Search results
2258 results
SSRN
Privacy Risk Against Composition Attack
In: [A H M Sarowar Sattar, Sumyea Helal (2018) Privacy Risk Against Composition Attack IJIRCST Vol-6 Issue-2 Page No-18-23] (ISSN 2347-5552)
SSRN
Working paper
D2.5 Privacy Risk Assessment for ENVISION
Privacy and data protection is a major challenge that needs to be addressed by EU funded projects given their collaborative nature. The General Data Privacy Regulation (GDPR) defines personal data as any information which is related to an identified or identifiable natural person. To this end any information that could individually or collectively lead to the identification of a natural person directly or indirectly (i.e., name, address or location data, identification number, commercial identity, IP address, etc.) are personal data. All data collected must be kept secure and inaccessible to unauthorized persons. These data need to be handled with appropriate confidentiality and technical security, as required by National and European Union (EU) legislation and recommendations. A privacy risk assessment is performed to safeguard that possible privacy breaches can be detected and facilitate informed decision-making that will minimize possible privacy risks and problems. Since the early stages of the ENVISION project, a proactive approach was adopted in minimizing possible negative impacts on the level of privacy and data protection, as well as to consider the necessary measures to mitigate the identified risks. The deliverable at hand presents an Overview of the Personal Data Framework presenting the basic EU and National legislation, as well as the personal data handled within the project. The next chapter presents the privacy risk assessment definition and characteristics and the methodological framework used to perform the privacy risk assessment. Finally, risks and mitigation measures are presented in detail.
BASE
Privacy Risk Analysis of Online Social Networks
In: Synthesis Lectures on Information Security, Privacy, and Trust Ser.
Intro -- Acknowledgments -- Introduction -- Chapter Overview -- Terminology and Definitions -- Attributes -- Privacy Settings of Attributes -- Risk Sources -- Data Inference -- Threat -- Privacy Harm -- Privacy Risks -- Privacy Risk Analysis -- Dimensions of Privacy Scoring in OSNs -- Type of Data -- Assumptions About the User -- Privacy Settings -- Risk Sources -- Privacy Metrics -- Sensitivity -- Visibility -- Reachability -- Data Inference -- Suggestion of Countermeasures -- Attribute Visibility in OSN -- Visibility Matrix -- Construction of Visibility Matrix -- An Illustration -- Open Problems -- Harm Trees for OSNs -- Harm Trees -- Construction of Harm trees -- Harm Likelihood -- Harm Expressions -- Harm Database -- Open Problems -- Privacy Risk Analysis in OSNs -- An Overview -- PrivOSN in Details -- Computation of Accuracy -- Evaluation of Harm Likelihoods -- Computation Profile Similarity -- Presentation of Privacy Risk to the User -- Residual Risks -- Open Problems -- Social Benefits -- Social Ties -- Social Capital -- Understanding Social Benefits -- Social Benefit Criteria -- Attributes and Social Benefit Criteria -- Evaluation of Social Benefit -- Open Problems -- Choosing the Right Privacy Settings -- Privacy and Social Benefit Tradeoff in Privacy Management -- An Integer Programming Model -- Balancing Privacy Risks and Social Benefits -- Formulation of the IP Problem -- Objective Function -- Privacy Risk Constraints -- Social Benefit Constraints -- Privacy Setting Constraints -- Open Problems -- Conclusion -- Notations and Their Meanings -- Comparison of Privacy Scoring Mechanisms -- Cases 3 and 4 -- Bibliography -- Authors' Biographies -- Blank Page.
Privacy Risks from Public Data Sources
Part 4: Privacy I ; International audience ; In the fight against tax evaders and other cheats, governments seek to gather more information about their citizens. In this paper we claim that this increased transparency, combined with ineptitude, or corruption, can lead to widespread violations of privacy, ultimately harming law-abiding individuals while helping those engaged in criminal activities such as stalking, identity theft and so on. In this paper we survey a number of data sources administered by the Greek state, offered as web services, to investigate whether they can lead to leakage of sensitive information. Our study shows that we were able to download significant portions of the data stored in some of these data sources (scraping). Moreover, for those data sources that were not amenable to scraping we looked at ways of extracting information for specific individuals that we had identified by looking at other data sources. The vulnerabilities we have discovered enable the collection of personal data and, thus, open the way for a variety of impersonation attacks, identity theft, confidence trickster attacks and so on. We believe that the lack of a big picture which was caused by the piecemeal development of these data sources hides the true extent of the threat. Hence, by looking at all these data sources together, we outline a number of mitigation strategies that can alleviate some of the most obvious attack strategies. Finally, we look at measures that can be taken in the longer term to safeguard the privacy of the citizens.
