A framework managing conflicts between security and privacy requirements

Alkubaisy, Duaa

doi:10.1109/rcis.2017.7956571

Cited by 12 publications

(8 citation statements)

References 124 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This research is an extension of the study conducted by Alkubaisy et al[1] -which itself is a continuation of earlier studies[2,3] and aims to aid the reader in comprehensively grasping the concepts laid out.…”

mentioning

confidence: 85%

“…Based on the motivation example, we will illustrate the security and privacy requirements, following the phases of the ConfIS framework to resolve conflicts, using the extended supported tool. The first phase aims to map the security and privacy requirements [2]. This assumes the existence of a matrix to find out the potential conflicts between security and privacy requirements, based on our recent study [18].…”

Section: Motivation Scenariomentioning

confidence: 99%

See 1 more Smart Citation

A Framework for Privacy and Security Requirements Analysis and Conflict Resolution for Supporting GDPR Compliance Through Privacy-by-Design

Alkubaisy

Piras

Al-Obeidallah

et al. 2022

Communications in Computer and Information Science

View full text Add to dashboard Cite

Requirements elicitation, analysis, and, above all, early detection of conflicts and resolution, are among the most important, strategic, complex and crucial activities for preventing software system failures, and reducing costs related to reengineering/fixing actions. This is especially important when critical Requirements Classes are involved, such as Privacy and Security Requirements. Recently, organisations have been heavily fined for lack of compliance with data protection regulations, such as the EU General Data Protection Regulation (GDPR). GDPR requires organisations to enforce privacy-by-design activities from the early stages and for the entire software engineering cycle. Accordingly, requirements engineers need methods and tools for systematically identifying privacy and security requirements, detecting and solving related conflicts. Existing techniques support requirements identification without detecting or mitigating conflicts. The framework and tool we propose in this paper, called ConfIs, fills this gap by supporting engineers and organisations in these complex activities, with its systematic and interactive process. We applied ConfIs to a realistic GDPR example from the DEFeND EU Project, and evaluated its supportiveness, with positive results, by involving privacy and security requirements experts 1 .

show abstract

mentioning

confidence: 85%

Section: Motivation Scenariomentioning

confidence: 99%

A Framework for Privacy and Security Requirements Analysis and Conflict Resolution for Supporting GDPR Compliance Through Privacy-by-Design

Alkubaisy

Piras

Al-Obeidallah

et al. 2022

Communications in Computer and Information Science

View full text Add to dashboard Cite

show abstract

“…Besides, we now live in an unrivaled and growing hyper connected world that there is a clear awareness of the magnitude of privacy issues that must be rigorously addressed in the different fields [21,18,36], where people are increasingly sensitive to their privacy and firm about the handling of their private data [16,31,38]. Thus, conflicting security requirements and privacy issues gain more attention from researchers in the last years [4,3,27] and should be taken into account when designing a security solution.…”

Section: Toward Public Key Systems Aggregationmentioning

confidence: 99%

Certificateless Public Key Systems Aggregation: An enabling technique for 5G multi-domain security management and delegation

2021

View full text Add to dashboard Cite

“…However, conflicts are discussed on the conceptual level, abstracting from concrete systems, while we show that the specific conflicts arising in a system can be identified by analyzing the data system's minimization and security requirements. The perspective papers of Ganji et al [27] and Alkubaisy [5] highlight the importance of detecting conflicts between security and privacy requirements, specifically for dataminimization requirements. Both papers discuss the components required for a potential approach, however, without providing a complete solution.…”

Section: Conflicts Between Data-protection Requirementsmentioning

confidence: 99%

A semi-automated BPMN-based framework for detecting conflicts between security, data-minimization, and fairness requirements

et al. 2020

View full text Add to dashboard Cite

Requirements are inherently prone to conflicts. Security, data-minimization, and fairness requirements are no exception. Importantly, undetected conflicts between such requirements can lead to severe effects, including privacy infringement and legal sanctions. Detecting conflicts between security, data-minimization, and fairness requirements is a challenging task, as such conflicts are context-specific and their detection requires a thorough understanding of the underlying business processes. For example, a process may require anonymous execution of a task that writes data into a secure data storage, where the identity of the writer is needed for the purpose of accountability. Moreover, conflicts not arise from trade-offs between requirements elicited from the stakeholders, but also from misinterpretation of elicited requirements while implementing them in business processes, leading to a non-alignment between the data subjects' requirements and their specifications. Both types of conflicts are substantial challenges for conflict detection. To address these challenges, we propose a BPMN-based framework that supports: (i) the design of business processes considering security, data-minimization and fairness requirements, (ii) the encoding of such requirements as reusable, domain-specific patterns, (iii) the checking of alignment between the encoded requirements and annotated BPMN models based on these patterns, and (iv) the detection of conflicts between the specified requirements in the BPMN models based on a catalog of domain-independent anti-patterns. The security requirements were reused from SecBPMN2, a security-oriented BPMN 2.0 extension, while the fairness and data-minimization parts are new. For formulating our patterns and anti-patterns, we extended a graphical query language called SecBPMN2-Q. We report on the feasibility and the usability of our approach based on a case study featuring a healthcare management system, and an experimental user study.

show abstract

A framework managing conflicts between security and privacy requirements

Abstract: A thesis submitted in partial fulfilment of the requirements of the University of Brighton for the degree of Doctor of Philosophy

Cited by 12 publications

References 124 publications

A Framework for Privacy and Security Requirements Analysis and Conflict Resolution for Supporting GDPR Compliance Through Privacy-by-Design

A Framework for Privacy and Security Requirements Analysis and Conflict Resolution for Supporting GDPR Compliance Through Privacy-by-Design

Certificateless Public Key Systems Aggregation: An enabling technique for 5G multi-domain security management and delegation

A semi-automated BPMN-based framework for detecting conflicts between security, data-minimization, and fairness requirements

Contact Info

Product

Resources

About