET emergency communication platform. In Proceedings of the 2009 international conference on wireless communications and mobile computing: connecting the world wirelessly, 623-627 New York, NY, USA.
Kannan, K., & Telang, R. (2005). Market for software vulnerabilities? Think again. Management Science, 51(5), 726–740.
Ko, Y. & Vaidya, N. (1998). Location-aided routing (LAR) in mobile ad hoc networks. In Proceedings of the 4th Annual ACM/IEEE International Conference on Mobile Computing and Networking (MOBICOM), 66-75 Dallas, TX, USA.
Kritzinger, E., & Smith, E. (2008). Information security management : an information security retrieval and awareness model for industry. Computers & Security, 27(5-6), 224–231.
Li, P., & Rao, H. R. (2007). An examination of private intermediaries’ roles in software vulnerabilities disclosure. Information Systems Frontiers, 9(5), 531–539.
Liu, A., Joy, A., & Thompson, R. (2004). A dynamic trust model for mobile ad hoc networks. In Proceedings of 10th IEEE Int'l Workshop Future Trends Of Distributed Computing Systems (Ftdcs '04), 80-85.
Loukas, G., Gan, D., & Vuong, T. (2013). A review of cyber threats and defence approaches in emergency management. Future Internet., 5(2), 205–236.
Lu, X., & Demirbas, M. (2011). Model-based tracking for mobile ad hoc networks. Network Protocols and Algorithms, 3(2), 1–23.
Martí, R., Robles, S., Martín-Campillo, A., & Cucurull, J. (2009). Providing early resource allocation during emergencies: the mobile triage tag. Journal of Network and Computer Applications, 32(6), 1167–1182.
Martín-Campillo, A., Crowcroft, J., Yoneki, E., & Martí, R. (2013). Evaluating opportunistic networks in disaster scenarios. Journal of Network and Computer Applications, 36(2), 870–880.
McQueen, M., Boyer, W, Flynn, M., & Beitel, G. (2006). Quantitative cyber risk reduction estimation methodology for a small SCADA Control System. In Proceedings of 39th Ann. Hawaii Int'l Conf. System Sciences (HICSS 06). track 9, Hawaii, USA.
Mishra, A., Nadkarni, A., & Patcha, A. (2004). Intrusion detection in wireless ad hoc networks. IEEE Wireless Communications, 11(1), 48–60.
Morse, E., & Raval, V. (2008). PCI DSS: payment card industry data security standards in context. Computer Law & Security Review., 24(6), 540–554.
Mukhopadhyay, A., Chatterjee, S., Saha, D., Mahanti, A., & Sadhukhan, S. (2013). Cyber-risk decision models: to insure IT or not? Decision Support Systems, 56, 11–26.
Narula, P., Dhurandher, S., Misra, S., & Woungang, I. (2008). Security in mobile ad-hoc networks using soft encryption and trust-based multi-path routing. Computer Communications, 31(4), 760–769.
NVD (2017). Data Feed and Product Integration, National Vulnerability Database. http://nvd.nist.gov/cvss.cfm?calculator&version=2. Accessed 6 Aug 2014.
Panaousis, E., Politis, C., Birkos, K., Papageorgiou, C., & Dagiuklas, T. (2012). Security model for emergency real-time communications in autonomous networks. Information Systems Frontiers, 14(3), 541–553.
Papadimitratos, P., & Haas, Z. (2003). Secure data transmission in mobile ad hoc networks. In Proceedings of ACM Workshop on Wireless Security (WiSe), San Diego, CA.
Park, I., Sharman, R., & Rao, H. R. (2015). Disaster experience and hospital information systems: an examination of perceived information assurance, risk, resilience, and HIS usefulness. MIS Quarterly, 39(2), 317–344.
Pentland, A., Fletcher, R., & Hasson, A. (2004). Daknet: rethinking connectivity in developing nations. First Mile Solutions Report.
Phillips, C., & Swiler, L. (1998). A graph based system for network vulnerability analysis. In Proceedings of the workshop on new security paradigms, 71-79, New York, USA.
Pursley, M. (1999). Routing for multimedia traffic in wireless frequency-hop communication networks. IEEE Journal on Selected Areas in Communications, 17(5), 784–792.
Qabajeh, L., Kiah, L., & Qabajeh, M. (2009). A qualitative comparison of position-based routing protocols for ad-hoc networks. International Journal of Computer Science and Network Security., 9(2), 131–140.
Ransbotham, S., Mitra, S., & Ramsey, J. (2012). Are markets for vulnerabilities effective? MIS Quarterly, 36(1), 43–64.