BASE
Automated Cyber and Privacy Risk Management Toolkit
Addressing cyber and privacy risks has never been more critical for organisations. While a number of risk assessment methodologies and software tools are available, it is most often the case that one must, at least, integrate them into a holistic approach that combines several appropriate risk sources as input to risk mitigation tools. In addition, cyber risk assessment primarily investigates cyber risks as the consequence of vulnerabilities and threats that threaten assets of the investigated infrastructure. In fact, cyber risk assessment is decoupled from privacy impact assessment, which aims to detect privacy-specific threats and assess the degree of compliance with data protection legislation. Furthermore, a Privacy Impact Assessment (PIA) is conducted in a proactive manner during the design phase of a system, combining processing activities and their inter-dependencies with assets, vulnerabilities, real-time threats and Personally Identifiable Information (PII) that may occur during the dynamic life-cycle of systems. In this paper, we propose a cyber and privacy risk management toolkit, called AMBIENT (Automated Cyber and Privacy Risk Management Toolkit) that addresses the above challenges by implementing and integrating three distinct software tools. AMBIENT not only assesses cyber and privacy risks in a thorough and automated manner but it also offers decision-support capabilities, to recommend optimal safeguards using the well-known repository of the Center for Internet Security (CIS) Controls. To the best of our knowledge, AMBIENT is the first toolkit in the academic literature that brings together the aforementioned capabilities. To demonstrate its use, we have created a case scenario based on information about cyber attacks we have received from a healthcare organisation, as a reference sector that faces critical cyber and privacy threats.
BASE
Estimation of privacy risk through centrality metrics
[EN] Users are not often aware of privacy risks and disclose information in online social networks. They do not consider the audience that will have access to it or the risk that the information continues to spread and may reach an unexpected audience. Moreover, not all users have the same perception of risk. To overcome these issues, we propose a Privacy Risk Score (PRS) that: (1) estimates the reachability of a user's sharing action based on the distance between the user and the potential audience; (2) is described in levels to adjust to the risk perception of individuals; (3) does not require the explicit interaction of individuals since it considers information flows; and (4) can be approximated by centrality metrics for scenarios where there is no access to data about information flows. In this case, if there is access to the network structure, the results show that global metrics such as closeness have a high degree of correlation with PRS. Otherwise, local and social centrality metrics based on ego-networks provide a suitable approximation to PRS. The results in real social networks confirm that local and social centrality metrics based on degree perform well in estimating the privacy risk of users. ; This work is partially supported by the Spanish Government project TIN2014-55206-R and FPI grant BES-2015-074498. ; Alemany-Bordera, J.; Del Val Noguera, E.; Alberola Oltra, JM.; García-Fornes, A. (2018). Estimation of privacy risk through centrality metrics. Future Generation Computer Systems. 82:63-76. https://doi.org/10.1016/j.future.2017.12.030
BASE
Automated cyber and privacy risk management toolkit
Addressing cyber and privacy risks has never been more critical for organisations. While a number of risk assessment methodologies and software tools are available, it is most often the case that one must, at least, integrate them into a holistic approach that combines several appropriate risk sources as input to risk mitigation tools. In addition, cyber risk assessment primarily investigates cyber risks as the consequence of vulnerabilities and threats that threaten assets of the investigated infrastructure. In fact, cyber risk assessment is decoupled from privacy impact assessment, which aims to detect privacy-specific threats and assess the degree of compliance with data protection legislation. Furthermore, a Privacy Impact Assessment (PIA) is conducted in a proactive manner during the design phase of a system, combining processing activities and their inter-dependencies with assets, vulnerabilities, real-time threats and Personally Identifiable Information (PII) that may occur during the dynamic life-cycle of systems. In this paper, we propose a cyber and privacy risk management toolkit, called AMBIENT (AutoMated cyBer and prIvacy risk managEmeNt Toolkit) that addresses the above challenges by implementing and integrating three distinct software tools. AMBIENT not only assesses cyber and privacy risks in a thorough and automated manner but it also offers decision-support capabilities, to recommend optimal safeguards using the well-known repository of the Center for Internet Security (CIS) Controls. To the best of our knowledge, AMBIENT is the first toolkit, in the academic literature, that brings together the aforementioned capabilities. To demonstrate its use, we have created a case scenario based on information about cyber attacks we have received from a healthcare organisation, as a reference sector that faces critical cyber and privacy threats.
