TY - JOUR
T1 - Enhancing Privacy Risk Modeling in Practice
T2 - A Case Study of an e-Justice System
AU - Gakh, Valerii
AU - Bahsi, Hayretdin
AU - Hoffmann, Thomas
AU - Boyarchuk, Artem
AU - Khramov, Oleksii
N1 - Publisher Copyright:
© 2013 IEEE.
PY - 2024
Y1 - 2024
N2 - Conducting a proper privacy analysis of a complex system is challenging in practice. Some privacy analysis methods and guidelines do not provide clear steps, limiting their applicability. Others suffer from practicality due to a lack of support from reference materials and common knowledge bases. On the other side, the minority of industrially recognized privacy analysis tools may sometimes appear insufficient for case-specific analyst needs. The privacy analysis tooling should be fine-tuned for more effective practical application. In this paper, we proposed enhancements to one of the known but underused privacy risk analysis methods - PRIAM- and demonstrated our results in a case study with an e-justice system. First, we identified the weaknesses of PRIAM, such as its ambiguity in its terminology, lack of descriptions of the risk modeling process, and lack of common-knowledge materials for modeling decisions. We compared how these problems are dealt with in PRIAM and an industrially recognized privacy analysis method, LINDDUN and its derivatives. Eventually, we developed practical guidelines for the risk modeling steps of PRIAM, which benefit from the LINDDUN method and its supporting materials. Then, we demonstrate the applicability of our proposed enhancements and guidelines by conducting a privacy risk modeling on an e-justice platform. As this platform covers various components, including a blockchain, we also elaborated on our findings from technical and legal perspectives.
AB - Conducting a proper privacy analysis of a complex system is challenging in practice. Some privacy analysis methods and guidelines do not provide clear steps, limiting their applicability. Others suffer from practicality due to a lack of support from reference materials and common knowledge bases. On the other side, the minority of industrially recognized privacy analysis tools may sometimes appear insufficient for case-specific analyst needs. The privacy analysis tooling should be fine-tuned for more effective practical application. In this paper, we proposed enhancements to one of the known but underused privacy risk analysis methods - PRIAM- and demonstrated our results in a case study with an e-justice system. First, we identified the weaknesses of PRIAM, such as its ambiguity in its terminology, lack of descriptions of the risk modeling process, and lack of common-knowledge materials for modeling decisions. We compared how these problems are dealt with in PRIAM and an industrially recognized privacy analysis method, LINDDUN and its derivatives. Eventually, we developed practical guidelines for the risk modeling steps of PRIAM, which benefit from the LINDDUN method and its supporting materials. Then, we demonstrate the applicability of our proposed enhancements and guidelines by conducting a privacy risk modeling on an e-justice platform. As this platform covers various components, including a blockchain, we also elaborated on our findings from technical and legal perspectives.
KW - e-justice blockchain
KW - LINDDUN
KW - PRIAM
KW - Privacy risk assessment
UR - http://www.scopus.com/inward/record.url?scp=85210977554&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85210977554&partnerID=8YFLogxK
U2 - 10.1109/ACCESS.2024.3509332
DO - 10.1109/ACCESS.2024.3509332
M3 - Article
AN - SCOPUS:85210977554
SN - 2169-3536
VL - 12
SP - 183851
EP - 183874
JO - IEEE Access
JF - IEEE Access
ER -