Privacy-by-design based on quantitative threat modeling

Luna, Jesús; Suri, Neeraj; Krontiris, Ioannis

doi:10.1109/crisis.2012.6378941

Cited by 22 publications

(29 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Once the initial attack trees have been built an iterative process of choosing mitigation techniques begins until each risk is either avoided, optimized or completely accepted. This is an advantage since it builds the base for automating the process [16].…”

Section: Quantitative Threat Modelingmentioning

confidence: 99%

The IoT security gap: a look down into the valley between threat models and their implementation

Aufner¹

2019

Int. J. Inf. Secur.

View full text Add to dashboard Cite

We claim to have identified gaps between threat modeling frameworks, threat model use in IoT security research and attacks that may be missed by current research. While security research includes sections known as 'threat models', these models are not supported by the categorization and standardization that threat modeling frameworks would have to offer. Then again, if existing threat modeling frameworks were used, they would still allow many vulnerabilities to pass through undetected, since they are meant for software-only projects. This work will explain the origins of IoT research, enumerate common threat modeling frameworks and give an insight into the state of IoT security research. In the course of this, it will become clear how these gaps came to be and what research directions would help to close them.

show abstract

Section: Quantitative Threat Modelingmentioning

confidence: 99%

The IoT security gap: a look down into the valley between threat models and their implementation

Aufner¹

2019

Int. J. Inf. Secur.

View full text Add to dashboard Cite

show abstract

“…Though several solutions have extended STRIDE to accommodate more complex systems [62], and cover other security requirements, e.g., privacy [45,56], its model does not fit cryptocurrencies. Another study [71], in which the authors extended STRIDE's threat categories to handle Bitcoin-like community currencies, bears out this premise.…”

Section: Related Workmentioning

confidence: 99%

ABC: A Cryptocurrency-Focused Threat Modeling Framework

Almashaqbeh

Bishop

Cappos

2019

IEEE INFOCOM 2019 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)

View full text Add to dashboard Cite

Cryptocurrencies are an emerging economic force, but there are concerns about their security. This is due, in part, to complex collusion cases and new threat vectors that could be missed by conventional security assessment strategies. To address these issues, we propose ABC, an Asset-Based Cryptocurrency-focused threat modeling framework capable of identifying such risks. ABC's key innovation is the use of collusion matrices. A collusion matrix forces a threat model to cover a large space of threat cases while simultaneously manages this process to prevent it from being overly complex. Moreover, ABC derives a systemspecific threat categories that account for the financial aspects and the new asset types that cryptocurrencies introduce. We demonstrate that ABC is effective by conducting a user study and by presenting realworld use cases. The user study showed that around 71% of those who used ABC were able to identify financial security threats, as compared to only 13% of participants who used the popular framework STRIDE. The use cases further attest to the usefulness of ABC's tools for both cryptocurrency-based systems, as well as a cloud native security technology. This shows the potential of ABC as an effective security assessment technique for various types of large-scale distributed systems.

show abstract

“…In the area of information systems development, these methods of support have begun to appear for implementing the concept of privacy by design, as seen in Compagna, Khoury, Krausová, Massacci and Zannone (2009); Tschantz and Wing (2009); Deng, Wuyts, Scandariato, Preneel and Joosen (2011); Gürses Troncoso and Diaz (2011); Rubenstein and Good (2013); Hoepman (2014), Luna, Suri and Krontiris (2012);and Le Métayer (2013). Different European projects have been undertaken or are underway with the aim of helping to apply concepts related to PbD, including EuroPriSe (2007), PICOS (2009), PRISMS (2012), SurPRISE (2012), PACT (2012), CAPPRIS (2013) andPRIPARE (2014).…”

Section: Data Protection By Designmentioning

confidence: 99%

Data protection by design: Organizational integration

Romero¹,

De-Pablos-Heredero

2018

hdbr

View full text Add to dashboard Cite

Firms perform the processing of physical personal data and are obliged to protect them according to the Acts. In the European Union, the General Regulation for Data Protection (GDPR) obliges firms to be proactive in the protection of the personal data they process, through data protection from the design. In this research, a group of technical and organizational measures to include in processing, under the focus of data protection from the design is determined from the definition of the processes in which data are processed. These activities, realized by making use of different firm’s profiles, promote the need to develop a proper organizational integration amongst participants. The activities done by different profiles at firms promote the need to develop an organizational integration amongst participants, activities performed by different agents, results interchanged and common products used.

show abstract

Privacy-by-design based on quantitative threat modeling

Cited by 22 publications

References 12 publications

The IoT security gap: a look down into the valley between threat models and their implementation

The IoT security gap: a look down into the valley between threat models and their implementation

ABC: A Cryptocurrency-Focused Threat Modeling Framework

Data protection by design: Organizational integration

Contact Info

Product

Resources

About