论文信息 - Multi-Stakeholder Cybersecurity Risk Assessment for Data Protection

Multi-Stakeholder Cybersecurity Risk Assessment for Data Protection

To ensure the effectiveness of the adopted security measures and minimize the impact of security issues on the rights and freedom of individuals, the General Data Protection Regulation (GDPR) requires to carry out a Data Processing Impact Assessment (DPIA). Such an assessment differs from traditional risk analyses in which the actor carrying out the evaluation is also the one interested in reducing its risk. Conflicts may thus arise between the need of protecting data subjects rights and organizations that shall provide adequate security measures while struggling with various types of constraints (e.g., budget). To alleviate this problem, we introduce the Multi-Stakeholder Risk Trade-off Analysis Problem, (MSRToAP) and propose an automated technique to solve their instances. We then show how this can help data controllers make more informed decisions about which security mechanisms allow for a better trade-off between their requirements and those of the data subjects. For concreteness, we illustrate the proposed on a simple yet realistic use case scenario.

Alberto Siena | Silvio Ranise | Majid Mollaeefar

[1] Roger Clarke,et al. Privacy impact assessment: Its origins and development , 2009, Comput. Law Secur. Rev..

[2] Lisa Rajbhandari,et al. Intended Actions: Risk Is Conflicting Incentives , 2012, ISC.

[3] Marit Hansen,et al. A Process for Data Protection Impact Assessment Under the European General Data Protection Regulation , 2016, APF.

[4] Norbik Bashah Idris,et al. Security risk assessment framework for cloud computing environments , 2014, Secur. Commun. Networks.

[5] Rose-Mharie Åhlfeldt,et al. Mobile Health Systems for Community-Based Primary Care: Identifying Controls and Mitigating Privacy Threats , 2019, JMIR mHealth and uHealth.

[6] David Wright,et al. The state of the art in privacy impact assessment , 2012, Comput. Law Secur. Rev..

[7] Sarah Spiekermann,et al. A systematic methodology for privacy impact assessments: a design science approach , 2014, Eur. J. Inf. Syst..

[8] Jasbir S. Arora,et al. Survey of multi-objective optimization methods for engineering , 2004 .

[9] Luis Martínez-López,et al. A Dynamic Multi-Expert Multi-Criteria Decision Making Model for Risk Analysis , 2013, MICAI.