SPECIAL SECTION ON ADVANCED SOFTWARE AND DATA ENGINEERING FOR SECURE SOCIETIES

Received July 21, 2018, accepted August 30, 2018, date of publication September 5, 2018, date of current version September 28, 2018.
Digital Object Identifier 10.1109/ACCESS.2018.2868726

A Data-Driven Security Risk Assessment

Scheme for Personal Data Protection
SHI-CHO CHA 1, (Senior Member, IEEE), AND KUO-HUI YEH 2, (Senior Member, IEEE)
1 Department of Information Management, National Taiwan University of Science and Technology, Taipei 106, Taiwan
2 Department of Information Management, National Dong Hwa University, Hualien 97401, Taiwan

Corresponding author: Kuo-Hui Yeh (khyeh@gms.ndhu.edu.tw)

This work was supported in part by the Center for Cyber-physical System Innovation from The Featured Areas Research Center
Program within the framework of the Higher Education Sprout Project by the Ministry of Education (MOE) in Taiwan and in part by the
Ministry of Science and Technology, Taiwan, under Grant MOST 105-2221-E-011-079-MY3, Grant MOST 105-2221-E-259-014-MY3,
Grant MOST 105-2221-E-011-070-MY3, and Grant MOST 107-2218-E-011-012.

ABSTRACT To protect collected personal data, current data protection laws and regulations usually request
organizations that accumulate and use personal data to adopt reasonable security safeguards. In this case, risk
assessment approaches enable organizations to specify security controls as appropriate risks to their personal
data. This paper proposes a data-driven risk assessment approach for personal data protection. In the proposed
approach, an organization can model flows of collected personal data using extended data flow diagrams.
In addition to recognizing scenarios of personal data collection and usage, the organization can identify
components used to process, store, and transmit data. Based on associated components for further risk
evaluation, the organization can identify potential incidents to each personal data. Compared to a traditional
asset-oriented risk assessment approach, the proposed method diminishes risks to assets associated with
sensitive personal data. In addition, compared to a process-oriented risk assessment approach, our approach
prevents organizations from overlooking risks to sensitive data that are not used in critical business processes.
While the proposed approach can improve the risk assessment accuracy of personal data protection, the study
may hopefully help organizations adopt more appropriate security safeguards to protect personal data.

INDEX TERMS Personal data protection, privacy, security, risk assessment, RFID.

I. INTRODUCTION the company violates the General Data Protection Regulation

As information technologies advance, organizations are
increasingly able to collect, store, and use personal data
for personalized services, advertisements, loyalty programs,
and so forth. Although several countries have enacted laws
and regulations to request organizations to protect personal
data, incidents of personal data leakage are commonplace.
According to the statistics of Identity Theft Resource Cen-
ter (ITRC) and Open Security Foundation (OSF) [1], [2],
breaches involving personal data escalate and have recently
contributed to the loss of millions of records of personal data.
Several countries raise fines for personal data leakage, urging
organizations or personal data collectors to protect personal
data earnestly. For example, Taiwan finished the amendment
to the Personal Information Protection Act in 2010, in which
the upper bound of total compensation with regard to an inci-
dent increased from 20 million to 200 million New Taiwan
dollars [3]. In addition, the EU authorities may fine a com-
pany up to 20 million euros or 4% annual global revenue if
(GDPR). Several organizations have proposed guidelines,
such as BS10012 [4] and NIST SP 800-122 [5], to help
organizations establish personal data protection systems.
Current personal data protection laws and regulations
usually follow the OECD Guidelines on the Protection of
Privacy and Trans-Border Flows of Personal Data. In 1995,
the Commission of European Parliament passed Directive
95/46/EC requesting EU member states to prohibit organi-
zations in member states from transferring personal data to
countries lacking personal data protection laws (or regula-
tions) confirming to the OECD guidelines [6]. If an organi-
zation or data collector wishes to accumulate or use personal
data of its consumers or data subjects, the organization must
obey the following OECD guidelines [7]1 :
• Collection and limitation – There should be limits to the
collection of personal data. Moreover, data should be
1 Although the Directive 95/46/EC is superseded by the GDPR, the GDPR
is still followed the OECD guidelines.

2169-3536
2018 IEEE. Translations and content mining are permitted for academic research only.
50510 Personal use is also permitted, but republication/redistribution requires IEEE permission. VOLUME 6, 2018
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
S.-C. Cha, K.-H. Yeh: Data-Driven Security Risk Assessment Scheme for Personal Data Protection
obtained by lawful and fair means with consent of data
subjects.
• Data quality – Collected data should be kept up-to-date,
accurate, and complete.
• Purpose specification – Purposes should be specified
and disclosed while data are collected.
• Use limitation – The subsequent use of collected data
should fulfill the purposes disclosed while data are
collected.
