
On the Road to Privacy- and Data Protection-Friendly Security Technologies in the Workplace – A Case-Study of the MUSES Risk and Trust Analysis Engine

  • Chapter

Part of the book series: Law, Governance and Technology Series ((ISDP,volume 36))

Abstract

It is widely accepted that the major threat to company security comes from within the organisation itself. Given the value attached to information resources, companies are increasing their efforts to counteract the risks introduced by employees, and many company security technologies are therefore strongly focused on analysing employee behaviour. An example of such a monitoring tool is MUSES (Multiplatform Usable Endpoint Security), a user-centric security system that aims to enhance company security by reducing the security risks introduced by user behaviour. However, even though monitoring employees may help to secure company data assets, such monitoring is restricted by privacy and data protection regulation. In this paper, we use one MUSES component, the Real-Time Risk and Trust Analysis Engine (MUSES RT2AE), as a use case to study the ways in which privacy and data protection legislation limits the monitoring of employees through company security technologies.


Notes

  1. Note that the notion of insider covers a broader scope of actors than only employees. Definition of insider: “An ‘insider’ is a person that has been legitimately empowered with the right to access, represent, or decide about one or more assets of the organisation’s structure”, by Christian Probst, Jeffrey Hunker, Dieter Gollmann and Matt Bishop, Insider Threats in Cyber Security (New York: Springer, 2010), 5.

  2. Andy Briney, “Information security industry survey”, Information Security (2001): 6; Ali Yayla, “Controlling insider threats with information security policies”, Proceedings European Conference on Information Systems (2011), paper 242.

  3. Robert Richardson, “2010/2011 CSI Computer Crime and Security Survey”, http://gatton.uky.edu/faculty/payne/acc324/CSISurvey2010.pdf: 5. See, on the malicious side of employees, e.g.: Carl Colwill, “Human factors in information security: The insider threat – Who can you trust these days?”, Information Security Technical Report 14 (2009): 186-196.

  4. Merrill Warkentin and Robert Willison, “Behavioral and policy issues in information security systems security: the insider threat”, European Journal of Information Systems 18 (2009): 102.

  5. MUSES (Multiplatform Usable Endpoint Security) project, funded by the EU IST Seventh Framework Programme under the grant agreement number 318508, see: https://www.musesproject.eu/.

  6. Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, 27 April 2016, OJ L 119/1, 4.5.2016 (hereafter referred to as: GDPR).

  7. Charter of fundamental rights of the European Union, 12 December 2007, OJ C 83/389, 30.3.2010 (hereafter referred to as: EU Charter).

  8. European Convention for the Protection of Human Rights and Fundamental Freedoms, 4 November 1950 (hereafter referred to as: European Convention or ECHR).

  9. Overview of national legislation in over 50 countries: EPIC, Privacy & Human Rights. An International Survey of Privacy Laws and Developments, http://www.privacyinternational.org/survey.

  10. For example, see: ECtHR 22 October 1981, No. 7525/76, Dudgeon v. the United Kingdom; ECtHR 15 May 1992, No. 15666/89, Kerkhoven and Hinke v. the Netherlands; ECtHR 16 December 1992, No. 13710/88, Niemietz v. Germany; ECtHR 25 March 1993, No. 13134/87, Costello-Roberts v. the United Kingdom; ECtHR 25 June 1997, No. 20605/92, Halford v. the United Kingdom.

  11. ECtHR 25 December 2001, No. 44787/98, P.G. and J.H. v. the United Kingdom, §56; ECtHR 28 April 2003, No. 44647/98, Peck v. the United Kingdom, §57.

  12. ECtHR 16 December 1992, No. 13710/88, Niemietz v. Germany.

  13. ECtHR 25 June 1997, No. 20605/92, Halford v. the United Kingdom.

  14. ECtHR 3 April 2007, No. 62617/00, Copland v. the United Kingdom.

  15. ECtHR 12 January 2016, No. 61496/08, Bărbulescu v. Romania.

  16. Gail Lasprogata, Nancy King and Sukanya Pillay, “Regulation of Electronic Employee Monitoring: Identifying fundamental Principles of Employee Privacy through a Comparative Study of Data Privacy Legislation in the European Union, United States and Canada”, Stanford Technology Law Review 4 (2004): par. 15.

