Skip to main content
SpringerLink
Log in

pISRA: privacy considered information security risk assessment model

  • Published:
The Journal of Supercomputing Aims and scope Submit manuscript

Abstract

The security threats related to personally identifiable information are increasing dramatically. In addition to government agencies, large international companies are potential victims. To comply with regulations such as the European Union General Data Protection Regulation, organizations are required to carry out a privacy impact assessment. However, the conventional information security risk assessment model does not provide a clear methodology for conducting privacy impact assessments. In this paper, we propose a privacy-considered information security risk assessment (pISRA) model, which can take both a privacy impact analysis and risk assessment into consideration. Our proposed model can help risk assessors achieve a comparable and reproducible approach for the entire risk assessment process. Additionally, pISRA can assist organizations to select high-risk items for further action.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4

Similar content being viewed by others

References

  1. Data breach reports—identity theft resource center. http://www.idtheftcenter.org/images/breach/DataBreachReport_2016.pdf

  2. Guide to protecting the confidentiality of personally identifiable information (pii) (2010) NIST SP800-122. http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

  3. Information technology—security techniques—information security risk management (2011) ISO/IEC 27005:2011, pp 1–68

  4. Information technology—security techniques—privacy framework (2011) ISO/IEC 29100:2011, pp 1–21

  5. Information technology—security techniques—information security management systems—requirements (2013) ISO/IEC 27001:2013, pp 1–23

  6. Information technology—security techniques—code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (2014) ISO/IEC 27018:2014, pp 1–23

  7. Societal security—Business continuity management systems—guidelines for business impact analysis (BIA) (2015) ISO/TS 22317:2015, pp 1–27

  8. Data protection specification for a personal information management system (2017) BS10012:2017. http://www.bsigroup.com/en-GB/BS-10012-Personal-information-management/

  9. Information technology—security techniques—code of practice for personally identifiable information protection (2017) ISO/IEC 29151:2017, pp 1–39

  10. Information technology—security techniques—guidelines for privacy impact assessment (2017) ISO/IEC 29134:2017, pp 1–43

  11. Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) Ir8062: an introduction to privacy engineering and risk management in federal systems, Technical report. https://doi.org/10.6028/nist.ir.8062

  12. Clarke R (1999) Introduction to dataveillance and information privacy, and definitions of terms. Roger Clarke’s Dataveillance and Information Privacy Pages. http://www.cse.unsw.edu.au/~cs4920/resources/Roger-Clarke-Intro.pdf

  13. Council of the European Union: General data protection regulation (2016). http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf

  14. De SJ, Le Métayer D (2016) PRIAM: a privacy risk analysis methodology. In: Livraga G, Torra V, Aldini A, Martinelli F, Suri N (eds) Data privacy management and security assurance. Springer, Cham, pp 221–229

    Chapter  Google Scholar 

  15. Ministry of Justice (2012) The specific purpose and the classification of personal information of the personal information protection act. http://mojlaw.moj.gov.tw/LawContentE.aspx?id=FL010631

  16. Ministry of Justice (2015) Personal information protection act. http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=I0050021

  17. Ministry of Justice (2016) Enforcement rules of the personal information protection act. http://law.moj.gov.tw/LawClass/LawAll.aspx?PCode=I0050022

  18. Mylonas A, Theoharidou M, Gritzalis D (2014) Assessing privacy risks in android: a user-centric approach. Springer International Publishing, Cham, pp 21–37. https://doi.org/10.1007/978-3-319-07076-6_2

  19. Oetzel MC, Spiekermann S (2014) Systematic methodology for privacy impact assessments. Eur J Inf Syst 23(2):126–150. https://doi.org/10.1057/ejis.2013.18

    Article  Google Scholar 

  20. Public Law 107-347 (2002) E-government act of 2002. U.S. Government Printing Office. http://www.gpo.gov/fdsys/pkg/PLAW-107publ347

  21. Saripalli P, Walters B (2010) Quirc: a quantitative impact and risk assessment framework for cloud security. In: 2010 IEEE 3rd International Conference on Cloud Computing, pp 280–288. https://doi.org/10.1109/CLOUD.2010.22

  22. Shamala P, Ahmad R, Yusoff M (2013) A conceptual framework of info structure for information security risk assessment (ISRA). J Inf Secur Appl 18(1):45–52. https://doi.org/10.1016/j.jisa.2013.07.002

    Article  Google Scholar 

  23. Tancock D, Pearson S, Charlesworth A (2013) A privacy impact assessment tool for cloud computing. Springer, London, pp 73–123. https://doi.org/10.1007/978-1-4471-4189-1_3

    Book  Google Scholar 

  24. Theoharidou M, Mylonas A, Gritzalis D (2012) A risk assessment method for smartphones. Springer, Berlin, pp 443–456. https://doi.org/10.1007/978-3-642-30436-1_36

    Book  Google Scholar 

  25. Trattner C, Kappe F (2013) Social stream marketing on Facebook: a case study. Int J Soc Humanist Comput 2(1/2):86. https://doi.org/10.1504/ijshc.2013.053268

    Article  Google Scholar 

  26. Wei YC, Wu WC, Chu YC (2016) Performance evaluation of information security risk identification. In: The 5th International Conference on Frontier Computing, Tokyo, Japan

  27. Wright D, De Hert P (2012) Introduction to privacy impact assessment. Springer, Dordrecht, pp 3–32. https://doi.org/10.1007/978-94-007-2543-0_1

    Book  Google Scholar 

  28. Wright D, Finn R, Rodrigues R (2013) A comparative analysis of privacy impact assessment in six countries. J Contemp Eur Res 9(1):160–180

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Finance and Information, National Kaohsiung University of Science and Technology, Kaohsiung, Taiwan, ROC

    Yu-Chih Wei

  2. Computer Center, Hsin Sheng Junior College of Medical Care and Management, Taoyuan, Taiwan, ROC

    Wei-Chen Wu

  3. Department of Technology Crime Investigation, Taiwan Police College, Taipei, Taiwan, ROC

    Gu-Hsin Lai

  4. Telecommunication Laboratories, Chunghwa Telecom Co., Ltd, Taoyuan, Taiwan, ROC

    Ya-Chi Chu

Authors
  1. Yu-Chih Wei
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Wei-Chen Wu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Gu-Hsin Lai
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ya-Chi Chu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yu-Chih Wei.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Wei, YC., Wu, WC., Lai, GH. et al. pISRA: privacy considered information security risk assessment model. J Supercomput 76, 1468–1481 (2020). https://doi.org/10.1007/s11227-018-2371-0

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11227-018-2371-0

Keywords

Search

Navigation