Search results

1 – 10 of over 14000
Article
Publication date: 13 November 2017

Christos Kalloniatis

The purpose of this paper is to extend PriS (privacy safeguard), a privacy requirements engineering method for eliciting and modelling privacy requirements during system design…

Abstract

Purpose

The purpose of this paper is to extend PriS (privacy safeguard), a privacy requirements engineering method for eliciting and modelling privacy requirements during system design, with the addition of privacy-aware cloud-based concepts to assist analysts to reason and model about privacy in cloud environments.

Design/methodology/approach

An analysis of previous findings on the file of cloud privacy based on previous work has been conducted and a set of privacy-related concepts that need to be considered during privacy analysis for cloud-based systems have been revealed. These concepts were used for extending the conceptual model of PriS.

Findings

The main finding of the paper is the design of a new, novel conceptual model that assists analysts and designers in reasoning about privacy in cloud environments. A new template using the JSON (Javascript notation object) format has been introduced for better expressing the privacy requirements along with the related concepts presented through the conceptual model, thus letting the developers to better understand the findings during the design stage and better guide them to the implementation of the respective solution.

Research limitations/implications

The design of a cloud-based process that will guide analysts in detail for eliciting and modelling the identified privacy-related requirements is the limitation and in parallel the next step of the specific work presented here.

Practical implications

The conceptual model has been applied on a real case scenario regarding its efficiency on capturing and mapping all necessary concepts for assisting analysts proceed with the design of the privacy-aware system. The results were positive, all concepts were easy to use and totally understandable from the design team and the stakeholders and the use of the JSON template received very positive comments, especially from the developer’s team.

Originality/value

The paper presents a novel conceptual model for reasoning about privacy requirements in the cloud. The applicability of the proposed model has also been tested on a real case study.

Details

Information & Computer Security, vol. 25 no. 5
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 18 December 2019

Konstantina Vemou and Maria Karyda

In the Web 2.0 era, users massively communicate through social networking services (SNS), often under false expectations that their communications and personal data are private…

Abstract

Purpose

In the Web 2.0 era, users massively communicate through social networking services (SNS), often under false expectations that their communications and personal data are private. This paper aims to analyze privacy requirements of personal communications over a public medium.

Design/methodology/approach

This paper systematically analyzes SNS services as communication models and considers privacy as an attribute of users’ communication. A privacy threat analysis for each communication model is performed, based on misuse scenarios, to elicit privacy requirements per communication type.

Findings

This paper identifies all communication attributes and privacy threats and provides a comprehensive list of privacy requirements concerning all stakeholders: platform providers, users and third parties.

Originality/value

Elicitation of privacy requirements focuses on the protection of both the communication’s message and metadata and takes into account the public–private character of the medium (SNS platform). The paper proposes a model of SNS functionality as communication patterns, along with a method to analyze privacy threats. Moreover, a comprehensive set of privacy requirements for SNS designers, third parties and users involved in SNS is identified, including voluntary sharing of personal data, the role of the SNS platforms and the various types of communications instantiating in SNS.

Details

Information & Computer Security, vol. 28 no. 1
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 1 March 2006

Evangelia Kavakli, Christos Kalloniatis, Pericles Loucopoulos and Stefanos Gritzalis

To present a new methodology for incorporating privacy requirements into the system design process called PriS, and describe its applicability in the e‐VOTE system for presenting…

1209

Abstract

Purpose

To present a new methodology for incorporating privacy requirements into the system design process called PriS, and describe its applicability in the e‐VOTE system for presenting methodology's way‐of‐working.

Design/methodology/approach

PriS is a requirement engineering methodology focused on privacy issues. It provides a set of concepts for modelling privacy requirements (anonymity, pseudonymity, unlinkability and unobservability) in the organisation domain and a systematic way‐of‐working for translating these requirements into system models. The conceptual model used in PriS is based on the Enterprise Knowledge Development (EKD) framework. PriS models privacy requirements as a special type of goal.

Findings

Based on the analysis of a number of well‐known privacy‐enhancing technologies as well as of existing security requirement engineering methodologies, this paper pinpoints the gap between system design methodologies and technological solutions. To this end, PriS is suggested, with a view to providing a methodological framework for matching privacy‐related requirements with the proper implementation techniques.