  17. Convention No. 108 for the protection of individuals with regard to automatic processing of personal data, Strasbourg, 28 January 1981.

  18. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31, 23.11.1995 (hereafter referred to as: Directive 95/46/EC or the Directive).

  19. Article 99 of the GDPR.

  20. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201/37, 31.7.2002; as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, OJ L 337/11, 18.12.2009.

  21. Recommendation No. R (89) 2 of the Committee of Ministers to Member States on the protection of personal data used for employment purposes, adopted by the Committee of Ministers on 18 January 1989.

  22. ILO code of practice: Protection of workers’ personal data, 1997.

  23. Article 29 Working Party, Opinion 8/2001 on the processing of personal data in the employment context, adopted on 13 September 2001, WP48.

  24. Article 29 Working Party, Working document on the surveillance of electronic communications in the workplace, adopted on 29 May 2002, WP55.

  25. Italian Data Protection Authority, Authorisation No. 1/2009 concerning processing of sensitive data in the employment context, adopted on 16 December 2009.

  26. Collective Bargaining Agreement No. 68 concerning the camera surveillance of employees of 16 June 1998; Collective Bargaining Agreement No. 81 concerning the monitoring of electronic communications of employees of 26 April 2002.

  27. See for all recommendations and opinions: www.privacycommission.be

  28. Article 29 Working Party, Opinion 8/2001 on the processing of personal data in the employment context, adopted on 13 September 2001, WP48, 4: “Data protection requirements apply to the monitoring and surveillance of workers whether in terms of email use, Internet access, video cameras or location data. Any monitoring must be a proportionate response by an employer to the risk it faces taking into account the legitimate privacy and other interests of workers. Any personal data held or used in the course of monitoring must be adequate, relevant and not excessive for the purpose for which the monitoring is justified. Any monitoring must be carried out in the least intrusive way possible”; Article 29 Working Party, Working document on the surveillance of electronic communications in the workplace, adopted on 29 May 2002, WP55.

  29. Article 2, 1 of the GDPR.

  30. Article 2, 2, (d) of the GDPR.

  31. Article 2, 2, (c) of the GDPR.

  32. Article 29 Working Party, Opinion 8/2001 on the processing of personal data in the employment context, adopted on 13 September 2001, WP48, 18.

  33. Article 29 Working Party, Opinion 8/2001 on the processing of personal data in the employment context, adopted on 13 September 2001, WP48, 4.

  34. Article 6, 1, (b) of the GDPR.

  35. Article 6, 1, (c) of the GDPR.

  36. Article 6, 1, (f) of the GDPR.

  37. Recital 43 of the GDPR.

  38. Article 29 Working Party, Opinion 8/2001 on the processing of personal data in the employment context, adopted on 13 September 2001, WP48, 23.

  39. Article 29 Working Party, Opinion 8/2001 on the processing of personal data in the employment context, adopted on 13 September 2001, WP48, 3 and 23.

  40. Proposal for a General Data Protection Regulation (2012/0011 COD), 11 June 2015, 9565/15.

  41. Article 29 Working Party, Opinion 03/2013 on purpose limitation, adopted on 2 April 2013, WP203.

  42. Article 29 Working Party, Opinion 03/2013 on purpose limitation, adopted on 2 April 2013, WP203, 3.

  43. Article 29 Working Party, Opinion 8/2001 on the processing of personal data in the employment context, adopted on 13 September 2001, WP48, 15.

  44. Article 5, 1, (c) of the GDPR.

  45. Article 29 Working Party, Opinion 8/2001 on the processing of personal data in the employment context, adopted on 13 September 2001, WP48, 21.

  46. Article 29 Working Party, Opinion 8/2001 on the processing of personal data in the employment context, adopted on 13 September 2001, WP48, 21.