• Security safeguards – Personal data should be protected
by reasonable security safeguards.
• Openness – The developments, practices, and policies
with respect to personal data should be open.
• Individual participation – Data subjects have the right to
obtain data about themselves and the right to challenge
the accuracy of such data.
• Accountability – The organization is accountable to the
data subject in complying with the above principles.
In upholding the accountability principle, an organization
can assign employees (or the Data Protection Officer) the
responsibility of protecting personal data and dealing with
data subject complaints. The organization can disclose its
practices with personal data and its purpose of use to sat-
isfy the openness principles. Moreover, the organization can
follow disclosed practices to satisfy collection and limitation
and use limitation principles. In addition, the organization can
provide ways for data subjects to access their personal data,
ensuring the accuracy and completeness of collected personal
data and achieving data quality and individual participation
principles. However, when the organization follows the secu-
rity safeguard principle, the organization may wonder what
are ‘‘reasonable’’ security safeguards.
In this case, current personal data protection guidelines and
best practices, such as BS10012 [4], NIST SP 800-122 [5],
Payment Card Industry (PCI) Data Security Standard [8],
and so forth, usually recommend organizations to adopt risk-
based approaches that specify security controls as appropriate
to risks or potential incidents to their personal data. The
GDPR also requests companies to adopt ‘‘appropriate’’ secu-
rity controls based on risks. Generally, organizations establish
risk management processes to identity potential personal
data incidents, evaluate loss expectancies of potential inci-
dents, and adopt appropriate controls for resolution [9], [10].
Although the GDPR requests companies to perform Data
Privacy Impact Analysis (DPIA) on processing personal data,
it focuses on evaluating whether the companies comply with
the personal data protection principles rather than security
risks of personal data.
To systematically identify and evaluate information secu-
rity events, current organizations usually adopt an asset-
oriented approach to assess potential risks. Popular security
risk assessment approaches include NIST SP 800-30 [11],
OCTAVE [12], CRAMM [13], MAGERIT [14],
Cherdantseva et al. [15], Fielder et al. [16], Shin et al. [17],
STPA-SafeSec [18], Abdo et al. [19], and so forth. For
asset-oriented approaches, an organization typically view its
VOLUME 6, 2018
potential incidents as the aggregation of potential incidents to
its assets. The organization then evaluates loss expectancies
of the incidents based on the characteristics of associated
assets, such as the threats, vulnerabilities, and values of the
assets. However, if an organization performs risk assessments
via the asset-oriented approach, it may find that the assess-
ment results are heavily reliant on the experiences and skills
of the evaluator. For example, a person who assesses risks
to an asset in an organization may ignore how critical the
asset is to a business process. For this reason, research, such
as [20]–[22], propose process-oriented approaches to assess
risks to assets, considering whether the assets are involved in
critical business processes. However, for personal data pro-
tection, even if an organization does not use sensitive personal
data in critical business processes, the organization should
take care of assets related to the sensitive data and prevent
asset risks from being underestimated. For instance, a person
who performs risk assessments in an organization should not
ignore risks to the tapes that store sensitive personal data.
To address this, our study proposes a data-driven risk
assessment approach for personal data protection. People
in an organization depict scenarios of collecting and using
personal data in the organization with extended data flow
diagrams (DFDs). In the diagrams, the organization identifies
personal data and components used to store, process, and
transfer data. Based on the components, the organization then
uses the information to evaluate risks to the personal data.
While the proposed approach may prevent organizations from
underestimating risks to personal data, the study hopefully
helps organizations adopt more appropriate security safe-
guards to protect personal data.
The remainder of this paper is organized as follows:
Section II introduces preliminary knowledge and related
work about risk assessment. Section III presents an overview
of the proposed approach. Subsequently, Sections IV and V
explain the proposed approach in detail. Section VI gives an
example about how the proposed approach is used in Taiwan’s
RFID Applications for Campus Security and Safety Enhance-
ment Project for RFID application providers to perform risk
assessments. Section VII offers the main conclusions along
with recommendations for future research.
II. RELATED WORK
Information security risk management processes enable orga-
nizations to identify potential incidents or risks to, informa-
tion systems, adopting the most effective means of controlling
risks and preventing incidents via [9]: (1) risk assessment –
identifying potential incidents to organizations and evaluat-
ing loss expectancies of the incidents; (2) risk treatment –
deciding how to treat potential incidents to organizations;
(3) and, monitoring and re-assessing risk – reviewing the
effectiveness and applying another iteration of risk assess-
ment if necessary. This study focuses on the risk assessment
procedure.
Although organizations may use fault trees [23], misuse
cases [24], attack trees [25], and other tools to analyze
50511
 S.-C. Cha, K.-H. Yeh: Data-Driven Security Risk Assessment Scheme for Personal Data Protection
potential incidents, organizations may have difficulty directly
applying these tools to identify and assess incidents.
