pISRA: privacy considered information security risk assessment model

“…Privacy data protection standards (e.g., BS 10012:2017 [ 35 ], ISO/IEC 29151:2017 [ 36 ] and ISO/IEC 27018:2014 [ 37 ]), can be found in the literature focusing on PIA as a requirement in the execution of cybersecurity risk assessments. PIA and cybersecurity risk assessments are, however, treated as two different and uncorrelated processes [ 32 , 38 ], with a clear gap on automated tools, methods and models that implement PIA [ 33 ]. Even though standards (e.g., ISO/IEC 29134:2017 [ 39 ]) provide details and guidance to conduct privacy impact assessments, they are very generic, and provide high-level information that in some cases is insufficient to perform an appropriate privacy risk assessment [ 38 ].…”

“…PIA and cybersecurity risk assessments are, however, treated as two different and uncorrelated processes [ 32 , 38 ], with a clear gap on automated tools, methods and models that implement PIA [ 33 ]. Even though standards (e.g., ISO/IEC 29134:2017 [ 39 ]) provide details and guidance to conduct privacy impact assessments, they are very generic, and provide high-level information that in some cases is insufficient to perform an appropriate privacy risk assessment [ 38 ]. Although the literature provides a wide variety of privacy metrics, they mainly consider properties of privacy-enhancing technologies such as the amount of sensitive information leaked or the number of indistinguishable users, instead of the privacy impact [ 40 ].…”

“…In addition to the aforementioned regulatory efforts, academic research has also proposed improvements to DPIA processes. These efforts include making the DPIA process more systematic and structured by proposing formal modelling techniques for privacy threats [ 38 ]. The authors in [ 47 ] proposed a comprehensive methodology for identifying data privacy risks and quantifying them, while the risk values are computed at different levels to help both senior management and operational personnel, in assessing and mitigating privacy risks.…”

“…The authors in [ 47 ] proposed a comprehensive methodology for identifying data privacy risks and quantifying them, while the risk values are computed at different levels to help both senior management and operational personnel, in assessing and mitigating privacy risks. In addition, the work in [ 38 ] proposed a systematic privacy-considered information security risk assessment (pISRA) model, which can take both a privacy impact analysis and risk assessment into consideration. Finally, in [ 48 ], the authors presented an empirically evaluated privacy risk assessment framework, namely DPIA Data Wheel, based on contextual integrity, that practitioners can use to inform decision making around the privacy risks of Cyber Physical Systems (CPS).…”

Automated Cyber and Privacy Risk Management Toolkit

“…Privacy data protection standards (e.g., BS 10012:2017 [ 35 ], ISO/IEC 29151:2017 [ 36 ] and ISO/IEC 27018:2014 [ 37 ]), can be found in the literature focusing on PIA as a requirement in the execution of cybersecurity risk assessments. PIA and cybersecurity risk assessments are, however, treated as two different and uncorrelated processes [ 32 , 38 ], with a clear gap on automated tools, methods and models that implement PIA [ 33 ]. Even though standards (e.g., ISO/IEC 29134:2017 [ 39 ]) provide details and guidance to conduct privacy impact assessments, they are very generic, and provide high-level information that in some cases is insufficient to perform an appropriate privacy risk assessment [ 38 ].…”

“…PIA and cybersecurity risk assessments are, however, treated as two different and uncorrelated processes [ 32 , 38 ], with a clear gap on automated tools, methods and models that implement PIA [ 33 ]. Even though standards (e.g., ISO/IEC 29134:2017 [ 39 ]) provide details and guidance to conduct privacy impact assessments, they are very generic, and provide high-level information that in some cases is insufficient to perform an appropriate privacy risk assessment [ 38 ]. Although the literature provides a wide variety of privacy metrics, they mainly consider properties of privacy-enhancing technologies such as the amount of sensitive information leaked or the number of indistinguishable users, instead of the privacy impact [ 40 ].…”

“…In addition to the aforementioned regulatory efforts, academic research has also proposed improvements to DPIA processes. These efforts include making the DPIA process more systematic and structured by proposing formal modelling techniques for privacy threats [ 38 ]. The authors in [ 47 ] proposed a comprehensive methodology for identifying data privacy risks and quantifying them, while the risk values are computed at different levels to help both senior management and operational personnel, in assessing and mitigating privacy risks.…”

“…The authors in [ 47 ] proposed a comprehensive methodology for identifying data privacy risks and quantifying them, while the risk values are computed at different levels to help both senior management and operational personnel, in assessing and mitigating privacy risks. In addition, the work in [ 38 ] proposed a systematic privacy-considered information security risk assessment (pISRA) model, which can take both a privacy impact analysis and risk assessment into consideration. Finally, in [ 48 ], the authors presented an empirically evaluated privacy risk assessment framework, namely DPIA Data Wheel, based on contextual integrity, that practitioners can use to inform decision making around the privacy risks of Cyber Physical Systems (CPS).…”

Automated Cyber and Privacy Risk Management Toolkit

“…The paper [8] then looks at the privacy and security part under the theme of Internet of Things. Authors propose a privacy considered information security risk assessment model that can take both privacy impact analysis and risk assessment into consideration.…”

Editorial Preface

Security of lightweight mutual authentication protocols