Research on Privacy Security Risk Assessment Method of Mobile Commerce Based on Information Entropy and Markov

To obtain precise personalized services in mobile commerce, users have to disclose their personal information to the operator, which constitutes a potential threat to their privacy security. In this paper, a mobile commerce privacy security risk assessment model is established based on information entropy and Markov chain, and an effective security risk measurement and assessment method is put forward. Our method can provide accurate and quantitative results in assessing privacy disclosure risk to guide the users' selection of safe mobile commerce applications and protect their privacy security.


Introduction
In the mobile internet age, mobile commerce (m-commerce for short) has gained a high market share by virtue of its portable characteristics, and various precise services like web access, e-shopping, tourism consumption, and near-field payment are rendered to the public. With the popularization of m-commerce, the users can access more and more precise services, but meanwhile, their privacy and security are facing serious threats [1]. To obtain and enjoy more precise personalized services, the users have to disclose more personal information to the service operator, and the operator requires more details of such information to maintain the operation of the commercial platform and render the so-called diverse personalized services. Then, the private information of users may be disclosed, abused, stolen, or exposed to other risks when being acquired, used, transmitted, and stored by the operator, and multiple data, including social security number, credit card number, protected health information, and user name, may be disclosed unintentionally. Meanwhile, the private information can also be stolen via internal theft, external hacking, employee negligence, or in other ways. As learned by the Identity Theft Resource Center and the US Department of Health and Human Services, the top 10 data breaches of 2019, where more than 137 million records were leaked, were all related to the government, medical institutions, and corporate websites or apps [2]. Academia and industry are paying more attention to the security risk of users' private information in mobile commerce.
At present, most researchers focus on the risk assessment of private information in information systems, cloud computing, and big data, and the risk assessment of user private information disclosure in m-commerce is rarely studied. Given the vital importance of risk assessment for information security to the ecosystem and sustainable development of m-commerce platforms [3], the risks of users' private information in m-commerce are explored in this paper from the perspective of private information disclosure. Compared with the traditional information system security risk factors, the risk hierarchy structure of users' privacy information in m-commerce is more complex. These risks include traditional information system security risk, user behavior risk, third-party application risk, and special risks of m-commerce services, like the risk in location-based services in mobile networks [4]. Therefore, in this paper, various risk factors are comprehensively analyzed by reference to some literature, and a risk indicator system for user private information disclosure in m-commerce is built based on the security model of information system [5]. Moreover, the privacy security of users is assessed, and an effective risk assessment model is built based on the theories of information entropy and Markov chain, to provide accurate risk assessment results to the users and protect their privacy security in m-commerce.
This paper is divided into the following parts: in Section 1, the background, content, and significance of the research are presented; in Section 2, the privacy security risk index, measurement, and assessment methods in m-commerce are summarized and expounded, and the existing problems in the current research on privacy security of m-commerce are revealed; in Section 3, information entropy and Markov chain are applied to the research of privacy security risk of m-commerce users, the user privacy security is described based on the information entropy, and the random state of privacy security risk of m-commerce is restored in accordance with Markov chain; in Section 4, a risk assessment model for m-commerce user privacy disclosure is established based on information entropy and Markov chain, an effective assessment method is put forward, and the whole assessment process is specified; in Section 5, a detailed case study is carried out by applying the proposed model to specific m-commerce applications, and the quantitative assessment results for three applications are presented and compared with each other. Finally, in Section 6, the research of this paper is summarized, and the future research direction is pinpointed.

Related Work
Recent research on privacy security risk of m-commerce can be generally classified into two aspects: identification of risk factors and method development for risk assessment.

2.1. Research on Risk Factors of User Privacy Disclosure.
Risk assessment depends on the identification of risk factors. In order to properly define the privacy risks of m-commerce users, we summarize the risk factors that have been widely studied by researchers in Table 1.

2.1.1. Technology Risk.
Shirazi and Iqbal [6] studied the community clouds in m-commerce and pointed out that the privacy security of users in m-commerce mainly relies on data encryption, intrusion detection, identity management, security awareness, privacy protocol, privacy principle, privacy practice, and effective database utilization. Erfan et al. [7] suggested that anonymous technology could help reduce the personal privacy risk of m-commerce users. Zhang et al. [8] proposed a security policy based on identity authentication and access control to protect private information stored in the edge cloud. Yosef and Mahmoud [9] analyzed the security issues at various levels of the cyber physical system (CPS) architecture and pointed out that to improve its safety, attention should be paid to the influence of relevant technologies, such as authentication, access control, data encryption, environment monitoring, security routing protocol, network access control, attack detection mechanism, and user authentication and authorization.

Platform Environmental Risk.
According to literature [10,11], location information was extremely sensitive in m-commerce, and the exposure of location information might cause the risk of information abuse in m-commerce. In reference [12], it was found that advertisements in m-commerce were intrusive to the users' privacy, for the users' location and other information may be mandatorily acquired. Reference [13] reveals that users are required to accept some privacy clauses before using some m-commerce applications and have no autonomy over whether to share their own information in utilization.

User Vulnerability Risk.
Ampong et al. [14] noted that privacy awareness, privacy concerns, and privacy intrusion experiences were important factors that affected the disclosure of user privacy. Reference [15] conducted a qualitative analysis of the privacy risk factors of social networks in the big data environment and suggested that privacy association setting, spatial location sharing, information behavior negligence, and simple password setting constituted the major user behavior risk factors.

Operator Management Risk.
Tian et al. [16] believed that the privacy risks in the management of mobile apps included rigid legal or institutional requirements, imperfect standards for disclosure of privacy information, lack of regulatory and disciplinary systems, and malicious disclosure by internal personnel. In line with the Risk Evaluation Specification for Information Security (GB-T20984-2007) and the behavior characteristics of m-commerce users, Xiang et al. [17] incorporated into their risk evaluation index system such related factors as privacy management mechanism, platform privacy protection input, information sharing risk, third party information collection, and privacy legal differences.

Mobile Terminal Device Risk.
In addition to the risk factors mentioned above, potential privacy risk may arise from the mobile terminal as well. Therefore, corresponding measures, including sensitive data protection [18,19], smear [20], authority management [21], and malicious event monitoring [22], need to be taken to ensure the security at the mobile terminal.

Research on Assessment Method for Privacy Security Risk.
At present, fruitful achievements have been made in the research of risk assessment, but only a few studies focus on privacy risk assessment, and studies on privacy assessment for m-commerce applications are rare. In references [23][24][25][26], the risks were evaluated based on the concept of information entropy; a feasible program was proposed for the assessment of security risk in cloud computing, but the privacy security was not analyzed. In reference [27], a privacy-considered information security assessment model was built with the risk recommendation system based on the identifiability, context of use, quantity, sensitivity, and freshness of the personal identity information data. The likelihood of risk evaluation was calculated taking into account the impact assessment of existing control measures and risks, and privacy security was evaluated from the perspective of the frequency of risk occurrence. Oetzel and Spiekermann [28] proposed a system approach for privacy impact evaluation, and divided the entire privacy impact assessment (PIA) process into seven steps, namely, characterization of the system, definition of privacy objectives, evaluation of protection requirements, identification of threats, identification and recommendations of controls, evaluation of residual risks, and PIA documentation. Taking into account the new challenges of user privacy management, Lo et al. [29] worked out LRPdroid, a user privacy analysis framework for the Android platform, to detect the information leak and evaluate user privacy leak and privacy risks for applications installed on Android-based mobile devices. These methods have significant reference value for the risk assessment of this paper. However, only a certain class of privacy security risk was evaluated with the above methods, taking into account neither the interaction between various risks nor the risk characteristics of m-commerce applications.
In order to put forward an effective m-commerce privacy security assessment method, this paper collates relevant risk factors and establishes a multilevel and multiangle assessment model, which constructs the hierarchy analysis model of privacy risk, uses information entropy to describe privacy risks, simulates and analyzes a real risk environment of m-commerce application based on Markov chain, and realizes the effective assessment of the privacy security of m-commerce users. The privacy security risk assessment method proposed in this paper aims to provide a comprehensive method for the accurate and quantitative evaluation of privacy disclosure risk in the real risk environment of m-commerce applications.

Method Development for Risk Assessment Based on Information Entropy and Markov Chain
For the purpose of risk assessment, this paper proposes to integrate information entropy and Markov chain into the privacy risk assessment of m-commerce users; the framework of our work is shown in Figure 1. As shown in Figure 1, our proposed assessment method is developed to integrate the works on the three parts.
where $X_i$ is the information source variable and $P(X_i)$ is the probability of the information source. In information theory, information entropy is used to represent the amount of information content and quantify the uncertainty of things.
Privacy security is not so objective to be easily measured. However, with the method of information entropy, it can be described from the perspective between known to unknown, the two opposite extremes. That is, the privacy risks of users are described with the characteristics of information entropy uncertainty, as shown in Figure 2. Figure 2(a) shows the mobile business environment with $n$ unknown risks $X_i$, i.e., $X = \{X_1, X_2, \cdots, X_n\}$; according to the information entropy theory, its entropy value $H(X)$ will reach its maximum, $H(X) = \log_2 n$, when all the risks occur with the same probability, that is, $P(X_1) = P(X_2) = \cdots = P(X_n)$. This idea also suggests that the higher the user privacy risk uncertainty, the lower the controllability of the risks, and the lower the security. Figure 2(b) shows the opposite case: when there is only one unknown risk in the m-commerce environment and the other risks are controllable, the entropy value $H(X)$ will reach its minimum according to the information entropy theory, indicating that the lower the privacy security risk uncertainty of the application, the higher the security, namely, the risk is substantially controllable.

Simulation of Risk Environment Based on Markov Chain.
Markov chain [30,31] is a discrete time random process of continuous transition from one state to another in the finite state space. It can describe the state space of the change of state of things and calculate the probability of occurrence of each random state of things by establishing Markov chain transfer matrix.
In addition to effective risk measurement method, the user privacy disclosure risk of m-commerce still needs to be assessed, and the random state in the practical application shall be analyzed, so as to ensure the validity of the assessment results. Therefore, the complex environment of user privacy disclosure risk in m-commerce is described in line with Markov chain, to achieve effective assessment of the user privacy security based on the practical conditions.
Assuming that there are $n$ risk factors $X_i$ in an m-commerce environment, according to Markov chain, this complex risk environment can be described as the following matrix taking into account the mutual influence between every two factors:
Matrix $R$ is an m-commerce privacy risk matrix, where the elements $X_{ii}$ on the diagonal line represent the separate occurrence of risk factors $X_i$, and $X_{ij}$ represent simultaneous occurrence of risk factors $X_i$ and $X_j$ in the actual application process. The matrix $R$ represents the complex privacy risk environment of m-commerce users by mathematical method, which provides a guarantee for the simulation analysis of this paper.
Wireless Communications and Mobile Computing
on information entropy, and we develop a Markov matrix to simulate the complexity of risk environment for m-commerce. In our framework, it is still necessary to further establish a risk hierarchy to allow for multidimensional and multilevel simulation analysis of m-commerce user privacy risk, which is shown in Figure 3. This hierarchy consists of three levels, target level $A$, risk class level $\beta$, and risk factor level $X$. Each risk class $\beta_j$ includes multiple risk factors $X_i$. Different from the traditional user privacy risk analysis, our proposed analyzing framework presents a cross relationship between risk factors and risk class, which is more consistent with the real risk environment of m-commerce.

Development of the Proposed Assessment Method.
A bottom-up process is applied to the hierarchy in our method. In the following discussions, we use $P(X_i)$ to represent the probability of occurrence of risk $X_i$ at level 3, and a normalization process is carried out based on the classified categories, to calculate the probabilities $P(X_{ij})$, $i, j = 1, 2, \cdots, n$, of risk occurrence under different categories, which are substituted into the matrix $R$ to further obtain the state transition matrix $P(R)$ of the m-commerce privacy.
The calculation process is as shown in the following example: it is assumed that there are two risk classes, namely, $\beta_1$ and $\beta_2$, which include risk factors as shown in Table 2.
As shown in Table 1, class $\beta_1$ includes particular risk factor $X_1$, class $\beta_2$ includes particular risk factor $X_4$, while risk factor $X_3$ is included in both $\beta_1$ and $\beta_2$; then their transition state matrix can be derived through calculation.
Similarly, according to formula (2), it is assumed that there are $m$ risk classes $\beta_i$ and $n$ risk factors $X_i$ in an m-commerce application; then the privacy risk transfer matrix $P(R)$ for this m-commerce application can be derived based on the classified classes.
It is assumed that in the long utilization, the steady-state probability of class $\beta_i$ is $\hat{P}(\beta_i)$, $i = 1, 2, \cdots, m$. It is a possible probability of a certain risk class in the long stable utilization and a stable probability calculated by the Markov method. According to this method, the relation between $\hat{P}(\beta_i)$ and state transition matrix $P(R)$ satisfies the following equation:
The occurrence probability of various risks $\hat{P}(\beta_i) = \{\hat{P}(\beta_1$
substituting $\hat{P}(\beta_i)$ into the following information entropy formula (5):
where $H$ represents the entropy value for privacy security of the m-commerce users, and the greater its value, the lower the privacy security of the m-commerce. The entropy value of the risk class $\beta_i$ can be derived by normalizing the occurrence probability of risk factors included in such class following the information entropy calculation method, and the greater this value, the lower the privacy security of this risk class.

Table 2

| Risk class | Risk factors included |
|---|---|
| $\beta_1$ | $X_1$, $X_2$, $X_3$ |
| $\beta_2$ | $X_3$, $X_4$ |

Table 3: The level of probability of risk factors occurrence.

| Level | Definition and description |
|---|---|
| (8,10) | This factor has a great risk and a direct threat to the user's privacy |
| (6,8) | This risk has a high probability of occurrence and exists in most m-commerce environments |
| (4,6) | This risk is a common risk, which exists in some m-commerce |
| (2,4) | This risk exists and only occurs when special conditions are met |
| (0,2) | This factor has high security and hardly causes user privacy risk |

Risk Attribute Model for Privacy Disclosure of m-commerce Users.
According to the assessment method proposed in Section 3, 24 risk evaluation indicators for privacy information disclosure of m-commerce users are selected, and these indicators are divided into 5 classes, i.e., technology risk, platform environmental risk, platform operation management risk, user vulnerability risk, and mobile terminal device risk. According to the hierarchical structure in Figure 3, a hierarchical attribute model for privacy disclosure risk is built, as shown in Figure 4.

Measurement and Assessment of Privacy Disclosure Risks.
Based on the m-commerce user privacy risk attribute model in Figure 4 and in accordance with the assessment method proposed herein, the detailed calculation process is as follows:
Step 1. Table 3, "the level of probability of risk factors occurrence", is prepared; the occurrence probability level of the lowest-level risk factors is obtained through scoring by experts, and the values of $P(X_i)$ are obtained through normalization processing.
Step 2. Based on the hierarchical structure in Figure 4 and according to Markov chain, use Equation (2) to calculate the state transition matrix $P(R)$.
Step 3. Use Equation (4) to calculate the stability probability $\hat{P}(\beta_i)$ of various risks.
Step 4. Use formula (5) to calculate $H$, so as to evaluate the privacy security of the entire m-commerce environment.
Step 5. Normalize the probability of occurrence of these risk factors to obtain their weight coefficients $P(X_j, \beta_i)$ in different risk classes. Then, calculate the risk entropy $H(\beta_i)$ of each class in combination with the information entropy formula with the following.
where $m$ is the number of risk factors included in risk class $\beta_i$. The larger this value is, the more difficult it is to control such risks, and the greater the privacy security risk will be.

Assessment Process.
In order to verify the feasibility of the proposed method, three companies of different nature with an m-commerce application background are selected and assessed from bottom to top in detail, where company A provides food delivery m-commerce service, company B provides financial m-commerce service, and company C provides map navigation service. The three applications all carry the users' privacy data like information of finance, identity, location, and device. The assessment is specifically carried out for these three companies as follows:
Step 1. First of all, the bottom risk factors $x_i$ of the three m-commerce applications are scored by a panel of 10 experts with the AHP [32] method according to the definitions in Table 3. After the scoring is completed, the scores of the 10 experts are summed up and averaged to obtain their level, and the level is further normalized to obtain the value of $P(x_i)$; the results are shown in Table 4.
Step 2. Based on the hierarchical structure in Figure 4, the results of Table 4 are substituted into formula (2), to obtain the following state transition matrices $P_A(R)$, $P_B(R)$, and $P_C(R)$ for privacy disclosure risk of m-commerce users of the three companies.
Step 3. The data in the above transition matrices are substituted into formula (4) to calculate the steady-state probability of various risks, as shown in Table 5.
Step 4. The calculated results of Table 5 are substituted into formula (5) to obtain the user privacy security evaluation results of three companies' m-commerce applications, as shown in Table 6.
Step 5. The risk factors included in different risk classes are further normalized. The known risk classes and the contained risk factors are shown in Table 7.
Based on the division of Table 7, the level-2 risk classes of three different m-commerce companies are evaluated in this paper, and the calculated entropy values of various risks are shown in Figure 5.
Table 6 shows that $H(A) > H(C) > H(B)$, indicating that the food delivery m-commerce application of company A has higher privacy risk compared with the other two applications; on the contrary, company B's financial m-commerce application enjoys the highest privacy security. However, the privacy security evaluation results of the three companies are not very different in data size, indicating that on the whole, the three companies have similar privacy security performance and certain privacy and security factors.
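Steps 3 to 5 of the calculation process, and the comparison of applications by $H$ made in the case study, can be sketched as follows. This is an added example, not code from the paper: it takes the class-level transition matrix as given because formula (2) is not reproduced here, and it assumes formulas (4) and (5) are the standard stationary condition (pi = pi P) and Shannon entropy in bits. The matrices, scores, class names, and function names are constructed for illustration.

```python
import math


def stationary(P, tol=1e-12, max_iter=10_000):
    """Steady-state vector pi with pi = pi * P and sum(pi) = 1 (power iteration)."""
    n = len(P)
    for row in P:
        if len(row) != n or min(row) < 0 or abs(sum(row) - 1.0) > 1e-9:
            raise ValueError("P must be square with non-negative rows summing to 1")
    pi = [1.0 / n] * n
    for _ in range(max_iter):
        nxt = [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]
        if max(abs(a - b) for a, b in zip(nxt, pi)) < tol:
            return nxt
        pi = nxt
    raise RuntimeError("no convergence: chain may be periodic or reducible")


def entropy(probs):
    """Shannon entropy in bits; zero-probability terms contribute nothing."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def class_entropy(scores):
    """Step 5: normalise the factor scores of one class to weights, then take entropy.

    The maximum is log2(m) for a class with m factors, reached when all
    factors are equally likely, i.e. the class is hardest to control.
    """
    total = float(sum(scores))
    if total <= 0 or min(scores) < 0:
        raise ValueError("scores must be non-negative with a positive sum")
    return entropy([s / total for s in scores])


def assess(P, class_scores):
    """Steps 3-5 for one application."""
    pi = stationary(P)                                   # Step 3
    return {
        "steady_state": pi,
        "H": entropy(pi),                                # Step 4
        "H_class": {c: class_entropy(s) for c, s in class_scores.items()},
    }


def rank_by_risk(apps):
    """Application names from highest H (lowest privacy security) to lowest."""
    return sorted(apps, key=lambda name: assess(*apps[name])["H"], reverse=True)


# Constructed sample data: three risk classes instead of the paper's five.
APP_1_P = [[0.7, 0.2, 0.1],
           [0.4, 0.4, 0.2],
           [0.2, 0.2, 0.6]]        # steady state (0.5, 0.25, 0.25)
APP_2_P = [[0.6, 0.2, 0.2],
           [0.2, 0.6, 0.2],
           [0.2, 0.2, 0.6]]        # doubly stochastic, so steady state is uniform
SCORES = {"beta_1": [4, 2, 1, 1], "beta_2": [8, 8, 8, 8], "beta_3": [5, 5]}
APPS = {"app_1": (APP_1_P, SCORES), "app_2": (APP_2_P, SCORES)}

if __name__ == "__main__":
    for name in rank_by_risk(APPS):
        result = assess(*APPS[name])
        print(name, round(result["H"], 4), result["H_class"])
```

The second constructed application reaches the maximum $\log_2 3$ because its steady state is uniform, which is the Figure 2(a) situation at class level.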

Analysis of Middle-Level Evaluation Results
(1) Comparative Analysis of Steady-State Probability Results of Risk Classes. It is found in Table 5 that $\hat{P}(\beta_4) > \hat{P}(\beta_5) > \hat{P}(\beta_3) > \hat{P}(\beta_2) > \hat{P}(\beta_1)$. This result shows that the three companies share one marked characteristic, namely, the value $\hat{P}(\beta_4)$ is the greatest, indicating that compared with other risk classes, user vulnerability risk $\beta_4$ is most likely to occur in the long utilization of m-commerce application. Secondly, the value of $\hat{P}(\beta_5)$ is great, which suggests that while user vulnerability risk can easily arise, the terminal device often causes security problems. On the contrary, the value of the technical risk $\hat{P}(\beta_1)$ is the smallest, which indicates that technology risk is not the main cause of the user's privacy information security problem, and compared with other risk classes, it is not likely that the privacy security problems are caused by technology risk.
Thus, it can be seen that when m-commerce users disclose personal information in pursuit of personalized services provided by the m-commerce platform, there are mainly problems such as low awareness of privacy risks, numerous privacy association settings, insufficient experience in privacy invasion, and simple password setting, etc. The above situation poses a great threat to user privacy. Users should strengthen their awareness of privacy protection and improve their ability to deal with risks. While enjoying the convenience brought by m-commerce, users should also understand the risks and avoid excessive disclosure of their private information.
(2) Analysis of Comparison Results of Entropy Value of Risk Classes. Figure 5 shows that the $H(\beta_5)$ values of the three companies are the greatest, indicating that it is most difficult to control the mobile terminal device risk.
Moreover, the evaluation results show high $H(\beta_4)$ of company A and company C, indicating that when utilizing the m-commerce applications of these two companies, the users could hardly control their own privacy risk, giving rise to privacy security issues in these applications (take-away catering, map navigation). By contrast, the value of financial application $H(\beta_4)$ is low, which suggests that the users' behavior and operation are strictly regulated in such application, and its user risk is easier to control compared with other applications. This comparison shows that platform environment risk $H(\beta_2)$ should be mainly blamed for the leakage of such application privacy information.

Analysis of Bottom-Level Evaluation Results.
The above comparison shows that the user vulnerability risk $\beta_4$ has the highest probability of occurrence. An examination of the bottom factors of this risk class shows that the security problems of m-commerce applications are mainly caused by the users' weak privacy risk awareness $x_{17}$, excessive privacy association settings $x_{18}$, the lack of privacy invasion experience $x_{19}$, simple password setting $x_{20}$, and so on.
In the financial application, the platform environment risk $\beta_2$ has the greater probability of occurrence; it is affected by $x_7$, $x_8$, $x_9$, and so on. This result shows that the privacy security problem is mainly caused by the platform environment risk factors such as the data sharing agreement with the users $x_7$, the security routing agreement $x_8$, the formulation of privacy law $x_9$, and so on.

Suggestions and Remarks.
It is well known that it is not feasible to improve the privacy security of m-commerce users by the use of technical tools alone. The current risk problems mainly arise from the weak privacy security awareness of users, and the security issues of m-commerce applications will not be effectively solved until the users are more aware of and better understand the privacy security issues. For this purpose, the operator should more diligently remind the users on privacy security in the utilization of m-commerce applications, standardize their relevant operation as much as possible, and urge them to take security protection measures. On the other hand, for some financial applications, more explicit confidentiality agreement shall be signed with the users, the access to the users' permission shall be reduced, relevant responsibilities shall be clarified, and the information security of the users shall be guaranteed through laws and regulations.

Conclusions
In this paper, the risk factors of user privacy disclosure in m-commerce are reviewed, and the magnitude of risks is measured based on information entropy, to provide effective data support for risk assessment. We have discussed in detail the complexity of user privacy risk in the real environment; a complete assessment model for user privacy disclosure risks is established, and reasonable risk measurement and assessment methods are proposed based on Markov chain. In addition, a detailed comparative analysis is carried out based on the actual application, which can provide practical reference for the protection of the privacy security of m-commerce users, and enrich and improve the relevant research theory of user privacy security. In future research, with the update of the m-commerce application service, it is necessary to keep track of the latest research theories and further improve the attribute model of the user privacy risk. Moreover, the risks can be divided in line with actual application into more classes, which can be selected based on relevant risk factors, to realize more accurate assessment and research on user privacy security.

Data Availability
The expert scoring data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.