Skip navigation

Optimizing investments in cyber hygiene for protecting healthcare users

Optimizing investments in cyber hygiene for protecting healthcare users

Panda, Sakshyam, Panaousis, Emmanouil ORCID: 0000-0001-7306-4062, Loukas, George ORCID: 0000-0003-3559-5182 and Laoudias, Christos (2020) Optimizing investments in cyber hygiene for protecting healthcare users. In: Di Pierro, Alessandra, Malacaria, Pasquale and Nagarajan, Rajagopal, (eds.) From Lambda Calculus to Cybersecurity Through Program Analysis: Essays Dedicated to Chris Hankin on the Occasion of His Retirement. Lecture Notes in Computer Science, 12065 . Springer, pp. 268-291. ISBN 978-3030411022 (doi:

PDF (Author's Accepted Manuscript)
28152 PANAOUSIS_Optimizing_Investments_In_Cyber_Hygiene_(AAM)_2020.pdf - Accepted Version

Download (1MB) | Preview


Cyber hygiene measures are often recommended for strengthening an organization’s security posture, especially for protecting against social engineering attacks that target the human element. However, the related recommendations are typically the same for all organizations and their employees, regardless of the nature and the level of risk for different groups of users. Building upon an existing cybersecurity investment model, this paper presents a tool for optimal selection of cyber hygiene safeguards, which we refer as the Optimal Safeguards Tool (OST). The model combines game theory and combinatorial optimization (0-1 Knapsack) taking into account the probability of each user group to being attacked, the value of assets accessible by each group, and the efficacy of each control for a particular group. The model considers indirect cost as the time employees could require for learning and trainning against an implemented control. Utilizing a game-theoretic framework to support the Knapsack optimization problem permits us to optimally select safeguards’ application levels minimizing the aggregated expected damage within a security investment budget.

We evaluate OST in a healthcare domain use case. In particular, on the Critical Internet Security (CIS) Control group 17 for implementing security awareness and training programs for employees belonging to the ICT, clinical and administration personnel of a hospital. We compare the strategies implemented by OST against alternative common-sense defending approaches for three different types of attackers: Nash, Weighted and Opportunistic. Our results show that Nash defending strategies are consistently better than the competing strategies for all attacker types with a minor exception where the Nash defending strategy, for a specific game, performs at least as good as other common-sense approaches. Finally, we illustrate the alternative investment strategies on different Nash equilibria (called plans) and discuss the optimal choice using the framework of 0-1 Knapsack optimization.

Item Type: Book Section
Uncontrolled Keywords: cybersecurity, cyber hygiene healthcare, optimization, training and awareness, CIS control, game theory
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Faculty / School / Research Centre / Research Group: Faculty of Engineering & Science > Internet of Things and Security Research Centre (ISEC)
Faculty of Engineering & Science > School of Computing & Mathematical Sciences (CMS)
Faculty of Engineering & Science
Related URLs:
Last Modified: 04 Mar 2022 13:06

Actions (login required)

View Item View Item


Downloads per month over past year

View more statistics