Sadhukhan, S., Mandal, S., & Saha, D. (2007). A heuristic technique for solving dual-homing assignment problem of 2.5g cellular networks. In Proceedings of the international conference on computing: theory and applications, March 5-7, Kolkata, India. 66-71.
Sadhukhan, S., Mandal, S., Bhaumik, P., & Saha, D. (2010). A novel direction-based diurnal mobility model for handoff estimation in cellular networks. In Proceedings of India Conference (INDICON), December 17-19, Kolkata, India.
Sadhukhan, S., Moitra, N., Venkateswaran, P., & Saha, D. (2015). A comparative study of paging techniques for diurnal mobility in dual homed cellular networks. In Proceedings of Applications and Innovations in Mobile Computing (AIMoC). February 12-14, Kolkata, India.
Savola, R., & Abie, H. (2009). On-line and off-line security measurement framework for mobile ad hoc networks. Journal of Networks, 4(7), 565–579.
Saxby, S. (1997). Policies for cyberspace - illegal content on the internet. Network Security, 6, 16–19.
Smith, E., & Eloff, J. (2000). Cognitive fuzzy modeling for enhanced risk assessment in a health care institution. IEEE Intelligent Systems, 15(2), 69–75.
Sneha, S., & Varshney, U. (2013). A framework for enabling patient monitoring via mobile ad-hoc network. Decision Support Systems, 55(1), 218–234.
Song, J., Wong, V., & Leung, V. (2007). Secure position-based routing protocol for mobile ad hoc networks. Ad Hoc Networks, 5(1), 76–86.
Stoneburner, G., Goguen, A., & Feringa A. (2002). Risk management guide for information technology systems. NIST (National Institute of Technical Standards) http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf. Accessed 30 May 2015.
Sumner, M. (2009). Information security threats: a comparative analysis of impact, probability, and preparedness. Information Systems Management, 26(1), 2–12.
Susanto, H., Almunawar, M., & Tuan, Y. (2011). Information security management system standards: a comparative study of the big five. International Journal of Electrical & Computer Science., 11(5), 21–27.
Takagi, H., & Kleinrock, L. (1984). Optimal transmission ranges for randomly distributed packet radio terminals. IEEE Transactions on Communications, 32(3), 246–257.
Vasile, D. (2011). ISO27001 domains, control objectives & controls. http://www.pentest.ro/iso-27001-domains-control-objectives-and-controls/. Accessed 25 May 2013.
von Solms, B. (2005). Information security governance: COBIT or ISO 17799 or both? Computers & Security, 24(2), 99–104.
Wang, S., Zhang, Z., & Kadobayashi, Y. (2013). Exploring attack graph for cost-benefit security hardening: a probabilistic approach. Computers & Security, 32(1), 158–169.
Warren, M. (2001). A risk analysis model to reduce computer security risks among healthcare organizations. Risk Management, 3(1), 27–37.
Wu, B., Wu, J., Fernandez, E., Ilyas, M., & Magliveras, S. (2007). Secure and efficient key management in mobile ad hoc networks. Journal of Network and Computer Applications, 30(3), 937–954.
Younis, O., Kant, L., Chang, K., Young, K., & Graff, C. (2009). Cognitive MANET design for mission-critical networks. IEEE Communications Magazine, 47(10), 64–71.
Zhang, Y., & Lee, W. (2000). Intrusion detection in wireless ad-hoc networks. In Proceedings of the sixth annual international conference on mobile computing and networking, Boston.
Zhao, F., Huang, H., Jin, H., & Zhang, Q. (2011). A hybrid ranking approach to estimate vulnerability for dynamic attacks. Computers and Mathematics with Applications., 62(12), 4308–4321.
Acknowledgments
This work was funded by seed money number 228 at Indian Institute of Management Lucknow.
Author information
Authors and Affiliations
Corresponding author
Appendix
Appendix
1.1 Derivation of distance between two points in a Non Orthogonal Cartesian System inclined at 60°
Let us try to find the distance between two points P1(x1,y1) and P2(x2,y2) in a non-orthogonal Cartesian system where the axes are inclined at an angle of 60° using Fig. 10.
(using Eq. (17))
(using Eq. (18))
Now, using Pythagoras theorem,
Rights and permissions
About this article
Cite this article
Das, S., Mukhopadhyay, A., Saha, D. et al. A Markov-Based Model for Information Security Risk Assessment in Healthcare MANETs. Inf Syst Front 21, 959–977 (2019). https://doi.org/10.1007/s10796-017-9809-4
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10796-017-9809-4