Jan Laufer presented the background of the approach and showed its integration in RADAR at the 17th International Conference on Availability, Reliability and Security (ARES 2022) in Vienna. RADAR (Run-time Adaptations for DAta pRotection) was developed in the SSE working group to provide run-time data protection in cloud-based computer systems. Experiments with the model integrated into RADAR show that risk prioritization can significantly reduce the damage caused by privacy gaps.

Publication

Sascha Sven Zmiewski, Jan Laufer and Zoltán Ádám Mann: Automatic Online Quantification and Prioritization of Data Protection Risks. In: Proceedings of the 17th International Conference on Availability, Reliability and Security ARES '22 , Association for Computing Machinery , New York, NY, USA , 2022 .   [DOI]

Abstract

Data processing systems operate in increasingly dynamic environments, such as in cloud or edge computing. In such environments, changes at run time can result in the dynamic appearance of data protection vulnerabilities, i.e., configurations in which an attacker could gain unauthorized access to confidential data. An autonomous system can mitigate such vulnerabilities by means of automated self-adaptations. If there are several data protection vulnerabilities at the same time, the system has to decide which ones to address first. In other areas of cybersecurity, risk-based approaches have proven useful for prioritizing where to focus efforts for increasing security. Traditionally, risk assessment is a manual and time-consuming process. On the other hand, addressing run-time risks requires timely decision-making, which in turn necessitates automated risk assessment.

In this paper, we propose a mathematical model for quantifying data protection risks at run time. This model accounts for the specific properties of data protection risks, such as the time it takes to exploit a data protection vulnerability and the damage caused by such exploitation. Using this risk quantification, our approach can make, in an automated process, sound decisions on prioritizing data protection vulnerabilities dynamically. Experimental results show that our risk prioritization method leads to a reduction of up to 15.8% in the damage caused by data protection vulnerabilities.