Towards Privacy Taxonomy-Based Attack Tree Analysis for the Protection of Consumer Information Privacy

There is a strong legal and ethical imperative for organisations to protect consumer information privacy. In this paper we present a method called privacy taxonomy-based attack tree analysis (PTATA), which combines privacy violation taxonomies with attack trees. It assists organisations in protecting information privacy by providing a means to analyse weaknesses in their protective measures. We define privacy violation taxonomies, review attack trees, and illustrate the practical implementation of PTATA through example scenarios. The advantages and drawbacks of our method are also discussed. The paper ends with future research which may build on this work.