  47. Article 15 of the GDPR.

  48. Article 4, (3) of the GDPR.

  49. Article 4, (2) of the GDPR.

  50. Recital 71 of the GDPR.

  51. Article 22, 2 of the GDPR.

  52. Article 4, (7) of the GDPR.

  53. Article 4, (8) of the GDPR. See for the interpretation of the definitions under Directive 95/46/EC: Article 29 Working Party, Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’, adopted on 16 February 2010, WP169.

  54. Ann Cavoukian and Marc Chanliau, “Privacy and Security by Design: A convergence of paradigms”, in Privacy by Design. From rhetoric to reality, ed. Ann Cavoukian (Ontario: Information and Privacy Commissioner, 2013), 209-226.

  55. Ann Cavoukian, Privacy by design in law, policy and practice. A white paper for regulators, decision-makers and policy-makers (Ontario: Information and privacy commissioner, 2011), 3.

  56. Ann Cavoukian, Privacy by design: the 7 foundational principles (Ontario: Information and privacy commissioner of Ontario, 2009), 2.

  57. Seda Gürses, Carmela Troncoso and Claudia Diaz, “Engineering privacy by design” (paper presented at the annual Computers, Privacy and Data Protection conference, Brussels, January 29-30, 2011), Section 2.1.

  58. Peter Hustinx, “Privacy by design: delivering the promises”, Identity in the Information Society 3 (2010): 254.

  59. Article 29 Working Party and Working Party on Police and Justice, The future of privacy: joint contribution to the consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, adopted on 1 December 2009, WP 168.

  60. European Data Protection Supervisor, Opinion on promoting trust in the information society by fostering data protection and privacy, adopted on 18 March 2010, 8.

  61. Article 99 of the GDPR.

  62. Overview by ENISA: ENISA, Privacy and Data Protection by Design – from policy to engineering, 12 January 2015, 22. For methods not being discussed explicitly in this chapter, but closely relating, see: Mina Deng, Kim Wuyts, Riccardo Scandariato, Bart Preneel and Wouter Joosen, “A privacy threat analysis framework: supporting the elicitation and fulfilment of privacy requirements”, Requirements Engineering 16 (2011): 3-32; Lin Liu, Eric Yu and John Mylopoulos, “Security and Privacy Requirements Analysis within a Social Setting” (presented at the 11th IEEE International Requirements Engineering Conference, Monterey Bay, September 8-12, 2003); John Mylopoulos, Lawrence Chung and Brian Nixon, “Representing and Using Nonfunctional Requirements: A Process-Oriented Approach”, IEEE Transactions on Software Engineering 18 (1992): 483-497. For an overview of the practical legal issues of implementing privacy for online businesses, see: Bert-Jaap Koops and Ronald Leenes, “Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data-protection law”, International Review of Law, Computers and Technology 2 (2014): 159-171.

  63. On the differences and data minimisation as a starting point to bridge different mindsets, see: Seda Gürses, Carmela Troncoso and Claudia Diaz, “Engineering privacy by design” (paper presented at the annual Computers, Privacy and Data Protection conference, Brussels, January 29-30, 2011).

  64. Dag Wiese Schartum, “Making privacy by design operative”, International Journal of Law and Information Technology 24 (2016): 163.

  65. ENISA, Privacy and Data Protection by Design – from policy to engineering, 12 January 2015, 17.

  66. Jaap-Henk Hoepman, “Privacy Design Strategies – extended abstract” (paper presented at ICT-System Security and Privacy Protection – 29th IFIP TC 11 International Conference, SEC 2014, Marrakech, June 2-4, 2014). Proceedings (2014): 448 (hereafter referred to as: Jaap-Henk Hoepman, Privacy by Design Strategies (2014)).

  67. Daniel J. Solove, “A taxonomy of privacy”, University of Pennsylvania Law Review 154 (2006): 477.

  68. Sarah Spiekermann and Lorrie Faith Cranor, “Engineering privacy”, IEEE Transactions on Software Engineering 35 (2009): 69.

