Privacy threats in a mobile enterprise social network

The 'Instant Knowledge' system is an enterprise based social network that aims to introduce employees of the enterprise to contacts within the organization who may have skills relevant to particular tasks. The skills database is maintained through context-aware devices, and mobile devices in particular. The aim is to populate the database automatically based on user context data and to provide automatic introductions, again based on context data. This paper examines the security and privacy implications of this system and shows that while threat modelling on its own provides a solid base from which to secure the system, this is not enough to ensure that all privacy issues are considered. This is demonstrated by applying a mis-use case analysis that shows how personal identifying information can be inadvertantly leaked to malicious parties.

[1]  Sara Kiesler Culture of the Internet , 1997 .

[2]  David Taniar,et al.  Computational Science and Its Applications - ICCSA 2006, International Conference, Glasgow, UK, May 8-11, 2006, Proceedings, Part I , 2006, ICCSA.

[3]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[4]  D. M. Pedersen Cross-Validation of Privacy Factors , 1982 .

[5]  Donald Firesmith,et al.  Security Use Cases , 2003, J. Object Technol..

[6]  N. J. Marshall DIMENSIONS OF PRIVACY PREFERENCES. , 1974, Multivariate behavioral research.

[7]  Barbara Paech,et al.  MOQARE: misuse-oriented quality requirements engineering , 2008, Requirements Engineering.

[8]  D. M. Pedersen Dimensions of Privacy , 1979 .

[9]  John Leubsdorf,et al.  Privacy and Freedom , 1968 .

[10]  Alistair Cockburn,et al.  Writing Effective Use Cases , 2000 .

[11]  Sang-soo Choi,et al.  Enhanced Misuse Case Model: A Security Requirement Analysis and Specification Model , 2006, ICCSA.

[12]  Ivar Jacobson,et al.  Object-oriented software engineering - a use case driven approach , 1993, TOOLS.

[13]  Frank Swiderski,et al.  Threat Modeling , 2018, Hacking Connected Cars.

[14]  B. Wellman An electronic group is virtually a social network. , 1997 .

[15]  E. Dyson Reflections on privacy 2.0. , 2008, Scientific American.

[16]  Allan Tomlinson,et al.  Instant knowledge : a secure mobile context-aware distributed recommender system , 2009 .

[17]  Monica T. Whitty,et al.  Truth, Lies and Trust on the Internet , 2008 .

[18]  N. J. Marshall Privacy and environment , 1972 .

[19]  L. Laursen Listening to a mix. , 2008, Scientific American.