ABSTRACT
Data processing systems operate in increasingly dynamic environments, such as in cloud or edge computing. In such environments, changes at run time can result in the dynamic appearance of data protection vulnerabilities, i.e., configurations in which an attacker could gain unauthorized access to confidential data. An autonomous system can mitigate such vulnerabilities by means of automated self-adaptations. If there are several data protection vulnerabilities at the same time, the system has to decide which ones to address first. In other areas of cybersecurity, risk-based approaches have proven useful for prioritizing where to focus efforts for increasing security. Traditionally, risk assessment is a manual and time-consuming process. On the other hand, addressing run-time risks requires timely decision-making, which in turn necessitates automated risk assessment.
In this paper, we propose a mathematical model for quantifying data protection risks at run time. This model accounts for the specific properties of data protection risks, such as the time it takes to exploit a data protection vulnerability and the damage caused by such exploitation. Using this risk quantification, our approach can make, in an automated process, sound decisions on prioritizing data protection vulnerabilities dynamically. Experimental results show that our risk prioritization method leads to a reduction of up to 15.8% in the damage caused by data protection vulnerabilities.
Index Terms
- Automatic online quantification and prioritization of data protection risks