Originality/value

This paper proposes a new methodology for addressing privacy requirements during the design process. It guides developers to choose the most appropriate implementation techniques for realising the identified privacy issues. PriS methodology has a high degree of applicability on Internet systems that wish to provide services that ensure users privacy, such as anonymous browsing, untraceable transactions, etc.

Details

Internet Research, vol. 16 no. 2
Type: Research Article
ISSN: 1066-2243

Keywords

Article
Publication date: 1 December 2007

Evangelia Kavakli, Stefanos Gritzalis and Kalloniatis Christos

The purpose of the paper is to present Privacy Safeguard (PriS) a formal security requirements engineering methodology which, incorporates privacy requirements in the system…

Abstract

Purpose

The purpose of the paper is to present Privacy Safeguard (PriS) a formal security requirements engineering methodology which, incorporates privacy requirements in the system design process and to demonstrate its applicability in an e‐voting case.

Design/methodology/approach

PriS provides a methodological framework for addressing privacy‐related issues during system development. It provides a set of concepts for formally expressing privacy requirements (authentication, authorisation, identification, data protection, anonymity, pseudonymity, unlinkability and unobservability) and a systematic way‐of‐working for translating these requirements into system models. The main activities of the PriS way‐of‐working are: elicit privacy‐related goals, analyse the impact of privacy goals on processes, model affected processes using privacy process patterns and identify the technique(s) that best support/implement the above‐process patterns.

Findings

Analysis of a number of well known privacy‐enhancing technologies, as well as of existing security requirement engineering methodologies, pinpoints the gap between system design methodologies and technological solutions. To this end, PriS provides an integrated approach for matching privacy‐related requirements to proper implementation techniques. Experimentation with the e‐voting case suggests that PriS has a high degree of applicability on internet systems that wish to provide services that ensure users privacy, such as anonymous browsing, untraceable transactions, etc.

Originality/value

The paper proposes a new methodology for addressing privacy requirements during the design process. Instead of prescribing a single solution, PriS guides developers to choose the most appropriate implementation techniques for realizing the identified privacy issues. In addition, due to its formal definition it facilitates control of the accuracy and precision of the results and enables the development of automated tools for assisting its application.

Details

Transforming Government: People, Process and Policy, vol. 1 no. 4
Type: Research Article
ISSN: 1750-6166

Keywords

Article
Publication date: 3 April 2009

U.M. Mbanaso, G.S. Cooper, David Chadwick and Anne Anderson

This paper aims to describe a bilateral symmetric approach to authorization, privacy protection and obligation enforcement in distributed transactions. The authors introduce the…

Abstract

Purpose

This paper aims to describe a bilateral symmetric approach to authorization, privacy protection and obligation enforcement in distributed transactions. The authors introduce the concept of the obligation of trust (OoT) protocol as a privacy assurance and authorization mechanism that is built upon the XACML standard. The OoT allows two communicating parties to dynamically exchange their privacy and authorization requirements and capabilities, which the authors term a notification of obligation (NoB), as well as their commitments to fulfilling each other's requirements, which the authors term signed acceptance of obligations (SAO). The authors seek to describe some applicability of these concepts and to show how they can be integrated into distributed authorization systems for stricter privacy and confidentiality control.

Design/methodology/approach

Existing access control and privacy protection systems are typically unilateral and provider‐centric, in that the enterprise service provider assigns the access rights, makes the access control decisions, and determines the privacy policy. There is no negotiation between the client and the service provider about which access control or privacy policy to use. The authors adopt a symmetric, more user‐centric approach to privacy protection and authorization, which treats the client and service provider as peers, in which both can stipulate their requirements and capabilities, and hence negotiate terms which are equally acceptable to both parties.

Findings

The authors demonstrate how the obligation of trust protocol can be used in a number of different scenarios to improve upon the mechanisms that are currently available today.

Practical implications

This approach will serve to increase trust in distributed transactions since each communicating party receives a difficult to repudiate digitally signed acceptance of obligations, in a standard language (XACML), which can be automatically enforced by their respective computing machinery.

Originality/value

The paper adds to current research in trust negotiation, privacy protection and authorization by combining all three together into one set of standardized protocols. Furthermore, by providing hard to repudiate signed acceptance of obligations messages, this strengthens the legal case of the injured party should a dispute arise.

