A Perfect Match: Converging and Automating Privacy and Security Impact Assessment On-the-Fly

As the upsurge of information and communication technologies has become the foundation of all modern application domains, fueled by the unprecedented amount of data being processed and exchanged, besides security concerns, there are also pressing privacy considerations that come into play. Compoundi...


Bibliographic Details
Main Authors: Dimitrios Papamartzivanos, Sofia Anna Menesidou, Panagiotis Gouvas, Thanassis Giannetsos
Format: Article
Language: English
Published: MDPI AG 2021-01-01
Series: Future Internet
Online Access: https://www.mdpi.com/1999-5903/13/2/30
Author Affiliations:
Dimitrios Papamartzivanos, Sofia Anna Menesidou, Panagiotis Gouvas: Ubitech Ltd., R&D Department, 11632 Athens, Greece
Thanassis Giannetsos: DTU Compute, Department of Applied Mathematics and Computer Science, Technical University of Denmark, 2800 Lyngby, Denmark
ISSN: 1999-5903
DOI: 10.3390/fi13020030

Abstract: As the upsurge of information and communication technologies has become the foundation of all modern application domains, fueled by the unprecedented amount of data being processed and exchanged, besides security concerns, there are also pressing privacy considerations that come into play. Compounding this issue, there is currently a documented gap between the cybersecurity and privacy risk assessment (RA) avenues, which are treated as distinct management processes and capitalise on rather rigid and make-like approaches. In this paper, we aim to combine the best of both worlds by proposing the APSIA (Automated Privacy and Security Impact Assessment) methodology, which stands for Automated Privacy and Security Impact Assessment. APSIA is powered by the use of interdependency graph models and data processing flows used to create a digital reflection of the cyber-physical environment of an organisation. Along with this model, we present a novel and extensible privacy risk scoring system for quantifying the privacy impact triggered by the identified vulnerabilities of the ICT infrastructure of an organisation. We provide a prototype implementation and demonstrate its applicability and efficacy through a specific case study in the context of a heavily regulated sector (i.e., assistive healthcare domain) where strict security and privacy considerations are not only expected but mandated so as to better showcase the beneficial characteristics of APSIA. Our approach can complement any existing security-based RA tool and provide the means to conduct an enhanced, dynamic and generic assessment as an integral part of an iterative and unified risk assessment process on-the-fly. Based on our findings, we posit open issues and challenges, and discuss possible ways to address them, so that such holistic security and privacy mechanisms can reach their full potential towards solving this conundrum.

Keywords: Privacy Impact Assessment; General Data Protection Regulation; privacy scoring system; privacy quantification; healthcare data privacy