Privacy Risk Assessment: From Art to Science, by Metrics

Wagner, Isabel; Boiten, Eerke Albert

doi:10.1007/978-3-030-00305-0_17

Cited by 29 publications

(24 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Many privacy harms are well‐known and well‐documented. For example, IETF RFC 6973 describes privacy harms in the context of internet protocol engineering, including “harms to financial standing, reputation, solitude, autonomy, and safety.” Regulators as well as researchers have published lists of known privacy harms, often grouped along Solove's taxonomy into harms caused by information collection, information processing, information dissemination, and invasion …”

Section: Related Workmentioning

confidence: 99%

“…The use of these coarse three‐point or five‐point scales means that the resulting assessment of privacy risk may be more like a rough guess than an accurate measurement. We have previously argued that these rough guesses for privacy risk are of limited value and not informative enough, in particular for the five purposes of (a) quantifying the effect of privacy controls, (b) comparing the effects of different controls, (c) analyzing trends in privacy risk over time, (d) computing a system's aggregate privacy risk from its components, and (e) ranking privacy risks.…”

Section: Related Workmentioning

confidence: 99%

“…We have previously proposed some initial steps toward privacy risk measurement, which clearly showed the need for more research in particular with regard to more fine‐grained measurement, combination of metrics, and validation of metrics.…”

Section: Related Workmentioning

confidence: 99%

“…Appropriately measuring such privacy risks is a prerequisite for managing them systematically . Doing so allows prioritization, aggregation, and triage of risks, and helps in justifying the selection of mitigating controls.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Challenges in assessing privacy impact: Tales from the front lines

Ferra

Wagner

Boiten

et al. 2019

Security and Privacy

Self Cite

View full text Add to dashboard Cite

Data protection impact assessments (DPIAs) aim to identify, rank, and mitigate privacy risks. Even though DPIAs are legally mandated in some cases and privacy professionals perform DPIAs on a daily basis, facilitating the systematic measurement of privacy risks is an open problem. Research on privacy risk measurement often does not take into account the practical needs and requirements for DPIAs in real organizations. In this article, we fill this gap by reporting on focus groups we held with a diverse group of privacy professionals. Through thematic analysis, we identify three themes that emerged from the focus groups: (a) how privacy in the contemporary society affects privacy risk assessment; (b) current practices and procedures in privacy risk assessment; and (c) common issues and challenges. Based on these themes, we identify future research directions for privacy risk measurement. Our article can help to ground research on privacy risk measurement in practical challenges faced by privacy professionals.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Challenges in assessing privacy impact: Tales from the front lines

Ferra

Wagner

Boiten

et al. 2019

Security and Privacy

Self Cite

View full text Add to dashboard Cite

show abstract

“…One is to develop methodology to compare different kinds of endpoints, such as privacy [79] vs. security. Another one is to specify the severity of each hazard since it inevitably involves a value judgment.…”

Section: Appendix B32 Specifying the Endpoints (Proposition 2)mentioning

confidence: 99%

Unintended Side Effects of Digital Transition: Perspectives of Japanese Experts

et al. 2017

View full text Add to dashboard Cite

Abstract:The core of the digital transition is the representation of all kinds of real-world entities and processes and an increasing number of cognitive processes by digital information and algorithms on computers. These allow for seemingly unlimited storage, operation, retrieval, and transmission capacities that make digital tools economically available for all domains of society and empower human action, particularly combined with real-world interfaces such as displays, robots, sensors, 3D printers, etc. Digital technologies are general-purpose technologies providing unprecedented potential benefits for sustainability. However, they will bring about a multitude of potential unintended side effects, and this demands a transdisciplinary discussion on unwanted societal changes as well as a shift in science from analog to digital modeling and structure. Although social discourse has begun, the topical scope and regional coverage have been limited. Here, we report on an expert roundtable on digital transition held in February 2017 in Tokyo, Japan. Drawing on a variety of disciplinary backgrounds, our discussions highlight the importance of cultural contexts and the need to bridge local and global conversations. Although Japanese experts did mention side effects, their focus was on how to ensure that AI and robots could coexist with humans. Such a perspective is not well appreciated everywhere outside Japan. Stakeholder dialogues have already begun in Japan, but greater efforts are needed to engage a broader collection of experts in addition to stakeholders to broaden the social debate.

show abstract

A risk‐based methodology for privacy requirements elicitation and control selection

Manna

Sengupta

Mazumdar

2021

Security and Privacy

View full text Add to dashboard Cite

The purpose of the paper is to provide a comprehensive privacy model for identifying the privacy risks of an enterprise based on its privacy requirements. A risk-based methodology for automated privacy control selection against identified privacy requirements is also proposed. The privacy model has been designed using first order logic and it is semi-formal in nature. Privacy risks are defined using the proposed formalism in terms of privacy properties. Algorithm for assessing privacy risk considering the actual information infrastructure of the enterprise is proposed. Based on the risk assessment, appropriate privacy controls should be selected from a control database. An algorithm for the same is also proposed. This methodology is easy to implement and can be used by any mid or large-scale enterprise for privacy control implementation. The effectiveness of our proposed approach is shown using a case study. From the literature review, it has emerged that there is a dearth of comprehensive privacy models that can identify the privacy requirements emanating from different sources and can eventually help the enterprise to implement privacy controls as per privacy requirements. The proposed model attempts to address this research gap by helping an enterprise to identify the specific privacy requirements and automatically select privacy controls from an appropriate knowledge base. Privacy requirements can be customized as per the needs of the enterprise.

show abstract

Privacy Risk Assessment: From Art to Science, by Metrics

Cited by 29 publications

References 14 publications

Challenges in assessing privacy impact: Tales from the front lines

Challenges in assessing privacy impact: Tales from the front lines

Unintended Side Effects of Digital Transition: Perspectives of Japanese Experts

A risk‐based methodology for privacy requirements elicitation and control selection

Contact Info

Product

Resources

About