  69. Jaap-Henk Hoepman, Privacy by Design Strategies (2014): 451.

  70. Sarah Spiekermann and Lorrie Faith Cranor, “Engineering privacy”, IEEE Transactions on Software Engineering 35 (2009): 73.

  71. Jaap-Henk Hoepman, Privacy by Design Strategies (2014): 452.

  72. Jaap-Henk Hoepman, Privacy by Design Strategies (2014): 455.

  73. Dag Wiese Schartum, “Making privacy by design operative”, International Journal of Law and Information Technology 24 (2016): 166.

  74. Carsten Kleiner and Georg Disterer, “Ensuring mobile device security and compliance at the workplace”, Procedia Computer Science 64 (2015): 276.

  75. Abubakar Bello Garba, Jocelyn Armarego, David Murray and William Kenworthy, “Review of the Information Security and Privacy Challenges in Bring Your Own Device (BYOD) Environments”, Journal of Information Privacy and Security 11 (2015): 45.

  76. Paloma de las Cuevas, Antonio Mora, Juan Julian Merelo, Pedro Castillo, Pablo Garcia-Sanchez and Antonio Fernandez-Ares, “Corporate security solutions for BYOD: A novel user-centric and self-adaptive system”, Computer Communications 68 (2015): 85.

  77. Henrik Arfwedson, Markus Burvall, Yasir Ali, Antonio Mora, Paloma de las Cuevas, Sergio Zamarripa, Jean-Marc Seigneur and Zardosht Hodaie, “Architecture and Prototype Specification”, MUSES project, D2.1 (2013), 10.

  78. Jean-Marc Seigneur, Carlos Ballester Lafuente, Xavier Titi and Jonathan Guislain, “Revised MUSES trust and risk metrics”, MUSES project, D3.3 (2014), 8.

  79. Seda Gürses, Carmela Troncoso and Claudia Diaz, “Engineering privacy by design” (paper presented at the annual Computers, Privacy and Data Protection conference, Brussels, January 29-30, 2011), Section 4.2.

  80. Based on: Ann Cavoukian, Privacy by design in law, policy and practice. A white paper for regulators, decision-makers and policy-makers (Ontario: Information and privacy commissioner, 2011).

  81. Yung Shin Van Der Sype, Jean-Marc Seigneur, Antonio Mora Garcia and Christoph Stanik, “Policy Recommendations for the Existing Legal Framework”, MUSES project, D7.2 (2014), 58.

  82. Yung Shin Van Der Sype, Jean-Marc Seigneur, Henrik Arfwedson, Sergio Zamarripa, Markus Burvall, Christoph Stanik, Paloma de las Cuevas and Xavier Titi, “Legal evaluation”, MUSES project, D7.4 (2015), 19.

  83. Jean-Marc Seigneur, “Online e-Reputation Management Services”, in Computer and Information Security Handbook, 2nd edition, ed. John Vacca (Waltham: Elsevier, 2013), 1053-1072; Yung Shin Van Der Sype and Jean-Marc Seigneur, “Case study: Legal Requirements for the Use of Social Login Features for Online Reputation Updates” (paper presented at the annual ACM International Symposium of Applied Computing, Gyeongju, March 24-29, 2014).

  84. Hoepman’s fifth design strategy: Jaap-Henk Hoepman, Privacy by Design Strategies (2014): 455.

  85. For alternatives, see also: Florian Schaub, Rebecca Balebako, Adam Durity and Lorrie Faith Cranor, “A Design Space for Effective Privacy Notices” (paper presented at the Symposium on Usable Privacy and Security, Ottawa, July 22-24, 2015).

