Privacy Risk Assessment Case Studies in Support of SQUARE

Abstract: This report contributes to the further development of the Security Quality Requirements Engineering (SQUARE) method to support privacy. Risk assessment is Step 4 in the standard SQUARE process. The report examines privacy definitions, privacy regulations, and risk assessment techniques for privacy. The risk assessment techniques are classified using a standard method, and promising techniques are applied to two case studies. The case study results are provided along with future plans for SQUARE in support of privacy. Software-intensive systems are widely used for the rapid storage and retrieval of data. We trust these systems to hold all types of data and to transfer it easily to other systems. This high level of trust poses certain privacy risks for sensitive information. If these risks are identified, we will be able to understand the potential consequences and establish the necessary preventative measures. This report summarizes the assessment of risks while focusing primarily on privacy concerns.