Therefore, current risk assessment schemes generally adopt
asset-oriented approaches. According to the requirements of
ISO 27001, current asset-oriented risk assessment schemes
usually enable organizations to employ the following risk
identification steps [26]:
• Identify assets related to the scope of organizational
activities.
• Identify threats or potential causes of incidents to assets
that may harm the organization.
• Determine the vulnerabilities or weaknesses of the asset
that may be exploited by identified threats.
• Estimate loss expectancy when a threat related to an
asset exploits an asset vulnerability.
Generally, identified assets guide the asset-oriented risk
assessment processes in two ways: (1) determining potential
incidents to an organization; (2) evaluating expected losses
associated with those incidents. First, current asset-oriented
risk assessment schemes generally help organizations con-
sider incidents that may occur in relation to its assets and
the origin of those incidents. For instance, [27] and [28]
list common threats and vulnerabilities related to threats
and vulnerability identification. OCTAVE presents a set of
generic threat profiles that organizations may use to identify
and analyze threats to their assets [12]. CORAS gives an
organization a means of visualizing threats to its assets and
vulnerabilities of those assets using diagrams [29].
On the other hand, organizations can use asset information,
especially asset value, to reduce risk assessment. For exam-
ple, when an organization calculates annual loss expectan-
cies (ALEs) for every potential organization incident, it may
analyze its single loss expectancies (SLEs) and annualized
rate of occurrence (ARO) based on related threats and vul-
nerabilities [30]. At this point, an organization can assess
incidents affecting the same asset together rather than sep-
arately. For an asset incident, an organization can simply
determine an expected exposure factor (EF), which represents
the average proportion of asset values likely to be lost from
an incident. The single loss expectancy can be calculated by
simply multiplying the asset value and the expected exposure
factor. Existing example studies are such as [13], [27], [28],
[31], and [32] which usually use asset value as the major
evaluation criterion during risk estimation. In these methods,
instead of evaluating loss expectancies of incidents to every
organizational asset, organizations can select critical assets
based on their value. Nevertheless, this may leave a problem
that assessment of risks involves only critical assets [12].
When people evaluate risks to an asset in an organization,
they may underestimate asset risks if they forget that the
asset is important to a critical business process. For example,
a person may forget that a desktop processes confidential
data, overlooking its importance. To reduce the likelihood of
ignorance, several researchers have proposed risk assessment
schemes that consider the role of an asset in a business
process. For example, to determine the value of an asset
50512
based on its importance to the business process, Suh and
Han proposed an IS methodology for an organization [20].
Khanmohammadi and Houmb [22] proposed that an organi-
zation can group its assets by business processes, assessing
risks to each business process. Cha et al. proposed an orga-
nizational scheme to depict its business processes and assets
in flowcharts, marking its assets on flowcharts to represent
dependencies among assets and the role of assets in business
processes. Therefore, the organization can use the markings
to validate the results of asset valuation based on confiden-
tiality, integrity, and availability [21].
Although an organization assesses risks to assets based
on associated business processes, the organization may still
overlook risks to an asset in storing and processing sensitive
data if the asset is not involved in major business processes.
This study focuses on personal data flows in an organization,
proposing a risk assessment to an organization based on flows
of personal data collected by the organization.
III. THE PROPOSED APPROACH
As depicted in Figure 1, the proposed scheme includes the
following major steps:
• Identify personal data collected and applicable legal
requirements – in assessing risks to personal data col-
lected by an organization, the organization should first
identify its personal data. Based on the data, the organi-
zation can then identify applicable legal requirements.
For instance, Taiwan’s Personal Data Protection Law
prohibits an organization from collecting and using
health-care data, gene data, sexual lives, physical health
checkup data, and criminal records without satisfying
specific legal requirements [3]. Therefore, an organiza-
tion should stop keeping such data if it does not satisfy
associated legal requirements.
• Identify sources of personal data and parties to share
the data – based on identified personal data, organiza-
tions should recognize how data are collected. More-
over, organizations should identify situations in which
personal data are shared and the parties which receive the
data. In addition to using the information to model flows
of personal data, organizations may establish privacy
FIGURE 1. Major steps of the proposed scheme.
VOLUME 6, 2018
S.-C. Cha, K.-H. Yeh: Data-Driven Security Risk Assessment Scheme for Personal Data Protection
policies and disclose policies to data subjects by obtain-
ing data subject consents. To find details about how
organizations establish their privacy policies, interested
people may reference [33].
• Modeling flows of personal data – this study pro-
poses extended DFDs to model flows of personal data.
Therefore, an organization can recognize components
involved in processing, transmitting, and storing per-
sonal data. This study includes details about how to
model flows of personal data in Section IV.