  86. Hoepman’s first design strategy: Jaap-Henk Hoepman, Privacy by Design Strategies (2014): 453.

  87. Hoepman’s fourth design strategy: Jaap-Henk Hoepman, Privacy by Design Strategies (2014): 454.

  88. Hoepman’s third design strategy: Jaap-Henk Hoepman, Privacy by Design Strategies (2014): 454.

  89. Article 4, (3) of the GDPR.

  90. Hoepman’s second design strategy: Jaap-Henk Hoepman, Privacy by Design Strategies (2014): 454.

  91. Dag Wiese Schartum, “Making privacy by design operative”, International Journal of Law and Information Technology 24 (2016): 166.

  92. Jean-Marc Seigneur, Carlos Ballester Lafuente, Xavier Titi and Jonathan Guislain, “Revised MUSES trust and risk metrics”, MUSES project, D3.3 (2014), 26.

  93. Hoepman’s fourth design strategy: Jaap-Henk Hoepman, Privacy by Design Strategies (2014): 454.

  94. Hoepman’s first design strategy: Jaap-Henk Hoepman, Privacy by Design Strategies (2014): 453.

  95. Article 29 Working Party, Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007, WP136, 18.

  96. Recital 23a of the proposed General Data Protection Regulation (2012/0011 COD), 11 June 2015, 9565/15.

  97. Jean-Marc Seigneur, Carlos Ballester Lafuente, Xavier Titi and Jonathan Guislain, “Revised MUSES trust and risk metrics”, MUSES project, D3.3 (2014).

  98. EDPS, Opinion on the data protection reform package, 7 March 2012, §182, http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/dv/edpsopinion_/edpsopinion_en.pdf

Bibliography

  • Arfwedson, Henrik, Burvall, Markus, Ali, Yasir, Mora, Antonio, de las Cuevas, Paloma, Zamarripa, Sergio, Seigneur, Jean-Marc, and Hodaie, Zardosht. “Architecture and Prototype Specification”, MUSES project, D2.1 (2013).

  • Article 29 Working Party. Opinion 03/2013 on purpose limitation, adopted on 2 April 2013, WP203.

  • Article 29 Working Party. Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007, WP136.

  • Article 29 Working Party. Opinion 8/2001 on the processing of personal data in the employment context, adopted on 13 September 2001, WP48.

  • Article 29 Working Party and Working Party on Police and Justice. The future of privacy: joint contribution to the consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, adopted on 1 December 2009, WP 168.

  • Briney, Andy. “Information security industry survey”, Information Security (2001): 34–46.

  • Colwill, Carl. “Human factors in information security: The insider threat – Who can you trust these days?”, Information Security Technical Report 14 (2009): 186–196.

  • Cavoukian, Ann. Privacy by design in law, policy and practice. A white paper for regulators, decision-makers and policy-makers (Ontario: Information and privacy commissioner, 2011).

  • Cavoukian, Ann. Privacy by design: the 7 foundational principles (Ontario: Information and privacy commissioner of Ontario, 2009).

  • Cavoukian, Ann, and Chanliau, Marc. “Privacy and Security by Design: A convergence of paradigms”, in Privacy by Design. From rhetoric to reality, ed. Cavoukian, Ann. (Ontario: Information and Privacy Commissioner, 2013): 209–226.

  • de las Cuevas, Paloma, Mora, Antonio, Merelo, Juan Julian, Castillo, Pedro, Garcia-Sanchez, Pablo, and Fernandez-Ares, Antonio. “Corporate security solutions for BYOD: A novel user-centric and self-adaptive system”, Computer Communications 68 (2015): 83–95.

  • ENISA. Privacy and Data Protection by Design – from policy to engineering, 12 January 2015.

  • European Data Protection Supervisor. Opinion on promoting trust in the information society by fostering data protection and privacy, 18 March 2010.

  • European Data Protection Supervisor. Opinion on the data protection reform package, 7 March 2012.

  • Garba, Abubakar B., Armarego, Jocelyn, Murray, David, and Kenworthy, William. “Review of the Information Security and Privacy Challenges in Bring Your Own Device (BYOD) Environments”, Journal of Information Privacy and Security 11 (2015): 38–54.

  • Gürses, Seda, Troncoso, Carmela, and Diaz, Claudia. “Engineering privacy by design” (paper presented at the annual Computers, Privacy and Data Protection conference, Brussels, January 29–30, 2011).

