Information Security Risk Assessment of Smartphones Using Bayesian Networks
DOI: https://doi.org/10.13052/2245-1439.424
Keywords: Mobile
Abstract
This study comprises an information security risk assessment of smartphone use in Finland using Bayesian networks. The primary research method is a knowledge-based approach to building a causal Bayesian network model of information security risks and consequences. The risks, consequences, probabilities and impacts are identified from domain experts in a 2-stage interview process with 8 experts as well as from existing research and statistics. This information is then used to construct a Bayesian network model which lends itself to different use cases such as sensitivity and scenario analysis. The identified risks’ probabilities follow a long tail wherein the most probable risks include unintentional data disclosure, failures of device or network, shoulder surfing or eavesdropping, and loss or theft of device. Experts believe that almost 50% of users share more information with other parties through their smartphones than they acknowledge or would be willing to share. This study has several implications for consumers and indicates a clear need for increasing security awareness among smartphone users.