Risk-based design security analysis

2019 IEEE International Conference on Software Architecture (ICSA)

et al. 2019

Self Cite

Data Protection by Design (DPbD) is a truly interdisciplinary effort that involves many stakeholders such as legal experts, requirements engineers, software architects, developers, and system operators. Building software-intensive systems that respect the fundamental rights to privacy and data protection is the result of intensive dialogue and careful trade-off decisions.In practice however, there is a dichotomy between the legal reasoning which is conducted in Data Protection Impact Assessments (DPIA) and software engineering approaches, such as threat modeling, aimed at identifying privacy requirements and privacy risks. These activities are commonly performed in total isolation, which negatively impacts (i) the compliance exercise, (ii) the ability to evolve the system over time, and (iii) the architectural trade-offs made during system design.In this article, we present an architectural viewpoint for describing software architectures from a legal, data protection perspective whose core modeling abstractions are based on an in-depth legal analysis of the EU General Data Protection Regulation. This viewpoint is tied to Data Flow Diagrams -commonly used in threat modeling-through correspondence rules. The proposed viewpoint supports the automation of a number of data protection impact assessment steps through (i) meta-model constraints, (ii) model analysis, and (iii) interaction with the involved stakeholders. This enables a streamlined compliance exercise, reconciling legal privacy and data protection notions with architecture-driven software engineering practices. We validate our approach in the context of a realistic e-health application for a number of complementary development scenarios.Index Terms-privacy by design, data protection, architectural viewpoint, GDPR, data protection by design, data protection impact assessment, accountability

Section: Legal Requirement 3 Automated Decision Making On Special Categories Of Datamentioning

confidence: 99%

“…It does not, however, cover all legal concepts. Other DFD extensions have been proposed in the literature [7], [25], [32], [33]. Examples are security or privacy solutions [7] to take existing countermeasures into account and enable the up-front elimination of inapplicable threats.…”

Section: Related Workmentioning

confidence: 99%

An Architectural View for Data Protection by Design

Sion

Dewitte

2019 IEEE International Conference on Software Architecture (ICSA)

et al. 2019

Self Cite

“…Nevertheless, establishing such thresholds is a challenging task, as it also has to reflect the type of attackers, their capabilities, and the availability of data related to the data set. Profiles of attackers that may be useful for establishing privacy requirements can be found in [16].…”

Section: Knowledge Basementioning

confidence: 99%

A Data Utility-Driven Benchmark for De-identification Methods

Tomashchuk

Trust, Privacy and Security in Digital Business

Pletea

et al. 2019

Self Cite

De-identification is the process of removing the associations between data and identifying elements of individual data subjects. Its main purpose is to allow use of data while preserving the privacy of individual data subjects. It is thus an enabler for compliance with legal regulations such as the EU's General Data Protection Regulation. While many de-identification methods exist, the required knowledge regarding technical implications of different de-identification methods is largely missing. In this paper, we present a data utility-driven benchmark for different de-identification methods. The proposed solution systematically compares de-identification methods while considering their nature, context and de-identified data set goal in order to provide a combination of methods that satisfies privacy requirements while minimizing losses of data utility. The benchmark is validated in a prototype implementation which is applied to a real life data set.

“…This section elaborates on a number of risk perspectives that are relevant in the context of privacy threat modeling. Many existing risk assessment approaches focus on either technical failures (e.g., FMEA [12]) or the manifestation of security threats (e.g., FAIR [13], CORAS [14], security threat risk [15]). In these approaches, the risk impact depends on the value of business assets or the level of criticality of technical components or services.…”

Section: B Perspectives On Privacy Riskmentioning

confidence: 99%

Privacy Risk Assessment for Data Subject-Aware Threat Modeling

Sion

2019 IEEE Security and Privacy Workshops (SPW)

Wuyts

et al. 2019

Self Cite

Regulatory efforts such as the General Data Protection Regulation (GDPR) embody a notion of privacy risk that is centered around the fundamental rights of data subjects. This is, however, a fundamentally different notion of privacy risk than the one commonly used in threat modeling which is largely agnostic of involved data subjects. This mismatch hampers the applicability of privacy threat modeling approaches such as LINDDUN in a Data Protection by Design (DPbD) context. In this paper, we present a data subject-aware privacy risk assessment model in specific support of privacy threat modeling activities. This model allows the threat modeler to draw upon a more holistic understanding of privacy risk while assessing the relevance of specific privacy threats to the system under design. Additionally, we propose a number of improvements to privacy threat modeling, such as enriching Data Flow Diagram (DFD) system models with appropriate risk inputs (e.g., information on data types and involved data subjects). Incorporation of these risk inputs in DFDs, in combination with a risk estimation approach using Monte Carlo simulations, leads to a more comprehensive assessment of privacy risk. The proposed risk model has been integrated in threat modeling tool prototype and validated in the context of a realistic eHealth application.