A Practical Approach to Stakeholder-driven Determination of Security Requirements based on the GDPR and Common Criteria

Zinsmaier, Sandra Domenique; Langweg, Hanno; Waldvogel, Marcel

doi:10.5220/0008960604730480

Cited by 9 publications

(5 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The GDPR is a strong regulation on privacy and provides detailed explanations for each role of a stake holder [11]. Stakeholders related to privacy and de-identification are well represented in the GDPR.…”

Section: Stakeholdermentioning

confidence: 99%

Data De-identification Framework

Oh¹,

Lee²

2023

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

As technology develops, the amount of information being used has increased a lot. Every company learns big data to provide customized services with its customers. Accordingly, collecting and analyzing data of the data subject has become one of the core competencies of the companies. However, when collecting and using it, the authority of the data subject may be violated. The data often identifies its subject by itself, and even if it is not a personal information that infringes on an individual's authority, the moment it is connected, it becomes important and sensitive personal information that we have never thought of. Therefore, recent privacy regulations such as GDPR (General Data Protection Regulation) are changing to guarantee more rights of the data subjects. To use data effectively without infringing on the rights of the data subject, the concept of de-identification has been created. Researchers and companies can make personal information less identifiable through appropriate de-identification/pseudonymization and use the data for the purpose of statistical research. De-identification/pseudonymization techniques have been studied a lot, but it is difficult for companies and researchers to know how to de-identify/pseudonymize data. It is difficult to clearly understand how and to what extent each organization should take deidentification measures. Currently, each organization does not systematically analyze and conduct the situation but only takes minimal action while looking at the guidelines distributed by each country. We solved this problem from the perspective of risk management. Several steps are required to secure the dataset starting from pre-processing to releasing the dataset. We can analyze the dataset, analyze the risk, evaluate the risk, and treat the risk appropriately. The outcomes of each step can then be used to take appropriate action on the dataset to eliminate or reduce its risk. Then, we can release the dataset under its own purpose. These series of processes were recon-

show abstract

Section: Stakeholdermentioning

confidence: 99%

Data De-identification Framework

Oh¹,

Lee²

2023

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

show abstract

“…It facilitates the process of identifying and analyzing six types of threats, namely Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, and Elevation of privileges, in which the initials form the acronym STRIDE. Each of these threats corresponds to the violation of a desirable property (security objective) of the system under study, as follows: STRIDE can be used to analyze threats for systems being in a variety of development phases, even for systems at the design phase; thus, it enables adherence to security-bydesign principles [41]. Furthermore, even though originally designed for software systems, STRIDE has been also used in ecosystem environments where CPSs are prominently present [42][43][44].…”

Section: Stridementioning

confidence: 99%

“…STRIDE can be used to analyze threats for systems being in a variety of development phases, even for systems at the design phase; thus, it enables adherence to security-by-design principles [ 41 ]. Furthermore, even though originally designed for software systems, STRIDE has been also used in ecosystem environments where CPSs are prominently present [ 42 , 43 , 44 ].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Cyber Risk Propagation and Optimal Selection of Cybersecurity Controls for Complex Cyberphysical Systems

Kavallieratos

Σπαθούλας

Katsikas

2021

Sensors

View full text Add to dashboard Cite

The increasingly witnessed integration of information technology with operational technology leads to the formation of Cyber-Physical Systems (CPSs) that intertwine physical and cyber components and connect to each other to form systems-of-systems. This interconnection enables the offering of functionality beyond the combined offering of each individual component, but at the same time increases the cyber risk of the overall system, as such risk propagates between and aggregates at component systems. The complexity of the resulting systems-of-systems in many cases leads to difficulty in analyzing cyber risk. Additionally, the selection of cybersecurity controls that will effectively and efficiently treat the cyber risk is commonly performed manually, or at best with limited automated decision support. In this work, we propose a method for analyzing risk propagation and aggregation in complex CPSs utilizing the results of risk assessments of their individual constituents. Additionally, we propose a method employing evolutionary programming for automating the selection of an optimal set of cybersecurity controls out of a list of available controls, that will minimize the residual risk and the cost associated with the implementation of these measures. We illustrate the workings of the proposed methods by applying them to the navigational systems of two variants of the Cyber-Enabled Ship (C-ES), namely the autonomous ship and the remotely controlled ship. The results are sets of cybersecurity controls applied to those components of the overall system that have been identified in previous studies as the most vulnerable ones; such controls minimize the residual risk, while also minimizing the cost of implementation.

show abstract

“…Finally, literature related to the GDPR and RE (RQ3) charts possibilities of utilizing NLP to assist with manual tasks. The literature discusses, among other things, methods and approaches towards achieving GDPR-compliance during the requirements engineering process, which include the manual processing of textual data forms [14], matching related requirements to avoid duplication and tracking requirements [53]. NLP can assist industry professionals with these manual and potentially repetitive tasks.…”

Section: Bridging the Gapmentioning

confidence: 99%

Exploring Automated GDPR-Compliance in Requirements Engineering: A Systematic Mapping Study

2021

View full text Add to dashboard Cite

The General Data Protection Regulation (GDPR), adopted in 2018, profoundly impacts information processing organizations as they must comply with this regulation. In this research, we consider GDPR-compliance as a high-level goal in software development that should be addressed at the outset of software development, meaning during requirements engineering (RE). In this work, we hypothesize that natural language processing (NLP) can offer a viable means to automate this process. We conducted a systematic mapping study to explore the existing literature on the intersection of GDPR, NLP, and RE. As a result, we identified 448 relevant studies, of which the majority (420) were related to NLP and RE. Research on the intersection of GDPR and NLP yielded nine studies, while 20 studies were related to GDPR and RE. Even though only one study was identified on the convergence of GDPR, NLP, and RE, the mapping results indicate opportunities for bridging the gap between these fields. In particular, we identified possibilities for introducing NLP techniques to automate manual RE tasks in the crossing of GDPR and RE, in addition to possibilities of using NLP-based machine learning techniques to achieve GDPR-compliance in RE.

show abstract

A Practical Approach to Stakeholder-driven Determination of Security Requirements based on the GDPR and Common Criteria

Cited by 9 publications

References 0 publications

Data De-identification Framework

Data De-identification Framework

Cyber Risk Propagation and Optimal Selection of Cybersecurity Controls for Complex Cyberphysical Systems

Exploring Automated GDPR-Compliance in Requirements Engineering: A Systematic Mapping Study

Contact Info

Product

Resources

About