-
Consent verification monitoring
Authors:
Marco Robol,
Travis D. Breaux,
Elda Paja,
Paolo Giorgini
Abstract:
Advances in service personalization are driven by low-cost data collection and processing, in addition to the wide variety of third-party frameworks for authentication, storage, and marketing. New privacy regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), increasingly require organizations to explicitly state their data practices in p…
▽ More
Advances in service personalization are driven by low-cost data collection and processing, in addition to the wide variety of third-party frameworks for authentication, storage, and marketing. New privacy regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), increasingly require organizations to explicitly state their data practices in privacy policies. When data practices change, a new version of the policy is released. This can occur a few times a year, when data collection or processing requirements are rapidly changing. Consent evolution raises specific challenges to ensuring GDPR compliance. We propose a formal consent framework to support organizations, data users and data subjects in their understanding of policy evolution under a consent regime that supports both the retroactive and non-retroactive granting and withdrawal of consent. The contributions include: (i) a formal framework to reason about data collection and access under multiple consent granting and revocation scenarios; (ii) a scripting language that implements the consent framework for encoding and executing different scenarios; (iii) five consent evolution use cases that illustrate how organizations would evolve their policies using this framework; and (iv) a scalability evaluation of the reasoning framework. The framework models are used to verify when user consent prevents or detects unauthorized data collection and access. The framework can be integrated into a runtime architecture to monitor policy violations as data practices evolve in real-time. The framework was evaluated using the five use cases and a simulation to measure the framework scalability. The simulation results show that the approach is computationally scalable for use in runtime consent monitoring under a standard model of data collection and access, and practice and policy evolution.
△ Less
Submitted 13 June, 2022;
originally announced June 2022.
-
Knowledge-driven Data Ecosystems Towards Data Transparency
Authors:
Sandra Geisler,
Maria-Esther Vidal,
Cinzia Cappiello,
Bernadette Farias Lóscio,
Avigdor Gal,
Matthias Jarke,
Maurizio Lenzerini,
Paolo Missier,
Boris Otto,
Elda Paja,
Barbara Pernici,
Jakob Rehof
Abstract:
A Data Ecosystem offers a keystone-player or alliance-driven infrastructure that enables the interaction of different stakeholders and the resolution of interoperability issues among shared data. However, despite years of research in data governance and management, trustability is still affected by the absence of transparent and traceable data-driven pipelines. In this work, we focus on requiremen…
▽ More
A Data Ecosystem offers a keystone-player or alliance-driven infrastructure that enables the interaction of different stakeholders and the resolution of interoperability issues among shared data. However, despite years of research in data governance and management, trustability is still affected by the absence of transparent and traceable data-driven pipelines. In this work, we focus on requirements and challenges that data ecosystems face when ensuring data transparency. Requirements are derived from the data and organizational management, as well as from broader legal and ethical considerations. We propose a novel knowledge-driven data ecosystem architecture, providing the pillars for satisfying the analyzed requirements. We illustrate the potential of our proposal in a real-world scenario. Lastly, we discuss and rate the potential of the proposed architecture in the fulfillment of these requirements.
△ Less
Submitted 21 May, 2021; v1 submitted 19 May, 2021;
originally announced May 2021.
-
A Mixed-method Study on Security and Privacy Practices in Danish Companies
Authors:
Asmita Dalela,
Saverio Giallorenzo,
Oksana Kulyk,
Jacopo Mauro,
Elda Paja
Abstract:
Increased levels of digitalization in society expose companies to new security threats, requiring them to establish adequate security and privacy measures. Additionally, the presence of exogenous forces like new regulations, e.g., GDPR and the global COVID-19 pandemic, pose new challenges for companies that should preserve an adequate level of security while having to adapt to change. In this pape…
▽ More
Increased levels of digitalization in society expose companies to new security threats, requiring them to establish adequate security and privacy measures. Additionally, the presence of exogenous forces like new regulations, e.g., GDPR and the global COVID-19 pandemic, pose new challenges for companies that should preserve an adequate level of security while having to adapt to change. In this paper, we investigate such challenges through a two-phase study in companies located in Denmark -- a country characterized by a high level of digitalization and trust -- focusing on software development and tech-related companies. Our results show a number of issues, most notably i) a misalignment between software developers and management when it comes to the implementation of security and privacy measures, ii) difficulties in adapting company practices in light of implementing GDPR compliance, and iii) different views on the need to adapt security measures to cope with the COVID-19 pandemic.
△ Less
Submitted 8 April, 2021;
originally announced April 2021.
-
"It's Not Something We Have Talked to Our Team About": Results From a Preliminary Investigation of Cybersecurity Challenges in Denmark
Authors:
Camilla Nadja Fleron,
Jonas Kofod Jørgensen,
Oksana Kulyk,
Elda Paja
Abstract:
Although Denmark is reportedly one of the most digitised countries in Europe, IT security in Danish companies has not followed along. To shed light into the challenges that companies experience with implementing IT security, we conducted a preliminary study running semi-structured interviews with four employees from four different companies, asking about their IT security and what they need to red…
▽ More
Although Denmark is reportedly one of the most digitised countries in Europe, IT security in Danish companies has not followed along. To shed light into the challenges that companies experience with implementing IT security, we conducted a preliminary study running semi-structured interviews with four employees from four different companies, asking about their IT security and what they need to reduce risks of cyber threats. Our results show that companies are lacking fundamental security protection and are in need of guidance and tools to help them implementing basic security practices, while raising awareness of cyber threats. Based on our findings and with the inspiration of the latest reports and international security standards, we discuss steps towards further investigation towards develo** a framework targeting SMEs that want to adopt straightforward and actionable IT security guidance.
△ Less
Submitted 10 July, 2020;
originally announced July 2020.