Abstract
Sharing Cyber Threat Intelligence (CTI) is a key strategy for improving cyber defense, but there are risks of breaching regulations and laws regarding privacy. With regulations such as the General Data Protection Regulation (GDPR) that are designed to protect citizens’ data privacy, the managers of CTI datasets need clear guidance on how and when it is legal to share such information. This paper defines the impact that GDPR legal aspects may have on the sharing of CTI. In addition, we define adequate protection levels for sharing CTI to ensure compliance with the GDPR. We also present a model for evaluating the legal requirements for supporting decision making when sharing CTI, which also includes advice on the required protection level. Finally, we evaluate our model using use cases of sharing CTI datasets between entities.
Acknowledgment
This work has received funding from the European Union Framework Programme for Research and Innovation Horizon 2020 under grant agreement No 675320.
© 2019 Springer Nature Switzerland AG
Cite this paper
Albakri, A., Boiten, E., De Lemos, R. (2019). Sharing Cyber Threat Intelligence Under the General Data Protection Regulation. In: Naldi, M., Italiano, G., Rannenberg, K., Medina, M., Bourka, A. (eds) Privacy Technologies and Policy. APF 2019. Lecture Notes in Computer Science, vol 11498. Springer, Cham. https://doi.org/10.1007/978-3-030-21752-5_3
DOI: https://doi.org/10.1007/978-3-030-21752-5_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-21751-8
Online ISBN: 978-3-030-21752-5
eBook Packages: Computer Science (R0)