Details

Internet Research, vol. 19 no. 2
Type: Research Article
ISSN: 1066-2243

Keywords

Article
Publication date: 28 August 2019

Vasiliki Diamantopoulou and Haralambos Mouratidis

The enforcement of the General Data Protection Regulation imposes specific privacy- and -security related requirements that any organisation that processes European Union…

Abstract

Purpose

The enforcement of the General Data Protection Regulation imposes specific privacy- and -security related requirements that any organisation that processes European Union citizens’ personal data must comply with. The application of privacy- and security-by-design principles are assisting organisation in achieving compliance with the Regulation. The purpose of this study is to assist data controllers in their effort to achieve compliance with the new Regulation, by proposing the adoption of the privacy level agreement (PLA). A PLA is considered as a formal way for the data controllers and the data subjects to mutually agree the privacy settings of a service provisioned. A PLA supports privacy management, by analysing privacy threats, vulnerabilities and information systems’ trust relationships.

Design/methodology/approach

However, the concept of PLA has only been proposed on a theoretical level. To this aim, two different domains have been selected acting as real-life case studies, the public administration and the health care, where special categories of personal data are processed.

Findings

The results of the evaluation of the adoption of the PLA by the data controllers are positive. Furthermore, they indicate that the adoption of such an agreement facilitates data controllers in demonstrating transparency of their processes. Regarding data subjects, the evaluation process revealed that the use of the PLA increases trust levels on data controllers.

Originality/value

This paper proposes a novel reference architecture to enable PLA management in practice and reports on the application and evaluation of PLA management.

Details

Information & Computer Security, vol. 27 no. 5
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 12 July 2013

Costas Lambrinoudakis

The aim of the paper is to highlight gaps in compliance environments regarding information privacy and provide recommendations for global information privacy standards.

1073

Abstract

Purpose

The aim of the paper is to highlight gaps in compliance environments regarding information privacy and provide recommendations for global information privacy standards.

Design/methodology/approach

The paper draws conceptually upon an existing security standard's framework and omissions in information privacy compliance frameworks are recognized. As a result, an extended framework of information security and privacy standards is developed. Moreover, taking into account the different attributes and focus of information privacy as compared to information security, the elicitation of usability criteria for web applications and interfaces that will assist users to protect their privacy, is being proposed.

Findings

Within ICT standards numerous information security standards exist, which enable a common understanding of security requirements and promote global rules and practices for security mechanisms. Through their usage, designed information systems ultimately reach a commonly accepted security level and interoperate with other systems in an efficient and secure way. Nevertheless, a similar compliance environment is missing with regard to information privacy. Often security controls are seen as the solution to privacy protection and security compliance frameworks are regarded as guidance to information privacy as well. This is clearly the wrong approach since the main security and privacy attributes are different; information security refers to information stored, processed and transmitted for completing the information system's functions and purpose, while information privacy is the protection of the information's subject identity.

Research limitations/implications

The identified gaps in compliance environments are based on extensive literature review, while the proposed enhancements for the information privacy standards are, at this stage, an opinion‐based piece of work.

Originality/value

Currently, information privacy is treated mostly as a legal compliance requirement and thus is not adequately handled by security standards. The paper provides recommendations and further guidance in managerial, procedural and technical level for handling information privacy.

Article
Publication date: 19 June 2017

Chitra Sharma and Anjali Kaushik

Offshoring is a common practice to operationalize global business strategies. Data protection and privacy assurance are major concerns in such international arrangements. This…

Abstract

Purpose

Offshoring is a common practice to operationalize global business strategies. Data protection and privacy assurance are major concerns in such international arrangements. This paper aims to examine the strategy adopted to ensure privacy assurance in offshoring arrangements.

Design/methodology/approach

This is a literature review to understand privacy assurance strategies adopted in offshoring arrangements and an exploratory case study of captive offshoring arrangement with onshore location in Canada and offshoring locations in India and Philippines. A comparative analysis of the privacy laws and privacy principles of Canada, Philippines and India has been done.

