A Quantitative Methodology for Business Process-Based Data Privacy Risk Computation

Advanced Computing and Systems for Security

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 996)

Abstract

The imminent introduction of the Data Protection Act in India would make it necessary for almost all enterprises dealing with personal data to implement privacy-specific controls. These controls would serve to mitigate the risks that breach the privacy properties of user data. Hence, the first step toward implementing such controls is the execution of privacy risk assessment procedures that would help elicit the privacy risks to user data. All user data are processed or managed by one or more business processes. Hence, assessment of privacy risks to user data should consider the vulnerabilities within, and threats to, the corresponding business processes. It should also consider different perspectives, namely business, legal and contractual needs, and users' expectations, during the computation of data privacy values. This paper proposes such a comprehensive methodology for identifying data privacy risks and quantifying them. The risk values are computed at different levels (privacy property level, business process level, etc.) to help both senior management and operational personnel in assessing and mitigating privacy risks.

Corresponding author

Correspondence to Asmita Manna.

Copyright information

© 2020 Springer Nature Singapore Pte Ltd.

About this chapter

Cite this chapter

Manna, A., Sengupta, A., Mazumdar, C. (2020). A Quantitative Methodology for Business Process-Based Data Privacy Risk Computation. In: Chaki, R., Cortesi, A., Saeed, K., Chaki, N. (eds) Advanced Computing and Systems for Security. Advances in Intelligent Systems and Computing, vol 996. Springer, Singapore. https://doi.org/10.1007/978-981-13-8969-6_2