• Identify potential incidents to personal data – as
described in Section V, to evaluate risks to a personal
data in an organization, the organization can identify
potential incidents to the data based on assets related
to the data in the proposed scheme. Note that if an
organization shares personal data with other parties,
the organization should consider potential incidents to
personal data in the parties.
• Evaluate risks – after identifying potential inci-
dents associated with personal data, an organization
applies quantitative or qualitative approaches to evalu-
ate and predict incidents. Consequently, the organiza-
tion can determine how to treat the potential incidents.
Although several risk evaluation approaches have been
recently developed, e.g. the research by Vorster and
Labuschagne [34], no single risk evaluation approach
fits every situation. Therefore, the proposed scheme
does not restrict what risk evaluation approach an orga-
nization adopts.
IV. MODELING FLOWS OF PERSONAL DATA
This work uses data flow diagrams (DFDs) to show how orga-
nizations store, process, and transmit personal data. Although
they can use other diagrams to model flows of data, such as
sequential diagrams, collaborative diagrams, and flowcharts,
DFDs help organizations directly visualize data flows.
Figure 2 lists the graphical notations of DFDs in this study.
As traditional DFDs, this study uses rectangles to represent
entities, circles to represent processes, arrows to show data
flows, and open-ended rectangles to indicate data stores.
Because risks to logical data can be covered by risks to
FIGURE 2. Major graphical notations used in this study.
VOLUME 6, 2018
associated hardware and software, this study uses gray
open-ended rectangles to represent physical data storage.
Moreover, this study enhances the data flow model by
Howard and Leblanc [35]; that is, dotted lines are used in
DFDs to demarcate the boundaries of different components.
To distinguish physical boundaries from logical boundaries,
this study uses thin dotted lines to represent logical or sys-
tem boundaries and thick dotted lines to represent physical
boundaries. Finally, small circles indicate interfaces between
a user and a system (or between two systems). Data stored in
a system can be accessed via system interfaces.
Figure 3 offers an example of visualized personal data
flows via the proposed scheme. Suppose that an organization
provides a website. The website, which is composed of two
systems sX and sY , collects a set of personal data DX from
its users. Three processes (PS A , PS B , and PS C ) are involved
in processing DX : PS A serves to process the personal data
entered by users through the interface I1 of sX . These personal
data are processed by PS A and then stored in local data
storage of SX . PS B obtains DX from PS A and replicates DX
to an external storage device. PS B also forwards DX to PS C
through I3 to enable administrators of sY to know the status
of current users via the interface I4 . The organization presents
online advertisements of an external online advertisement
provider. The provider can obtain DX for personalized adver-
tisements via the interface I2 of sX .
FIGURE 3. Representative flows of personal data with the proposed
scheme.
Table 1 presents a glossary of notations in this work. For
each DFD, an organization can identify a set of personal
data D. Moreover, for each di ∈ D, the organization identifies
the following information:
• A set of systems Sdi to collect, process, and store per-
sonal data di . For simplicity, this study views a system
as an aggregation of components, such as hardware,
software, and so on.
• If a system sj ∈ Sdi provides interfaces for other
s
systems or entities to access di , this study uses Idij to
represent the set of interfaces to access di in sj .
• A set of physical media Mdi containing information
on di . A physical medium, such as a tape and a
document, can exist without systems.
50513
 S.-C. Cha, K.-H. Yeh: Data-Driven Security Risk Assessment Scheme for Personal Data Protection
TABLE 1. Glossary of notations.
• A set of physical regions Ldi that di are processed.
This study assumes systems, media, and entities in a
region have similar environmental risks. Therefore, this
study only identifies environmental risks for each region
lj ∈ Ldi .
• A set of entities Edi that may access di .
V. IDENTIFYING POTENTIAL INCIDENTS TO
PERSONAL DATA
Figure 4 illustrates how an organization can utilize the DFDs
proposed in Section IV to determine potential incidents. This
study assumes that these potential incidents can be viewed as
an aggregation of the potential incidents to each personal data
in the organization. Suppose that an organization collects a set
of personal data D.
FIGURE 4. Steps to identify potential incidents.
For each di in D, an organization first identifies potential
incidents to associated systems Sdi . In this case, several
guidelines offer a list of incidents to information systems.
For instance, OCTAVE proposes that an organization can
consider the following potential incidents: software defects,
malicious code, system crashes, and hardware defects [36].
Moreover, while identifying potential incidents to each sys-
tem sj ∈ Sdi , an organization can consider potential inci-
dents to the interfaces used to access di . Take the security
requirements of X.509 certificate technique as an example,
an organization should protect the transfer of information
from the following potential incidents [37]: identity inter-
ception, masquerade, replay, data interception, manipulation,
repudiation, and denial of service. In addition to protect-
ing electronic data stored in systems and transmitted via
50514
interfaces of the systems, for each physical medium mm
containing di , an organization should identify potential inci-
dents to the medium. Therefore, organizations can establish
operating procedures and appropriate countermeasures to
protect physical media containing the data from disclosing,
modifying, and destroying data.
