nach oben

Erschienen in:

2020 | OriginalPaper | Buchkapitel

A Proposed Privacy Impact Assessment Method Using Metrics Based on Organizational Characteristics

verfasst von : Eleni-Laskarina Makri, Zafeiroula Georgiopoulou, Costas Lambrinoudakis

Erschienen in: Computer Security

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The assessment of the potential impact for an organization from a privacy violation incident is important for three main reasons: the organization will have a justified estimate of the cost (financial, reputation or other) that may be raised, will facilitate the selection of the appropriate technical, procedural and organizational protection mechanisms and also will be compliant with the new General Data Protection Regulation that will be in effect from May 2018. Today, there are several methods to do a Privacy Impact Assessment but none of these quantifies the results according to specific metrics and thus can be significantly affected by various subjective parameters. Furthermore, the specific organizational characteristics (size, activities, number of clients, type of offered services etc.) are very rarely accounted, a fact that also affects the accuracy of the results. In this paper, a privacy impact assessment method that explicitly takes into account the organizational characteristics and employs a list of well-defined metrics as input, is presented.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel How Not to Use a Privacy-Preserving Computation Platform: Case Study of a Voting Application

Nächstes Kapitel A Conceptual Redesign of a Modelling Language for Cyber Resiliency of Healthcare Systems

Hong, W., Thong, J.Y.L.: Internet privacy concerns an integrated conceptualization and four empirical studies. MIS Q. 37(1), 275–298 (2013). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2229627CrossRef

Regulation (EU) 2016/679 of the European Parliament and of the Council: The European Parliament and the Council of the European Union, 27 April 2016. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&qid=1485368166820&from=en

OECD Privacy Principles: OECDprivacy.org, 1980. http://oecdprivacy.org/

Makri, E.L., Lambrinoudakis, C.: Towards a common security and privacy requirements elicitation methodology. In: Jahankhani, H., Carlile, A., Akhgar, B., Taal, A., Hessami, A., Hosseinian-Far, A. (eds.) ICGS3 2015. CCIS, vol. 534, pp. 151–159. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-23276-8_13

Makri, E.L., Lambrinoudakis, C.: Privacy principles: towards a common privacy audit methodology. In: Fischer-Hübner, S., Lambrinoudakis, C., López, J. (eds.) TrustBus 2015. LNCS, vol. 9264, pp. 219–234. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22906-5_17CrossRef

Bélanger, F., Crossler, R.E.: Privacy in the digital age: a review of information privacy research in information systems. J. MIS Q. 35(4), 1017–1042 (2011). http://dl.acm.org/citation.cfm?id=2208951CrossRef

Wright, D., De Hert, P.: Introduction to privacy impact assessment. In: Wright, D., De Hert, P. (eds.) Privacy Impact Assessment. Law, Governance and Technology Series, vol. 6, pp. 3–32. Springer, Dordrecht (2012). https://doi.org/10.1007/978-94-007-2543-0_1CrossRef

ISO/IEC FDIS 29134: Information technology—Security techniques—Privacy impact assessment—Guidelines, Target publication, 30 May 2017. http://www.iso.org/iso/catalogue_detail.htm?csnumber=62289, https://www.iso.org/obp/ui/#iso:std:iso-iec:29134:dis:ed-1:v1:en

Information Commissioner’s Office (ICO): Privacy Impact Assessment Handbook, Wilmslow, Cheshire, December 2007, Version 2.0, June 2009

10.

European Commission: Recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification, C (2009) 3200 final, Brussels, 12 May 2009. http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009H0387&from=EN

11.

Information Commissioner’s Office (ICO): Data Protection Act, Conducting privacy impact assessments code of practice, February 2014. https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf

12.

Wang, Y., Kobsa, A.: Privacy-Enhancing Technologies (2008). http://www.cs.cmu.edu/afs/cs/Web/People/yangwan1/papers/2008-Handbook-LiabSec-AuthorCopy.pdf

13.

Cavoukian, A.: Creation of a Global Privacy Standard, November 2006. http://www.ipc.on.ca/images/Resources/gps.pdf

14.

Cavoukian, A., Taylor, S., Abrams, M.E.: Privacy by design: essential for organizational accountability and strong business practices. In: Identity in the Information Society, Springer (2010). http://link.springer.com/article/10.1007/s12394-010-0053-z

15.

Cavoukian, A.: Privacy by design – the 7 foundational principles, Technical report, In-formation and Privacy Commissioner of Ontario, January 2011. (revised version)

16.

Oetzel, M.C., Spiekermann, S.: Privacy-by-design through systematic privacy impact assessment - a design science approach. In: ECIS 2012 Proceedings, Paper 160 (2012). http://aisel.aisnet.org/ecis2012/160

17.

