DOI: 10.1145/2994539.2994541
Research article (Public Access), ACM Conference Proceedings (CCS)

Privacy Risk in Cybersecurity Data Sharing

Published: 24 October 2016

Abstract

As information systems become increasingly interdependent, there is an increased need to share cybersecurity data across government agencies and companies, and within and across industrial sectors. This sharing includes threat, vulnerability and incident reporting data, among other data. For cyberattacks that include sociotechnical vectors, such as phishing or watering hole attacks, this increased sharing could expose customer and employee personal data to increased privacy risk. In the US, privacy risk arises when the government voluntarily receives data from companies without meaningful consent from individuals, or without a lawful procedure that protects an individual's right to due process. In this paper, we describe a study to examine the trade-off between the need for potentially sensitive data, which we call incident data usage, and the perceived privacy risk of sharing that data with the government. The study comprises two parts: a data usage estimate built from a survey of 76 security professionals with a mean of eight years' experience; and a privacy risk estimate that measures privacy risk using an ordinal likelihood scale and nominal data types in factorial vignettes. The privacy risk estimate also factors in data purposes with different levels of societal benefit, including terrorism, imminent threat of death, economic harm, and loss of intellectual property. The results show which data types are high-usage, low-risk versus those that are low-usage, high-risk. We discuss the implications of these results and recommend future work to improve privacy when data must be shared despite the increased risk to privacy.

Published In

WISCS '16: Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security, October 2016, 88 pages. ISBN: 9781450345651. DOI: 10.1145/2994539

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. cybersecurity data sharing
  2. data usage
  3. personal privacy
  4. risk perception

Qualifiers

  • Research-article

Conference

CCS'16

Acceptance Rates

WISCS '16 Paper Acceptance Rate: 8 of 24 submissions, 33%
Overall Acceptance Rate: 23 of 58 submissions, 40%

Article Metrics

  • Downloads (Last 12 months): 550
  • Downloads (Last 6 weeks): 58
Reflects downloads up to 22 Dec 2024

Cited By

  • (2024) Impact of gain-loss framing on online scam susceptibility: the role of scam frames, warning frames, and risk perception. Behaviour & Information Technology, 10.1080/0144929X.2024.2378883, pp. 1-14. Online publication date: 23-Jul-2024
  • (2022) A Two-Fold Study to Investigate Users' Perception of IoT Information Sensitivity Levels and Their Willingness to Share the Information. Emerging Information Security and Applications, 10.1007/978-3-030-93956-4_6, pp. 87-107. Online publication date: 12-Jan-2022
  • (2021) What's in a Cyber Threat Intelligence sharing platform? Proceedings of the 37th Annual Computer Security Applications Conference, 10.1145/3485832.3488030, pp. 385-398. Online publication date: 6-Dec-2021
  • (2021) PHIN: A Privacy Protected Heterogeneous IoT Network. Research Challenges in Information Science, 10.1007/978-3-030-75018-3_8, pp. 124-141. Online publication date: 8-May-2021
  • (2020) Managing Big Data for Addressing Research Questions in a Collaborative Project on Automated Driving Impact Assessment. Sensors, 10.3390/s20236773, vol. 20, no. 23, article 6773. Online publication date: 27-Nov-2020
  • (2020) Privacy Adversarial Network. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, 10.1145/3369816, vol. 3, no. 4, pp. 1-18. Online publication date: 14-Sep-2020
  • (2020) BHDA - A Blockchain-Based Hierarchical Data Access Model for Financial Services. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 10.1109/TrustCom50675.2020.00077, pp. 530-538. Online publication date: Dec-2020
  • (2020) Approach to Mitigate the Cyber-Environment Risks of a Technology Platform. 2020 3rd International Conference on Information and Computer Technologies (ICICT), 10.1109/ICICT50521.2020.00069, pp. 390-396. Online publication date: Mar-2020
  • (2019) Prototype to Mitigate the Risks of the Integrity of Cyberattack Information in Electoral Processes in Latin America. Proceedings of the 2019 2nd International Conference on Education Technology Management, 10.1145/3375900.3375915, pp. 111-118. Online publication date: 18-Dec-2019
  • (2019) GDPR Compliance in Cybersecurity Software. Proceedings of the 14th International Conference on Availability, Reliability and Security, 10.1145/3339252.3340516, pp. 1-8. Online publication date: 26-Aug-2019