IEEE Access (Jan 2018)

A Data-Driven Security Risk Assessment Scheme for Personal Data Protection

  • Shi-Cho Cha,
  • Kuo-Hui Yeh

DOI
https://doi.org/10.1109/ACCESS.2018.2868726
Journal volume & issue
Vol. 6
pp. 50510 – 50517

Abstract

To protect collected personal data, current data protection laws and regulations usually request organizations that accumulate and use personal data to adopt reasonable security safeguards. In this case, risk assessment approaches enable organizations to specify security controls appropriate to the risks to their personal data. This paper proposes a data-driven risk assessment approach for personal data protection. In the proposed approach, an organization can model flows of collected personal data using extended data flow diagrams. In addition to recognizing scenarios of personal data collection and usage, the organization can identify the components used to process, store, and transmit data. Based on the associated components, the organization can identify potential incidents affecting each item of personal data for further risk evaluation. Compared to a traditional asset-oriented risk assessment approach, the proposed method diminishes risks to assets associated with sensitive personal data. In addition, compared to a process-oriented risk assessment approach, our approach prevents organizations from overlooking risks to sensitive data that are not used in critical business processes. While the proposed approach can improve the risk assessment accuracy of personal data protection, the study may hopefully help organizations adopt more appropriate security safeguards to protect personal data.

Keywords