Oetzel, M.C., Spiekermann, S.: A systematic method for privacy impact assessments: a design science approach. Eur. J. Inf. Syst. 23(2), 1–25 (2013)

18.

van Blarkom, G.W., Borking, J.J., Olk, J.G.E.: PET, Handbook of Privacy and Privacy-Enhancing Technologies, The Case of Intelligent Software Agents (2003). ISBN 90-74087-33-7. http://www.andrewpatrick.ca/pisa/handbook/Handbook_Privacy_and_PET_final.pdf

19.

Information Commissioner’s Office (ICO): Privacy Impact Assessment Handbook, Wilmslow, Cheshire, Version 1.0, December 2007

20.

Information Commissioner’s Office (ICO): Privacy impact assessment and risk management, May 2013. https://ico.org.uk/media/1042196/trilateral-full-report.pdf

21.

Information Commissioner’s Office (ICO): Conducting privacy impact assessments code of practice, February 2014. https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf

22.

Information Commissioner’s Office (ICO): The Guide to Data Protection, January 2017. https://ico.org.uk/media/for-organisations/guide-to-data-protection-2-7.pdf

23.

European Commission PIAF: A Privacy Impact Assessment Framework for data protection and privacy rights, January 2011–October 2012. http://www.piafproject.eu/Index.html

24.

Wright, D., Wadhwa, K.: A step-by-step guide to privacy impact assessment, Second PIAF workshop, Sopot, 24 April 2012. http://www.piafproject.eu/ref/A_step-by-step_guide_to_privacy_impact_assessment-19Apr2012.pdf

25.

Wright, D.: Should privacy impact assessments be mandatory? Commun. ACM 54(8), 121–131 (2011). https://doi.org/10.1145/1978542.1978568. http://cacm.acm.org/magazines/2011/8CrossRef

26.

Wadhwa, K., Rodrigues, R.: Evaluating privacy impact assessments. Innov.: Eur. J. Soc. Sci. Res. 26(1–2), 161–180 (2013). http://www.tandfonline.com/doi/abs/10.1080/13511610.2013.761748, http://www.tandfonline.com/doi/pdf/10.1080/13511610.2013.761748?needAccess=true

27.

Brooks, S., Nadeau, E.: Privacy Risk Management for Federal Information Systems, Information Technology Laboratory, NIST, Internal Report 8062, May 2015. http://csrc.nist.gov/publications/drafts/nistir-8062/nistir_8062_draft.pdf

28.

Ferris, J.M.: The ISO PIA standard for financial services. In: Wright, D., De Hert, P. (eds.) Privacy Impact Assessment. Law, Governance and Technology Series, vol. 6, pp. 307–321. Springer, Dordrecht (2012). https://doi.org/10.1007/978-94-007-2543-0_14CrossRef

29.

Wright, D.: Should privacy impact assessments be mandatory? Trilateral Research & Consulting, 17 September 2009. http://www.ics.forth.gr/nis09/presentations/18-wright.pdf

30.

Agarwal, S.: Developing a structured metric to measure privacy risk in privacy impact assessments. In: Aspinall, D., Camenisch, J., Hansen, M., Fischer-Hübner, S., Raab, C. (eds.) Privacy and Identity 2015. IAICT, vol. 476, pp. 141–155. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-41763-9_10CrossRef

31.

NIST (National Institute of Standards and Technology): Risk management guide for information technology systems, NIST Special Publication 800-30 (2002)

32.

Data Protection Act (1998). http://www.legislation.gov.uk/ukpga/1998/29/contents, http://www.legislation.gov.uk/ukpga/1998/29/pdfs/ukpga_19980029_en.pdf

33.

European Union Agency for Network and Information Security (ENISA): CRAMM (CCTA Risk Analysis and Management Method). https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_cramm.html

34.

Commission Nationale de l’Informatique et des Libertés (CNIL), Privacy Impact Assessment (PIA) Methodology (how to carry out a PIA), June 2015. https://www.cnil.fr/sites/default/files/typo/document/CNIL-PIA-1-Methodology.pdf

35.

Commission Nationale de l’Informatique et des Libertés (CNIL): The open source PIA software helps to carry out data protection impact assessment, January 2018. https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment

36.

De Capitani, S., di Vimercati, S., Foresti, G.L., Samarati, P., Privacy, D.: Definitions and techniques. Int. J. Uncertainty, Fuzziness Knowl.-Based Syst. 20(6), 793–818 (2012)CrossRef

37.

Tancock, D., Pearson, S., Charlesworth, A.: A privacy impact assessment tool for cloud computing. In: Second IEEE International Conference on Cloud Computing, pp. 667–676. Indiana University, USA (2010)

Titel: A Proposed Privacy Impact Assessment Method Using Metrics Based on Organizational Characteristics
verfasst von: Eleni-Laskarina Makri
Zafeiroula Georgiopoulou
Costas Lambrinoudakis
Verlag: Springer International Publishing
Buch: Computer Security
Print ISBN: 978-3-030-42047-5

Electronic ISBN: 978-3-030-42048-2

Copyright-Jahr: 2020
DOI: https://doi.org/10.1007/978-3-030-42048-2_9

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"