Towards Legal Privacy Risk Assessment and Specification

This article focuses on privacy risk assessment from a legal perspective. We focus on how to estimate legal privacy risk with legal norms instead of quantitative values. We explain the role of normative values in legal risk assessment and introduce a specification for legal privacy risk using a modal language. We examine the difference between legal privacy risk assessment and Information Technology (IT) security risk assessment. IT security risk assessment supports the decision-making processes of system stakeholders - individuals, managers, groups or organizations. It supports both quantitative and qualitative risk analyses and may rely on the knowledge of security experts to estimate the risk. The application of an IT security risk assessment method for legal privacy risk assessment may lead to poor communication and high uncertainties in the risk estimation because legal reasoning is based on normative values and requires legal knowledge. This article proposes legal privacy risk assessment in the knowledge domain of a legal risk assessor.

[1]  Virginie Thion,et al.  A first step towardsmodeling semistructured data in hybrid multimodal logic , 2004, J. Appl. Non Class. Logics.

[2]  Giovanni Sartor,et al.  Fundamental legal concepts: A formal and teleological characterisation* , 2006, Artificial Intelligence and Law.

[3]  Frank Wolter,et al.  Handbook of Modal Logic , 2007, Studies in logic and practical reasoning.

[4]  Tobias Mahler,et al.  Risk, responsibility and compliance in 'Circles of Trust' - Part I , 2007, Comput. Law Secur. Rev..

[5]  Patrick Blackburn,et al.  Modal logic: a semantic perspective , 2007, Handbook of Modal Logic.

[6]  Ketil Stølen,et al.  Model-Driven Risk Analysis - The CORAS Approach , 2010 .

[7]  M. de Rijke,et al.  Modal Logic , 2001, Cambridge Tracts in Theoretical Computer Science.

[8]  Tobias Mahler,et al.  Identity management and data protection law: Risk, responsibility and compliance in 'Circles of Trust' - Part II , 2007, Comput. Law Secur. Rev..

[9]  Balder ten Cate,et al.  Hybrid logics , 2007, Handbook of Modal Logic.

[10]  S. Blackburn,et al.  Attitudes and Contents , 1988, Ethics.

[11]  Lilian Edwards The New Legal Framework For E-commerce In Europe , 2006 .

[12]  John Mylopoulos,et al.  Extracting rights and obligations from regulations: toward a tool-supported process , 2007, ASE.

[13]  Marc Langheinrich,et al.  The platform for privacy preferences 1.0 (p3p1.0) specification , 2002 .

[14]  E. Bulygin On norms of competence , 1992 .

[15]  J. Eber,et al.  How to write a financial contract , 2003 .

[16]  Lorrie Faith Cranor,et al.  The platform for privacy preferences , 1999, CACM.

[17]  Xavier Parent,et al.  Specifying Legal Risk Scenarios Using the CORAS Threat Modelling Language , 2005, iTrust.

[18]  Stefan Strecker,et al.  RiskM: A multi-perspective modeling method for IT risk assessment , 2011, Inf. Syst. Frontiers.

[19]  Stefan Berthold Towards a Formal Language for Privacy Options , 2010, PrimeLife.

[20]  Andy Ju An Wang Information security models and metrics , 2005, ACM-SE 43.

[21]  Terje Aven,et al.  A semi-quantitative approach to risk analysis, as an alternative to QRAs , 2008, Reliab. Eng. Syst. Saf..

[22]  G. Stoneburner,et al.  Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology , 2002 .

[23]  Haralambos Mouratidis,et al.  Adapting Secure Tropos for Security Risk Management in the Early Phases of Information Systems Development , 2008, CAiSE.

[24]  Marek J. Sergot,et al.  A Formal Characterisation of Institutionalised Power , 1996, Log. J. IGPL.

[25]  Balder ten Cate,et al.  Pure Extensions, Proof Rules, and Hybrid Axiomatics , 2006, Stud Logica.

[26]  Emmanuel Aroms,et al.  NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems , 2012 .

[27]  P. Samarati,et al.  PrimeLife Policy Language , 2010 .