[Owasp_top_10_privacy_risks_project] 2011 work / Determination of risk
colin.watson at owasp.org
Wed Aug 20 18:07:40 UTC 2014
Florian and Stefan,
I just re-listened to the podcast about this project. It reminded me
that we did a little bit on privacy at the 2011 summit. The wiki pages
that documented the output are here:
Perhaps there might be some useful things in there.
But I was thinking about another issue with many organisations,
especially commercial ones, and it relates to how they calculate risk,
and thus how they might weigh up these privacy risks against CIA
security risks. Risk is the combination of likelihood and impact.
Organisations are not that good at determining risk, but at least for
security, the impacts are almost always determined by the impact on
the organisation itself, not on the individual. And that's a problem.
Here are a couple of examples:
Example 1: Username enumeration, where usernames are consumers' email addresses
SECURITY: From a security perspective, the organisation might not be too bothered about a few "cracked accounts" where the username has been found and then some passwords have been guessed or brute forced, especially if there are account lock-outs and other password guessing mechanisms.
PRIVACY: But from the individual's perspective, they might be very
someone else (a partner, family member, friend, enemy, another
can discover I am a customer. In the worst case it might lead to
harm against the customer (e.g. I found out you were pregnant and seeking an
Example 2: Reflected XSS on a public page on a travel magazine website
SECURITY: An organisation might not be too concerned, relative to
because only one person is affected at a time.
PRIVACY: The person that follows a malicious link might be affected
that copies their bank login details subsequently, and steals money
So I wonder how we make sure the risk determination is adequately
determined? I jointly wrote about how the impact needs to be
considered from four perspectives from which personal information
draws its privacy value. These are:
- its value as an asset used within the organisation’s operations;
- its value to the individual to whom it relates;
- its value to other parties who might want to use the information,
whether for legitimate or improper purposes;
- its societal value as interpreted by regulators and other groups.
See pp 8-12 in:
The Privacy Dividend
OWASP Project Leader for Cornucopia and Codes of Conduct, and
co-leader for AppSensor
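The scoring argument in the message (risk as likelihood combined with impact, and impact judged from four perspectives rather than only the organisation's own) can be made concrete with a small model. The code below is an added example, not part of the original post or of the OWASP project's material. It assumes a 1 to 5 scale for likelihood and for impact, takes the worst impact across the four perspectives as the privacy-aware impact (a weighted sum would be an equally valid choice), and uses constructed findings and scores that loosely mirror the two examples in the message.

```python
"""Added example (not from the mailing-list post): compare organisation-only
risk scoring with scoring that considers all four perspectives from which
personal information draws its privacy value.  All scales, findings and
scores below are constructed illustrations, not measured data."""
from dataclasses import dataclass

# The four perspectives named in the post.
PERSPECTIVES = ("organisation", "individual", "other_parties", "societal")


@dataclass
class Finding:
    name: str
    likelihood: int        # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: dict           # perspective -> assumed scale 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        missing = set(PERSPECTIVES) - set(self.impact)
        if missing:
            raise ValueError(f"{self.name}: impact not rated for {sorted(missing)}")
        for value in (self.likelihood, *self.impact.values()):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: ratings must be between 1 and 5")

    def org_only_risk(self) -> int:
        """Conventional scoring: likelihood x impact on the organisation itself."""
        return self.likelihood * self.impact["organisation"]

    def privacy_aware_risk(self) -> int:
        """Likelihood x the worst impact across all four perspectives
        (assumed aggregation; a weighted sum is an alternative)."""
        return self.likelihood * max(self.impact[p] for p in PERSPECTIVES)


def rank(findings, scorer):
    """Return finding names ordered from highest to lowest risk under `scorer`."""
    return [f.name for f in sorted(findings, key=scorer, reverse=True)]


# Constructed sample findings.  The first two follow the post's examples; the
# third is a conventional CIA-style issue added for contrast.
FINDINGS = [
    Finding("username enumeration (email usernames)", likelihood=4,
            impact={"organisation": 1, "individual": 5,
                    "other_parties": 3, "societal": 2}),
    Finding("reflected XSS on public travel page", likelihood=3,
            impact={"organisation": 2, "individual": 4,
                    "other_parties": 3, "societal": 1}),
    Finding("SQL injection in admin report", likelihood=2,
            impact={"organisation": 5, "individual": 4,
                    "other_parties": 4, "societal": 3}),
]

if __name__ == "__main__":
    print("organisation-only ranking:", rank(FINDINGS, Finding.org_only_risk))
    print("privacy-aware ranking:    ", rank(FINDINGS, Finding.privacy_aware_risk))
```

With these constructed ratings the username enumeration finding sits last when only organisational impact counts (score 4) and first once the individual's perspective is included (score 20), which is exactly the inversion the message warns about.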