
Sharing Cyber Threat Intelligence Under the General Data Protection Regulation

  • Conference paper
  • Privacy Technologies and Policy (APF 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11498)

Abstract

Sharing Cyber Threat Intelligence (CTI) is a key strategy for improving cyber defense, but there are risks of breaching regulations and laws regarding privacy. With regulations such as the General Data Protection Regulation (GDPR) that are designed to protect citizens’ data privacy, the managers of CTI datasets need clear guidance on how and when it is legal to share such information. This paper defines the impact that GDPR legal aspects may have on the sharing of CTI. In addition, we define adequate protection levels for sharing CTI to ensure compliance with the GDPR. We also present a model for evaluating the legal requirements for supporting decision making when sharing CTI, which also includes advice on the required protection level. Finally, we evaluate our model using use cases of sharing CTI datasets between entities.



Acknowledgment

This work has received funding from the European Union Framework Programme for Research and Innovation Horizon 2020 under grant agreement No 675320.

Author information

Corresponding author

Correspondence to Adham Albakri.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Albakri, A., Boiten, E., De Lemos, R. (2019). Sharing Cyber Threat Intelligence Under the General Data Protection Regulation. In: Naldi, M., Italiano, G., Rannenberg, K., Medina, M., Bourka, A. (eds) Privacy Technologies and Policy. APF 2019. Lecture Notes in Computer Science, vol 11498. Springer, Cham. https://doi.org/10.1007/978-3-030-21752-5_3

  • DOI: https://doi.org/10.1007/978-3-030-21752-5_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-21751-8

  • Online ISBN: 978-3-030-21752-5

  • eBook Packages: Computer Science (R0)
