Cybersecurity Systems (CSSs) play a fundamental role in guaranteeing data confidentiality, integrity, and availability. However, while processing data, CSSs can intentionally or unintentionally expose personal information to people that can misuse them. For this reason, privacy implications of a CSS should be carefully evaluated. This is a challenging task mainly because modern CSSs have complex architectures and components. Moreover, data processed by CSSs can be exposed to different actors, both internal and external to the organization. This contribution presents a methodology, called EPIC, that is specifically designed to evaluate privacy violation risks in cybersecurity systems. Differently, from other general purpose guidelines, EPIC is an operational methodology aimed at guiding security and privacy experts with step-by-step instructions from modeling data exposure in the CSS to the systematical identification of privacy threats and evaluation of their associated privacy violation risk. This contribution also shows the application of the EPIC methodology to the use case of a large academic organization CSS protecting over 15, 000 hosts.

EPIC: a Methodology for Evaluating Privacy Violation Risk in Cybersecurity Systems / S. Mascetti, N. Metoui, A. Lanzi, C. Bettini. - In: TRANSACTIONS ON DATA PRIVACY. - ISSN 2013-1631. - 11:3(2018), pp. 239-277.

EPIC: a Methodology for Evaluating Privacy Violation Risk in Cybersecurity Systems

S. Mascetti
Primo
;
N. Metoui
Secondo
;
A. Lanzi
Penultimo
;
C. Bettini
Ultimo
2018

Abstract

Cybersecurity Systems (CSSs) play a fundamental role in guaranteeing data confidentiality, integrity, and availability. However, while processing data, CSSs can intentionally or unintentionally expose personal information to people that can misuse them. For this reason, privacy implications of a CSS should be carefully evaluated. This is a challenging task mainly because modern CSSs have complex architectures and components. Moreover, data processed by CSSs can be exposed to different actors, both internal and external to the organization. This contribution presents a methodology, called EPIC, that is specifically designed to evaluate privacy violation risks in cybersecurity systems. Differently, from other general purpose guidelines, EPIC is an operational methodology aimed at guiding security and privacy experts with step-by-step instructions from modeling data exposure in the CSS to the systematical identification of privacy threats and evaluation of their associated privacy violation risk. This contribution also shows the application of the EPIC methodology to the use case of a large academic organization CSS protecting over 15, 000 hosts.
cybersecurity System; Privacy violation risk; Privacy impact assessment
Settore INF/01 - Informatica
Article (author)
File in questo prodotto:
File Dimensione Formato  
paper.pdf

accesso riservato

Tipologia: Pre-print (manoscritto inviato all'editore)
Dimensione 1.56 MB
Formato Adobe PDF
1.56 MB Adobe PDF   Visualizza/Apri   Richiedi una copia
tdp.a290a17.pdf

accesso aperto

Tipologia: Publisher's version/PDF
Dimensione 1.55 MB
Formato Adobe PDF
1.55 MB Adobe PDF Visualizza/Apri
Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/2434/586223
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 3
  • ???jsp.display-item.citation.isi??? 3
social impact