BASE
Assessing Privacy Risk of Temporal Purchasing Footprints
Privacy as a fundamental human right remains a challenge in our data-driven society. Legislators in developed countries did their best to enact laws to protect this right. The most well-established privacy law is the GDPR in the European Union. While the GDPR creates a detailed framework to define every aspect of interaction with data, there are still some gaps that remain. One of these gaps is the lack of numeric assessment methods to measure different risks that data subjects may face in a data breach situation. Based on Article 35 of the GDPR, EU companies are required to perform a Data Protection Impact Assessment (DPIA), but the law does not mention precisely how to do such assessments and does not provide any numeric methodologies. In this thesis work, we explain the details of this challenge and introduce different existing frameworks to overcome it. We go into the details of PRUDEnce, a framework to assess the re-identification risk in background-knowledge-based attacks. The main contribution of this thesis is examining the PRUDEnce framework on the temporal purchasing footprints dataset of shopping baskets and proving the ability of the framework to provide a numeric risk assessment in such datasets. Our findings confirm the results of the main research paper and demonstrate how the risk changes numerically with the increment of the background knowledge of adversaries.
BASE
Automated Cyber and Privacy Risk Management Toolkit
Toolkit; Cybersecurity; Privacy ; Addressing cyber and privacy risks has never been more critical for organisations. While a number of risk assessment methodologies and software tools are available, it is most often the case that one must, at least, integrate them into a holistic approach that combines several appropriate risk sources as input to risk mitigation tools. In addition, cyber risk assessment primarily investigates cyber risks as the consequence of vulnerabilities and threats that threaten assets of the investigated infrastructure. In fact, cyber risk assessment is decoupled from privacy impact assessment, which aims to detect privacy-specific threats and assess the degree of compliance with data protection legislation. Furthermore, a Privacy Impact Assessment (PIA) is conducted in a proactive manner during the design phase of a system, combining processing activities and their inter-dependencies with assets, vulnerabilities, real-time threats and Personally Identifiable Information (PII) that may occur during the dynamic life-cycle of systems. In this paper, we propose a cyber and privacy risk management toolkit, called AMBIENT (Automated Cyber and Privacy Risk Management Toolkit) that addresses the above challenges by implementing and integrating three distinct software tools. AMBIENT not only assesses cyber and privacy risks in a thorough and automated manner but it also offers decision-support capabilities, to recommend optimal safeguards using the well-known repository of the Center for Internet Security (CIS) Controls. To the best of our knowledge, AMBIENT is the first toolkit in the academic literature that brings together the aforementioned capabilities. To demonstrate its use, we have created a case scenario based on information about cyber attacks we have received from a healthcare organisation, as a reference sector that faces critical cyber and privacy threats.
BASE
Understanding third-person perception about Internet privacy risks
In: New media & society: an international and interdisciplinary forum for the examination of the social dynamics of media and information change, Volume 23, Issue 3, pp. 419-437
ISSN: 1461-7315
This study aims to test the third-person effect (TPE) in the perception of Internet privacy risks. Support was found for a TPE model suggesting that users report greater perceived Internet privacy risks on others than on themselves, based on a sample (N = 613) from Amazon MTurk. In particular, the differential perception of Internet privacy risks between self and others increased people's willingness to recommend protective measures to others but decreased their willingness to adopt protective measures themselves. Moreover, social distance, perceived Internet privacy knowledge, negative online privacy experiences, and Internet use activities emerged as significant predictors of TPE perceptions about Internet privacy risks. Study findings indicated that third-person perception is one of the major barriers inhibiting the adoption of privacy protection measures. The antecedents of TPE perceptions detected here provide valuable implications about how to enable Internet users to protect their privacy security.