Furthermore, organizations can identify environmental
risks to regions that di are processed. ISO 27005 provides
a list of environmental risks, such as fire, water damage,
climatic phenomenon, and so on [9]. Organizations can utilize
the list with appropriate customization to identify potential
incidents to components in each region associated to di .
Similarly, an organization can make use of threats and vulner-
abilities to human beings (or entities) provided in ISO 27005
to discover potential incidents to each entity en ∈ Edi .
Finally, organizations can obtain potential incidents to each
personal data and utilize the identification results for further
evaluation.
VI. AN EXAMPLE TO APPLY THE PROPOSED SCHEME
IN THE REAL WORLD
To establish standard rules for RFID application on cam-
puses, Taiwan’s Ministry of Education (MOE) funded a pilot
project at the National Taiwan University of Science and
Technology (NTUST). The RFID Applications for Campus
Security and Safety Enhancement Project focused on campus
security and safety applications in elementary and special-
education schools. Teams from different universities imple-
mented RFID applications at these schools for the following
six scenarios: (a) attendance notification; (b) abnormal body
temperature detection; (c) dangerous zone trespass detection;
(d) library management; (e) management of equipment and
other assets; and (f) guest management.
Privacy is one of the most important issues in this project.
First, the project office invited several experts in privacy law,
information security, and RFID standards and technologies
to establish a consulting team discussing privacy issues
associated with RFID applications. Based on suggestions
from experts, the project office then developed Personal
Data Protection Guidelines for RFID Campus Applications
Implementation.
Figure 5 illustrates major outputs of the guidelines: First,
using the guidelines, RFID application providers develop pri-
vacy policies that meet current regulations and best practices
for RFID privacy. Moreover, providers can use these policies
to communicate with users about how RFID applications col-
lect and use personal data and how these applications protect
personal data. On the other hand, the project office requests
RFID application providers to perform risk assessment based
on guidelines, providing results of risk assessment and risk
treatment to the project office. Therefore, the project office
can check the results and treatment to ensure that RFID
application providers adopt appropriate security safeguards
to protect personal data. The risk assessment requirements of
the guidelines is listed as follows:
VOLUME 6, 2018
S.-C. Cha, K.-H. Yeh: Data-Driven Security Risk Assessment Scheme for Personal Data Protection
FIGURE 5. Majors outputs of the personal data protection guidelines for
RFID campus applications implementation.
Using the means mentioned in Section IV, RFID appli-
cation providers depict flows of personal data for each sce-
nario and identify personal data and associated components.
Figure 6 shows an application scenario for attendance noti-
fication. This scenario has three major system components
(RFID tags, readers, and the attendance notification system)
and two entities (parents of students and teachers). The tag
identification process of an RFID reader emits identification
requests to monitor nearby RFID tags. When a student’s tag
receives the identification request, the process retrieves the
tag’s identity from the local tag repository and sends the
identity back to the reader. After receiving the identity, the tag
identification process transmits the identity to the attendance
logging process in the attendance notification system. The
attendance logging process then identifies the student based
on the map between student identities and associated tag
identities, storing the information in an attendance log. At the
FIGURE 6. Example scenario for attendance notification.
VOLUME 6, 2018
start of the first class of the day, a teacher uses the attendance-
checking process to yield the attendance status. If a teacher
finds a student is missing, he or she requests that the system
send a message to the student’s parents. The attendance noti-
fication process retrieves the relevant contact information and
sends this message.
As illustrated in Figure 6, four types of personal data are
collected and used – the identity of a tag,2 mapping tag
identities and student identities, attendance logs, and contact
information of students’ parents. The application stores per-
sonal data in student tags and the attendance notification sys-
tem. Moreover, the following interfaces transfer personal data
among different components – the interface between RFID
tags and RFID readers (tag IDs), the interface between RFID
readers and the attendance notification systems (tag IDs),
the interface between teachers and attendance notification
systems (attendance logs and student IDs to notification).
The project office of the RFID Applications for Campus
Security and Safety Enhancement further classifies incidents
as an RFID application from the above-mentioned parts into
the following three classes: (1) incidents to tags – potential
incidents to personal data in RFID tags; (2) incidents to
systems – potential incidents to personal data stored in back-
end systems and remote services; (3) incidents to interfaces
– potential incidents to personal data transferred among tags,
back-end systems, and remote services. Based on classes of
incidents listed in Table 2, the project office supplies a list
of incidents suggested for evaluation. For each personal data
collected or used by an RFID application provider, an RFID
application provider should consider incidents to associated
components according to component type. For example, if an
RFID application provider stores personal data in user tags,
the application provider should evaluate potential incidents
of class ‘‘incidents to tags’’ for each kind of tag used to store
the data.
