nach oben

Erschienen in:

2018 | OriginalPaper | Buchkapitel

Privacy Risk Assessment: From Art to Science, by Metrics

verfasst von : Isabel Wagner, Eerke Boiten

Erschienen in: Data Privacy Management, Cryptocurrencies and Blockchain Technology

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Privacy risk assessments aim to analyze and quantify the privacy risks associated with new systems. As such, they are critically important in ensuring that adequate privacy protections are built in. However, current methods to quantify privacy risk rely heavily on experienced analysts picking the “correct” risk level on e.g. a five-point scale. In this paper, we argue that a more scientific quantification of privacy risk increases accuracy and reliability and can thus make it easier to build privacy-friendly systems. We discuss how the impact and likelihood of privacy violations can be decomposed and quantified, and stress the importance of meaningful metrics and units of measurement. We suggest a method of quantifying and representing privacy risk that considers a collection of factors as well as a variety of contexts and attacker models. We conclude by identifying some of the major research questions to take this approach further in a variety of application scenarios.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Towards an Effective Privacy Impact and Risk Assessment Methodology: Risk Analysis

Nächstes Kapitel Bootstrapping Online Trust: Timeline Activity Proofs

For example, Recital 47 on the legal basis of “legitimate interest” requires“taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.”

See GDPR Recital 75: “The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymization, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data” [11].

Albakri, A., Boiten, E., de Lemos, R.: Risks of sharing cyber incident information. In: 1st International Workshop on Cyber Threat Intelligence Management (CyberTIM) (2018, to appear)

Boiten, E.: What is the unit of security? (2016). FOSAD Summer School 2016. http://www.sti.uniurb.it/events/fosad16/Programme.html

Brooks, S., Garcia, M., Lefkovitz, N., Lightman, S., Nadeau, E.: An introduction to privacy engineering and risk management in federal systems. Technical report NIST IR 8062, National Institute of Standards and Technology, Gaithersburg, MD, January 2017. https://doi.org/10.6028/NIST.IR.8062

Calder, A., Watkins, S.: IT Governance: An International Guide to Data Security and ISO27001/ISO27002. Kogan Page, London (2015)

Cavoukian, A.: Privacy by design: the 7 foundational principles (2011). https://www.ipc.on.ca/wp-content/uploads/Resources/7foundationalprinciples.pdf

Commission Nationale de l’Informatique et des Libertés: Methodology for privacy risk management: How to implement the data protection act (2012). https://www.goo.gl/o3aN85

Commission Nationale de l’Informatique et des Libertés: Privacy impact assessment (PIA) 1: Methodology (2018). https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-1-en-methodology.pdf

Commission Nationale de l’Informatique et des Libertés: Privacy impact assessment (PIA) 3: Knowledge bases (2018). https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-3-en-knowledgebases.pdf

Deng, M., Wuyts, K., Scandariato, R., Preneel, B., Joosen, W.: A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requirements Eng. 16(1), 3–32 (2011). https://doi.org/10.1007/s00766-010-0115-7CrossRef

10.

Eckhoff, D., Wagner, I.: Privacy in the smart city - applications, technologies, challenges and solutions. IEEE Commun. Surv. Tutorials 20(1), 489–516 (2018). https://doi.org/10.1109/COMST.2017.2748998CrossRef

11.

European Parliament and Council of the European Union: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC

12.

Evans, K.: Vidal-hall and risk management for privacy breaches. IEEE Secur. Priv. 13(5), 80–84 (2015). https://doi.org/10.1109/MSP.2015.94CrossRef

13.

Information Commissioner’s Office: Data Protection Impact Assessments (DPIAs) (2018). https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/

14.

Information Commissioner’s Office (ICO): Guide to the General Data Protection Regulation (GDPR), May 2018. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

15.

Lin, J., Amini, S., Hong, J.I., Sadeh, N., Lindqvist, J., Zhang, J.: Expectation and purpose: understanding users’ mental models of mobile app privacy through crowdsourcing. In: Proceedings of the 2012 ACM Conference on Ubiquitous Computing, pp. 501–510. ACM, Pittsburgh (2012)

16.

Liu, K., Terzi, E.: A framework for computing the privacy scores of users in online social networks. ACM Trans. Knowl. Discov. Data 5(1), 6:1–6:30 (2010). https://doi.org/10.1145/1870096.1870102CrossRef

17.

Meng, W., Ding, R., Chung, S.P., Han, S., Lee, W.: The price of free: privacy leakage in personalized mobile in-app ads. In: NDSS. Internet Society (2016). https://doi.org/10.14722/ndss.2016.23353

18.

National Institute of Standards and Technology (NIST): Guide for Conducting Risk Assessments. NIST Special Publication 800-30 r1, September 2012. https://doi.org/10.6028/NIST.SP.800-30r1

19.

Nissenbaum, H.: Privacy as contextual integrity. Wash. L. Rev. 79, 119 (2004)

20.

Open Web Application Security Project: OWASP Risk Rating Methodology (2018). https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

21.

Pérez-Peña, R., Rosenberg, M.: Strava Fitness App Can Reveal Military Sites, Analysts Say. https://www.nytimes.com/2018/01/29/world/middleeast/strava-heat-map.html

22.

SnoopWall: Flashlight apps threat assessment report (2014). https://lintvwish.files.wordpress.com/2014/10/flashlight-spyware-appendix-2014.pdf

23.

Solove, D.J.: A taxonomy of privacy. Univ. Pennsylvania Law Rev. 154(3), 477–564 (2006). https://doi.org/10.2307/40041279CrossRef

24.

Stahl, F., Burgmair, S.: OWASP Top 10 Privacy Risks Project (2017). https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project

25.

Stevens, S.S.: On the theory of scales of measurement. Science 103(2684), 677–680 (1946)CrossRef

26.

Sweeney, L.: k-anonymity: a model for protecting privacy. Int. J. Uncertainty Fuzziness Knowl. Based Syst. 10(05), 557–570 (2002)MathSciNetCrossRef

27.

Wagner, I.: Evaluating the strength of genomic privacy metrics. ACM Trans. Priv. Secur. 20(1), 2:1–2:34 (2017). https://doi.org/10.1145/3020003CrossRef

28.

Wagner, I., Eckhoff, D.: Technical privacy metrics: a systematic survey. ACM Comput. Surv. (CSUR) 51(3) (2018)

Titel: Privacy Risk Assessment: From Art to Science, by Metrics
verfasst von: Isabel Wagner
Eerke Boiten
Verlag: Springer International Publishing
Buch: Data Privacy Management, Cryptocurrencies and Blockchain Technology
Print ISBN: 978-3-030-00304-3

Electronic ISBN: 978-3-030-00305-0

Copyright-Jahr: 2018
DOI: https://doi.org/10.1007/978-3-030-00305-0_17

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"