Description
When developing an information system or software, privacy must be considered from the very beginning. To identify the privacy threats a system is exposed to, one can apply a privacy threat modeling methodology. Several such methodologies exist. They differ in aspects such as the required expertise and the workload, but also, importantly, in which aspects of privacy they cover. Practitioners therefore need a way to identify a methodology that suits a specific system and meets the expectations of its stakeholders. To support this, we first conduct a systematic literature review (SLR) that provides a comprehensive overview of the available alternatives; we identify 26 methodologies. As part of the SLR, we extract several attributes of each methodology, including its level of maturity, the expertise it requires, and whether it takes certain predefined privacy problems into account. We then perform a qualitative data analysis to identify additional attributes, such as which types of personal data and which types of threat sources a methodology covers. For example, a methodology might cover only sensitive personal data and only threats from external parties, while ignoring threats from the provider of the system under analysis. We present the identified methodologies and the combined list of attributes as a decision matrix and propose a decision-making process that uses this matrix for the systematic selection of a privacy threat modeling methodology. To the best of our knowledge, this is the first SLR of, and the first decision support for, privacy threat modeling methodologies. Furthermore, as part of both the SLR and the qualitative data analysis, we identify gaps in the existing methodologies and, based on these, suggest directions for further research.