TABLE 2. Example incidents to different classes of components.
The project office requests RFID application providers
to fill out risk evaluation forms to evaluate risk values of
potential incidents to personal data based on risk evalua-
tion criteria. Table 3 is an example of a risk evaluation
form, listing by data and associated components the inci-
dents to data collected and utilized by an RFID applica-
tion provider. For each component, the RFID application
provider evaluate risk values to the component. The project
office further requests RFID application providers to provide
2 Because the system can link a student to a tag based on the mapping
between tag identities and student identities, the provider should treat tag
identity as personal identifiable data.
50515
 S.-C. Cha, K.-H. Yeh: Data-Driven Security Risk Assessment Scheme for Personal Data Protection
TABLE 3. An snapshoot of a risk evaluation form.
information about countermeasures and describe why they
are appropriate.
Finally, an RFID application provider should regularly
monitor and review residual risks and identify acceptable
risks to ensure the accuracy and effectiveness of risk assess-
ment and treatment. Moreover, a provider may need to re-
assess risks to reflect major application changes. In the RFID
Applications for Campus Security and Safety Enhancement
Project, the project office requests that RFID application
providers maintain risk management processes and asso-
ciated application records. To ensure the effectiveness of
risk management processes, the project office reviews data
periodically. We have implemented the proposed risk assess-
ment scheme as C#.net WinForm application with Visual
Studio 2017. Figure 7 presents a snapshot of our project
implementation in which a security assessment process is
demonstrated.
FIGURE 7. A system snapshot of our project implementation.
VII. CONCLUSIONS AND FUTURE WORK
This study proposes a data-driven risk assessment approach
to personal data protection in which an organization models
50516
collected personal data flows using DFDs. In addition to
recognizing scenarios of personal data collection and usage,
the organization identifies components used to process, store,
and transmit personal data. Based on associated compo-
nents, the organization can identify potential incidents to
each personal data. Compared to the traditional asset-oriented
risk assessment approaches, the proposed approach prevents
risks to assets associated with sensitive personal data from
being underestimated. In addition, compared to the process-
oriented risk assessment approaches, the proposed approach
prevents the overlooking of risks to sensitive data not used
in an organization’s critical business processes. Therefore,
the proposed approach improves the accuracy of risk assess-
ment for personal data protection.
Our future work includes the following directions. First,
future tools may help a person draw DFDs based on
our approach and management of diagrams. Additionally,
the tools can automatically identify personal data and asso-
ciated components, generating potential incidents to the data
for risk assessment. Moreover, the tools can store risk assess-
ment results and further treatment into database. Therefore,
the organization can review the effectiveness of previous risk
assessment and treatment.
Second, this study classifies components associated to
personal data into systems, entities, interfaces, media, and
physical regions. The components can be further classified
into sub-components, e.g., media such as documents, tapes,
USB disks, and so on. In addition, research may provide
sample incidents to different kinds of components and sub-
components.
Last but not least, this study does not address personal
data quantity. For example, the value of front-end sys-
tems for users to input their personal data differs from
the database system storing all personal data. Representing
personal data quantity in DFDs and using the information
for risk assessment remains important and exciting future
work.
REFERENCES
[1] Identity Theft Resource Center (ITRC). Data Breaches. Accessed:
Sep. 1, 2018. [Online]. Available: https://www.idtheftcenter.org/
data-breaches
[2] The Risk Based Security (RBS) and The Open Security Founda-
tion (OSF). DatalossDB. Accessed: Sep. 1, 2018. [Online]. Available:
https://blog.datalossdb.org
[3] Taiwan Ministry of Justice. (2015). Personal Information
Protection Act. Accessed: Sep. 1, 2018. [Online]. Available:
https://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=I0050021
[4] BS 10012: 2017 Data Protection–Specification for a Personal Information
Management System, Britsh Standard Institute, London, U.K., 2017.
[5] E. McCallister, T. Grance, and K. A. Scarfone, ‘‘Guide to protecting
the confidentiality of personally identifiable information (PII),’’ NIST,
Gaithersburg, MD, USA, Tech. Rep. 800-122, 2010.
[6] Directive 95/46/EC of the European Parliament and of the Council of 24
October 1995 on the Protection of Individuals With Regard to the Process-
ing of Personal Data and on the Free Movement of Such Data, Official
Journal of the European Communities, No. l. 281, E. Union, Brussels,
Belgium, Nov. 1995, pp. 31–50. Accessed: Sep. 1, 2018. [Online].
