[Owasp_top_10_privacy_risks_project] 2011 work / Determination of risk

Colin Watson colin.watson at owasp.org
Wed Aug 20 18:07:40 UTC 2014


Florian and Stefan

2011
------

I just re-listened to the podcast about this project. It reminded me
that we did a little bit on privacy at the 2011 summit. The wiki pages
that documented the output are here:

   https://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session073

   https://www.owasp.org/index.php/Talk:Summit_2011_Working_Sessions/Session073

Perhaps there might be some useful things in there.

Risk
------

But I was thinking about another issue with many organisations,
especially commercial ones, and it relates to how they calculate risk,
and thus how they might weigh up these privacy risks against CIA
security risks. Risk is the combination of likelihood and impact.

Organisations are not that good at determining risk, but at least for
security, the impacts are almost always determined by the impact on
the organisation itself, not on the individual. And that's a problem.
Here's a couple of examples:

 Example 1: Username enumeration, where usernames are consumers' email addresses

   SECURITY: From a security perspective, the organisation might not
be too bothered
   about a few "cracked accounts" where the username has been found
and then some
   passwords have been guessed or brute forced, especially if there
are account lock-outs
   and other password guessing mechanisms.

   PRIVACY: But from the individual's perspective, they might be very
concerned that
   someone else (a partner, family member, friend, enemy, another
commercial body)
   can discover I am a customer. In the worst case it might lead to
some physical
   harm against the customer (e.g. I found out you were pregant and seeking an
   abortion).

 Example 2: Reflected XSS on a public page on a travel magazine website

   SECURITY: An organisation might not be too concerned, relative to
other vulnerabilities,
   because only one person is affected at a time.

   PRIVACY: The person that follows a malicious link might be affected
by malware
   that copies their bank login details subsequently, and steals money
from them.

So I wonder how we make sure the risk determination is adequately
determined? I jointly wrote about how the impact needs to be
considered from four perspectives from which personal information
draws its privacy value. These are:

- its value as an asset used within the organisation’s operations;
- its value to the individual to whom it relates;
- its value to other parties who might want to use the information,
whether for legitimate or improper purposes;
- its societal value as interpreted by regulators and other groups.

See pp 8-12 in:

  The Privacy Dividend
  http://ico.org.uk/news/current_topics/privacy_dividend

Regards

Colin Watson
OWASP Project Leader for Cornucopia and Codes of Conduct, and
co-leader for AppSensor


More information about the Owasp_top_10_privacy_risks_project mailing list