Publikationen

Art der Publikation: Beitrag in Sammelwerk

Automatic online quantification and prioritization of data protection risks

Autor(en):
Zmiewski, Sascha Sven; Laufer, Jan; Mann, Zoltán Ádám
Titel des Sammelbands:
Proceedings of the 17th International Conference on Availability, Reliability and Security (ARES)
Verlag:
Association for Computing Machinery (ACM)
Ort(e):
Vienna, Austria
Veröffentlichung:
2022
ISBN:
9781450396707
Schlagworte:
vulnerability, self-adaptation, risk prioritization, risk assessment, data protection
Digital Object Identifier (DOI):
doi:10.1145/3538969.3539005
Vortrag zu dieser Publikation:
17th International Conference on Availability, Reliability and Security
FoMSESS-Jahrestreffen
Zitation:
Download BibTeX

Kurzfassung

Data processing systems operate in increasingly dynamic environments, such as in cloud or edge computing. In such environments, changes at run time can result in the dynamic appearance of data protection vulnerabilities, i.e., configurations in which an attacker could gain unauthorized access to confidential data. An autonomous system can mitigate such vulnerabilities by means of automated self-adaptations. If there are several data protection vulnerabilities at the same time, the system has to decide which ones to address first. In other areas of cybersecurity, risk-based approaches have proven useful for prioritizing where to focus efforts for increasing security. Traditionally, risk assessment is a manual and time-consuming process. On the other hand, addressing run-time risks requires timely decision-making, which in turn necessitates automated risk assessment. In this paper, we propose a mathematical model for quantifying data protection risks at run time. This model accounts for the specific properties of data protection risks, such as the time it takes to exploit a data protection vulnerability and the damage caused by such exploitation. Using this risk quantification, our approach can make, in an automated process, sound decisions on prioritizing data protection vulnerabilities dynamically. Experimental results show that our risk prioritization method leads to a reduction of up to 15.8% in the damage caused by data protection vulnerabilities.