Available: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:
31995L0046
VOLUME 6, 2018
S.-C. Cha, K.-H. Yeh: Data-Driven Security Risk Assessment Scheme for Personal Data Protection
[7] Guidelines on the Protection of Privacy and Transborder Flows of
Personal Data. Paris, France: Organization for Economic Cooperation
and Development, Committee for Information, Computer, and Com-
munication Policy, 1980. Accessed: Sep. 1, 2018. [Online]. Avail-
able: http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionof-
privacyandtransborderflowsofpersonaldata.htm
[8] Payment Card Industry (PCI) Data Security Standard—Requirements
and Security Assessment Procedures, Secur. Standards Council, Wake-
field, MA, USA, 2018. Accessed: Sep. 1, 2018. [Online]. Available:
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
[9] Information Technology–Security Techniques–Information Security Risk
Management, International Standard ISO/IEC 27005:2018, 2018.
[10] M. E. Whitman and H. J. Mattord, Management of Information Security,
3rd ed. Boston, MA, USA: Course Technology, 2010.
[11] G. Stoneburner, A. Goguen, and A. Feringa, ‘‘Risk management guide
for information technology systems,’’ NIST, Gaithersburg, MD, USA,
Tech. Rep. SP 800-30, 2002.
[12] C. Alberts and A. Dorofee, Managing Information Security Risks: The
OCTAVE (SM) Approach. Boston, MA, USA: Addison-Wesley, 2002.
[13] Z. Yazar, ‘‘A qualitative risk analysis and management tool—CRAMM,’’
SANS Inst., Singapore, 2002. Accessed: Sep. 1, 2018. [Online]. Available:
https://www.sans.org/reading-room/whitepapers/auditing/qualitative-risk-
analysis-management-tool-cramm-83
[14] Ministry of Finance and Public Administration, Madrid, Spain. (Jul. 2014).
MAGERIT—Version 3.0 Methodology for Information Systems Risk
Analysis and Management. Accessed: Sep. 1, 2018. [Online]. Available:
https://administracionelectronica.gob.es/pae_Home/dam/jcr:80b16a91-
75b1-432d-ab23-844a12aab5fc/MAGERIT_v_3_book_1_method_PDF_
NIPO_630-14-162-0.pdf
[15] Y. Cherdantseva et al., ‘‘A review of cyber security risk assessment meth-
ods for SCADA systems,’’ Comput. Secur., vol. 56, pp. 1–27, Feb. 2015.
[16] A. Fielder, E. Panaousis, P. Malacaria, C. Hankin, and F. Smeraldi, ‘‘Deci-
sion support approaches for cyber security investment,’’ Decision Support
Syst., vol. 86, pp. 13–23, Jun. 2016.
[17] J. Shin, H. Son, and G. Heo, ‘‘Cyber security risk evaluation of a nuclear
I&C using BN and ET,’’ Nucl. Eng. Technol., vol. 49, pp. 517–524,
Apr. 2017.
[18] I. Friedberg, K. McLaughlin, P. Smith, D. Laverty, and S. Sezer,
‘‘STPA-SafeSec: Safety and security analysis for cyber-physical systems,’’
J. Inf. Secur. Appl., vol. 34, pp. 183–196, Jun. 2017.
[19] H. Abdo, M. Kaouk, J.-M. Flaus, and F. Masse, ‘‘A safety/security
risk analysis approach of industrial control systems: A cyber bowtie–
combining new version of attack tree with bowtie analysis,’’ Comput.
Secur., vol. 72, pp. 175–195, Jan. 2018.
[20] B. Suh and I. Han, ‘‘The IS risk analysis based on a business model,’’ Inf.
Manage., vol. 41, no. 2, pp. 149–158, 2003.
[21] S.-C. Cha, L.-T. Liu, and B.-C. Yu, ‘‘Process-oriented approach for vali-
dating asset value for evaluating information security risk,’’ in Proc. Int.
Conf. Comput. Sci. Eng. Washington, DC, USA: IEEE Computer Society,
vol. 3, Aug. 2009, pp. 379–385. [Online]. Available: http://portal.acm.org/
citation.cfm?id=1632709.1633538
[22] K. Khanmohammadi and S. H. Houmb, ‘‘Business process-based infor-
mation security risk assessment,’’ in Proc. 4th Int. Conf. Netw. Syst. Secur.
Washington, DC, USA: IEEE Computer Society, Sep. 2010, pp. 199–206.
[Online]. Available: http://dx.doi.org/10.1109/NSS.2010.37
[23] P. J. Brooke and R. F. Paige, ‘‘Fault trees for security system design and
analysis,’’ Comput. Secur., vol. 22, no. 3, pp. 256–264, 2003.
[24] R. Matulevicius, N. Mayer, and P. Heymans, ‘‘Alignment of misuse cases
with security risk management,’’ in Proc. 3rd Int. Conf. Availability, Rel.
Secur. (ARES). Washington, DC, USA: IEEE Computer Society, 2008,
pp. 1397–1404.
