Fuzzy-based approach to assess and prioritize privacy risks
Hart, Stephen, Ferrara, Anna Lisa and Paci, Federica (2019) Fuzzy-based approach to assess and prioritize privacy risks. Soft Computing, 1-11. (doi:10.1007/s00500-019-03986-5).
Abstract
The new general data protection regulation requires organizations to conduct a data protection impact assessment (DPIA) when the processing of personal information may result in high risk to individual rights and freedoms. A DPIA allows organizations to identify, assess and prioritize the risks related to the processing of personal information and select suitable mitigations to reduce the severity of the risks. The existing DPIA methodologies measure the severity of privacy risks according to analysts' opinions about the likelihood and the impact factors of the threats. The assessment therefore depends on the expertise of the analysts. To reduce subjectivity, we propose a set of well-defined criteria that analysts can use to measure the likelihood and the impact of a privacy risk. Then, we adopt the fuzzy multi-criteria decision-making approach to systematically measure the severity of privacy risks while modeling the imprecision and vagueness inherent in linguistic assessment. Our approach is illustrated for a realistic scenario with respect to the LINDDUN threat categories.
This record has no associated files available for download.
More information
e-pub ahead of print date: 15 April 2019
Keywords: Fuzzy set theory, Privacy risk assessment, Privacy risks
Identifiers
Local EPrints ID: 432809
URI: http://eprints.soton.ac.uk/id/eprint/432809
ISSN: 1432-7643
PURE UUID: ffd098fb-bc04-4095-85db-a5f2e9b0a40b
Catalogue record
Date deposited: 26 Jul 2019 16:30
Last modified: 16 Mar 2024 01:47
Contributors
Authors: Stephen Hart, Anna Lisa Ferrara, Federica Paci