Findings

It was found that at the time of migration of process or work to the offshore location, organizations follow a conformist privacy strategy; however, once in business as usual mode, they follow entrepreneur privacy strategy. Privacy impact assessment (PIA) was found to be an important element in resolving the “administrative problem” of an offshoring organization’s privacy assurance strategy.

Research limitations/implications

The core privacy principles are outlined in the PIA templates; however, the current templates are designed to meet the conformist strategy and may need to be revised to include the cultural aspects, training, audit and information security requirements to plan and deliver on the entrepreneur strategy.

Practical implications

Offshoring organizations can benefit by planning for entrepreneur privacy assurance strategy at the inception stage. Enhancements to PIA templates to facilitate the same have been suggested.

Originality/value

Privacy assurance strategy followed by organizations while offshoring has been examined. This paper suggests extending the PIA process so that it covers privacy assurance requirements in offshoring arrangements. The learnings can be used in managing privacy assurance requirements in similar multi-country offshore arrangements.

Details

Journal of Global Operations and Strategic Sourcing, vol. 10 no. 2
Type: Research Article
ISSN: 2398-5364

Keywords

Article
Publication date: 18 May 2020

Aggeliki Tsohou, Emmanouil Magkos, Haralambos Mouratidis, George Chrysoloras, Luca Piras, Michalis Pavlidis, Julien Debussche, Marco Rotoloni and Beatriz Gallego-Nicasio Crespo

General data protection regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data…

1005

Abstract

Purpose

General data protection regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data subjects it turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance is a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of data governance for supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform.

Design/methodology/approach

The platform needs to satisfy legal and privacy requirements and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data attained by stakeholders from different sectors.

Findings

The findings provide the process for the DEFeND platform requirements’ elicitation and an indicative sample of those. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements.

Practical implications

The proposed software engineering methodology and data collection tools (i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry.

Social implications

It is reported repeatedly that data controllers face difficulties in complying with the GDPR. The study aims to offer mechanisms and tools that can assist organizations to comply with the GDPR, thus, offering a significant boost toward the European personal data protection objectives.

Originality/value

This is the first paper, according to the best of the authors’ knowledge, to provide software requirements for a GDPR compliance platform, including multiple perspectives.

Details

Information & Computer Security, vol. 28 no. 4
Type: Research Article
ISSN: 2056-4961

Keywords

Article
Publication date: 28 August 2019

Adéle Da Veiga, Ruthea Vorster, Fudong Li, Nathan Clarke and Steven M. Furnell

The purpose of this study was to investigate the difference between South Africa (SA) and the United Kingdom (UK) in terms of data protection compliance with the aim to establish…

Abstract

Purpose

The purpose of this study was to investigate the difference between South Africa (SA) and the United Kingdom (UK) in terms of data protection compliance with the aim to establish if a country that has had data protection in place for a longer period of time has a higher level of compliance with data protection requirements in comparison with a country that is preparing for compliance.

Design/methodology/approach

An insurance industry multi-case study within the online insurance services environment was conducted. Personal information of four newly created consumer profiles was deposited to 10 random insurance organisation websites in each country to evaluate a number of data privacy requirements of the Data Protection Act and Protection of Personal Information Act.

Findings

The results demonstrate that not all the insurance organisations honored the selected opt-out preference for receiving direct marketing material. This was evident in direct marketing material that was sent from the insurance organisations in the sample to both the SA and UK consumer profiles who opted out for it. A total of 42 unsolicited third-party contacts were received by the SA consumer profiles, whereas the UK consumer profiles did not receive any third-party direct marketing. It was also found that the minimality principle is not always met by both SA and UK organisations.

Research limitations/implications

As a jurisdiction with a heavy stance towards privacy implementation and regulation, it was found that the UK is more compliant than SA in terms of implementation of the evaluated data protection requirements included in the scope of this study, however not fully compliant.

Originality/value

Based upon the results obtained from this research, it suggests that the SA insurance organisations should ensure that the non-compliance aspects relating to direct marketing and sharing data with third parties are addressed. SA insurance companies should learn from the manner in which the UK insurance organisations implement these privacy requirements. Furthermore, the UK insurance organisations should focus on improved compliance for direct marking and the minimality principle. The study indicates the positive role that data protection legislation plays in a county like the UK, with a more mature stance toward compliance with data protection legislation.

1 – 10 of over 14000