[25] V. Saini, Q. Duan, and V. Paruchuri, ‘‘Threat modeling using attack trees,’’
J. Comput. Sci. Colleges, vol. 23, no. 4, pp. 124–131, 2008.
[26] Information Technology–Security Techniques Information Security–
Management Systems–Requirements, International Standard ISO/IEC
27001:20013, 2013.
[27] Information Technology–Security Techniques–Management of Information
and Communications Technology Security—Part 4: Techniques for the
Management of IT Security, Standard ISO/IEC TR 13335-3, 1998.
[28] The Security Risk Management Guide Version 1.2, Microsoft Solutions
Secur. Compliance Group Microsoft Secur. Center Excellence, Microsoft
Corporation, Redmond, WA, USA, 2006.
VOLUME 6, 2018
[29] M. S. Lund, F. den Braber, and K. Stölen, ‘‘Maintaining results from
security assessments,’’ in Proc. 7th Eur. Conf. Softw. Maintenance Reeng.,
Mar. 2003, pp. 341–350.
[30] Guide for Conducting Risk Assessments, document NIST SP 800-30
revision 1, National Institute of Standards and Technology, Gaithersburg,
MD, USA, Sep. 2012. Accessed: Sep. 1, 2018. [Online]. Available:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-
30r1.pdf
[31] Information Security Management Systems Part 3: Guidelines for Infor-
mation Security Risk Management, BSI Standard 7799-3:2017, British
Standards Institution (BSI), London, U.K., Oct. 2017.
[32] L. D. Bodin, L. A. Gordon, and M. P. Loeb, ‘‘Information security and risk
management,’’ Commun. ACM, vol. 51, no. 4, pp. 64–68, 2008.
[33] S.-C. Cha, R.-T. Ku, Y.-P. Fu, and H.-P. Lin, ‘‘On generating RFID
privacy policies in consideration of openness and enforcement,’’ in
Proc. IEEE 2nd Int. Conf. Social Comput. Washington, DC, USA:
IEEE Computer Society, 2010, pp. 897–905. [Online]. Available:
http://dx.doi.org/10.1109/SocialCom.2010.133
[34] A. Vorster and L. E. S. Labuschagne, ‘‘A framework for comparing differ-
ent information security risk analysis methodologies,’’ in Proc. Annu. Res.
Conf. South Afr. Inst. Comput. Scientists Inf. Technol. IT Res. Developing
Countries (SAICSIT), in Republic of South Africa: South African Institute
for Computer Scientists and Information Technologists, 2005, pp. 95–103.
[35] M. Howard and D. LeBlanc, Writing Secure Code, 2nd ed. Redmond, WA,
USA: Microsoft Press, 2002.
[36] C. Alberts and A. Dorofee. OCTAVE Threat Profiles. Software
Engineering Institute, Carnegie Mellon University, Pittsburgh,
PA, USA. Accessed: Sep. 1, 2018. [Online]. Available:
http://130.18.86.27/faculty/warkentin/SecurityPapers/Merrill/
AlbertsDorofee_OCTAVEThreatProfiles.pdf
[37] Information Technology–Open Systems Interconnection–The Directory:
Public-Key and Attribute Certificate Frameworks, Standard ISO/IEC
9594-8:2017, 1993.
SHI-CHO CHA (SM’17) received the B.S. and
Ph.D. degrees in information management from
National Taiwan University in 1996 and 2003,
respectively. He is currently an Associate Profes-
sor at the Department of Information Manage-
ment, National Taiwan University of Science and
Technology, where he has been a Faculty Member
since 2006. He is a certified PMP, CISSP, CSSLP,
CCFP, and CISM. From 2003 to 2006, he was
a Senior Manager at PricewaterhouseCoopers,
Taiwan. His current research interests include security and privacy of
blockchain applications, IoT security and privacy, and information security
risk management.
KUO-HUI YEH (SM’16) received the M.S. and
Ph.D. degrees in information management from
the National Taiwan University of Science and
Technology, Taipei, Taiwan, in 2005 and 2010,
respectively. He is currently an Associate Profes-
sor with the Department of Information Manage-
ment, National Dong Hwa University, Hualien,
Taiwan. He has authored over 90 articles in inter-
national journals and conference proceedings. His
research interests include IoT security, blockchain,
mobile security, NFC/RFID security, authentication, digital signature, data
privacy, and network security. In addition, he has participated in the organi-
zation committee of DSC 2018, SPCPS 2017, NSS 2016, RFIDsec 14 Asia,
and RFIDsec 12 Asia, and he has served as a TPC member of 26 international
conferences/workshops on information security. He is currently an Editor of
the IEEE ACCESS, the Journal of Internet Technology (JIT), the Journal of
Information Security and Applications, Security and Communication Net-
works, and Data in Brief, and has served as the Guest Editor for Future
Generation Computer Systems, the International Journal of Information
Security, JIT, Sensors, and Cryptography.
50517