Kim Wuyts
Katholieke Universiteit Leuven
Publication
Featured research published by Kim Wuyts.
Requirements Engineering | 2011
Mina Deng; Kim Wuyts; Riccardo Scandariato; Bart Preneel; Wouter Joosen
Ready or not, the digitalization of information has come, and privacy is standing out there, possibly at stake. Although digital privacy is an identified priority in our society, few systematic, effective methodologies exist that deal with privacy threats thoroughly. This paper presents a comprehensive framework to model privacy threats in software-based systems. First, this work provides a systematic methodology to model privacy-specific threats. Analogous to STRIDE, an information flow–oriented model of the system is leveraged to guide the analysis and to provide broad coverage. The methodology instructs the analyst on what issues should be investigated, and where in the model those issues could emerge. This is achieved by (i) defining a list of privacy threat types and (ii) providing the mappings between threat types and the elements in the system model. Second, this work provides an extensive catalog of privacy-specific threat tree patterns that can be used to detail the threat analysis outlined above. Finally, this work provides the means to map the existing privacy-enhancing technologies (PETs) to the identified privacy threats. Therefore, the selection of sound privacy countermeasures is simplified.
Requirements Engineering | 2015
Riccardo Scandariato; Kim Wuyts; Wouter Joosen
Microsoft’s STRIDE is a popular threat modeling technique commonly used to discover the security weaknesses of a software system. In turn, discovered weaknesses are a major driver for incepting security requirements. Despite its successful adoption, to date no empirical study has been carried out to quantify the cost and effectiveness of STRIDE. The contribution of this paper is the evaluation of STRIDE via a descriptive study that involved 57 students in their last master year in computer science. The study addresses three research questions. First, it assesses how many valid threats per hour are produced on average. Second, it evaluates the correctness of the analysis results by looking at the average number of false positives, i.e., the incorrect threats. Finally, it determines the completeness of the analysis results by looking at the average number of false negatives, i.e., the overlooked threats.
Journal of Systems and Software | 2014
Kim Wuyts; Riccardo Scandariato; Wouter Joosen
Privacy is a key issue in today's society. Software systems handle more and more sensitive information concerning citizens. It is important that such systems are privacy-friendly by design. In previous work, we proposed a privacy threat analysis methodology, named LINDDUN. The methodology supports requirements engineers and software architects in identifying privacy weaknesses in the system they contribute to developing. As this is a fairly new technique, its results when applied in realistic scenarios are yet unknown. This paper presents a series of three empirical studies that thoroughly evaluate LINDDUN from a multi-faceted perspective. Our assessment characterizes the correctness and completeness of the analysis results produced by LINDDUN, as well as the productivity associated with executing the methodology. We also look into aspects such as the ease of use and reliability of LINDDUN. The results are encouraging, overall. However, some areas for further improvement have been identified as a result of this empirical inquiry.
Availability, Reliability and Security | 2009
Kim Wuyts; Riccardo Scandariato; Bart De Decker; Wouter Joosen
Privacy is gaining importance since more and more data becomes digitalized. There is also a growing interest from the security community because of the existing synergy between security and privacy. Unfortunately, the privacy development life cycle is less advanced than the security one. A clear classification into different objectives is not available yet. This paper attempts to scope the privacy landscape for software engineering by proposing an operational definition for privacy and by describing a privacy taxonomy. The taxonomy is rooted in the definition and presents a classification of privacy objectives, which correspond to the developers' goals. Each objective can be achieved by one or more strategies. As a validation for the taxonomy, existing privacy solutions are matched to each strategy.
International Journal of Secure Software Engineering | 2011
Wouter Joosen; Kim Wuyts; Riccardo Scandariato; Griet Verhenneman
Many initiatives exist that integrate e-health systems on a large scale. One of the main technical challenges is access control, although several frameworks and solutions, like XACML, are becoming standard practice. Data is no longer shared within one affinity domain but becomes ubiquitous, which results in a loss of control. As patients will be less willing to participate without additional control strategies, patient consents are introduced that allow the patients to determine precise access rules on their medical data. This paper explores the consequences of integrating consent in e-health access control. First, consent requirements are examined, after which an architecture is proposed which incorporates patient consent in the access control service of an e-health system. To validate the proposed concepts, a proof-of-concept implementation is built and evaluated.
Availability, Reliability and Security | 2008
Kim Wuyts; Riccardo Scandariato; Geert Claeys; Wouter Joosen
Healthcare is an information-intensive domain and therefore information technologies are playing an ever-growing role in this sector. They are expected to increase the efficiency of the delivery of healthcare services in order to both improve the quality and reduce the costs. In this context, security has been identified as a priority although several gaps still exist. This paper reports on the results of assessing the threats to XDS-based architectures. Accordingly, an architectural solution to the identified threats is presented.
Informatics for Health & Social Care | 2014
Femke De Backere; Femke Ongenae; Frederic Vannieuwenborg; Jan Van Ooteghem; Pieter Duysburgh; Arne Jansen; Jeroen Hoebeke; Kim Wuyts; Jen Rossey; Floris Van den Abeele; Karen Willems; Jasmien Decancq; Jan Henk Annema; Nicky Sulmon; Dimitri Van Landuyt; Stijn Verstichel; Pieter Crombez; Ann Ackaert; Dirk De Grooff; An Jacobs; Filip De Turck
The increasing elderly population and the shift from acute to chronic illness make it difficult to care for people in hospitals and rest homes. Moreover, elderly people, if given a choice, want to stay at home as long as possible. In this article, the methodologies to develop a cloud-based semantic system, offering valuable information and knowledge-based services, are presented. The information and services are related to the different personal living hemispheres of the patient, namely the daily care-related needs, the social needs and the daily life assistance. Ontologies are used to facilitate the integration, analysis, aggregation and efficient use of all the available data in the cloud. By using an interdisciplinary research approach, where user researchers, (ontology) engineers, researchers and domain stakeholders are at the forefront, a platform can be developed of great added value for the patients that want to grow old in their own home and for their caregivers.
ACM Symposium on Applied Computing | 2018
Kim Wuyts; Dimitri Van Landuyt; Aram Hovsepyan; Wouter Joosen
Privacy and security are crosscutting in the design of any software system or service, and thus a broad focus on the end-to-end system architecture is required. For this reason, systematic approaches to elicit security and privacy threats and risks are gaining importance. Such approaches however are highly analytic, require substantial effort and rely extensively on domain expertise. Applying these methods in practice easily leads to the problem of threat explosion, where the effort required to prioritize and consider all threats starts exceeding the benefits of adopting these methods. To address this impediment to practical adoption, we present our approach to improve LINDDUN, an existing privacy engineering method. We create a domain refinement questionnaire, which involves activating and deactivating threat tree nodes by posing specific questions to the privacy engineer or software architect, leading to the a priori exclusion of non-applicable threats from the analysis exercise. The efficiency gain can be strengthened further by incorporating reusable domain knowledge in the approach to instantiate the questionnaire.
Archive | 2014
Kim Wuyts; Riccardo Scandariato; Wouter Joosen
Health Technology | 2012
Kim Wuyts; Griet Verhenneman; Riccardo Scandariato; Wouter Joosen; Jos Dumortier