  • Hoepman, Jaap-Henk. “Privacy Design Strategies – extended abstract” (paper presented at ICT-System Security and Privacy Protection – 29th IFIP TC 11 International Conference, SEC 2014, Marrakech, June 2–4, 2014).

  • Hustinx, Peter. “Privacy by design: delivering the promises”, Identity in the Information Society 3 (2010): 253–255.

  • Kleiner, Carsten, and Disterer, Georg. “Ensuring mobile device security and compliance at the workplace”, Procedia Computer Science 64 (2015): 274–281.

  • Koops, Bert-Jaap, and Leenes, Ronald. “Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data-protection law”, International Review of Law, Computers & Technology 2 (2014): 159–171.

  • Lasprogata, Gail, King, Nancy, and Pillay, Sukanya. “Regulation of Electronic Employee Monitoring: Identifying fundamental Principles of Employee Privacy through a Comparative Study of Data Privacy Legislation in the European Union, United States and Canada”, Stanford Technology Law Review 4 (2004): 1–46.

  • Probst, Christian, Hunker, Jeffrey, Gollmann, Dieter, and Bishop, Matt. Insider Threats in Cyber Security (New York: Springer, 2010).

  • Richardson, Robert. “2010/2011 CSI Computer Crime and Security Survey”, http://gatton.uky.edu/faculty/payne/acc324/CSISurvey2010.pdf.

  • Schartum, Dag Wiese. “Making privacy by design operative”, International Journal of Law and Information Technology 24 (2016): 151–175.

  • Schaub, Florian, Balebako, Rebecca, Durity, Adam, and Cranor, Lorrie Faith. “A Design Space for Effective Privacy Notices” (paper presented at the Symposium on Usable Privacy and Security, Ottawa, July 22–24, 2015).

  • Seigneur, Jean-Marc. “Online e-Reputation Management Services”, in Computer and Information Security Handbook, 2nd edition, ed. Vacca, John. (Waltham: Elsevier, 2013), 1053–1072.

  • Seigneur, Jean-Marc, Ballester Lafuente, Carlos, Titi, Xavier, and Guislain, Jonathan. “Revised MUSES trust and risk metrics”, MUSES project, D3.3 (2014).

  • Solove, Daniel. “A taxonomy of privacy”, University of Pennsylvania Law Review 154 (2006): 477–560.

  • Spiekermann, Sarah, and Cranor, Lorrie Faith. “Engineering privacy”, IEEE Transactions on Software Engineering 35 (2009): 67–82.

  • Van Der Sype, Yung Shin, and Seigneur, Jean-Marc. “Case study: Legal Requirements for the Use of Social Login Features for Online Reputation Updates” (paper presented at the annual ACM International Symposium of Applied Computing, Gyeongju, March 24–29, 2014).

  • Van Der Sype, Yung Shin, Seigneur, Jean-Marc, Arfwedson, Henrik, Zamarripa, Sergio, Burvall, Markus, Stanik, Christoph, de las Cuevas, Paloma, and Titi, Xavier. “Legal evaluation”, MUSES project, D7.4 (2015).

  • Van Der Sype, Yung Shin, Seigneur, Jean-Marc, Mora Garcia, Antonio, and Stanik, Christoph. “Policy Recommendations for the Existing Legal Framework”, MUSES project, D7.2 (2014).

  • Warkentin, Merrill, and Willison, Robert. “Behavioral and policy issues in information security systems security: the insider threat”, European Journal of Information Systems 18 (2009): 101–105.

  • Yayla, Ali. “Controlling insider threats with information security policies”, Proceedings European Conference on Information Systems (2011), paper 242.


Acknowledgments

The research leading to these results has received funding from the EU IST Seventh Framework Programme (FP7) under the grant agreement number 318508, project MUSES (Multiplatform Usable Endpoint Security) and from the EU Horizon 2020 Programme under the grant agreement number 653618, project DOGANA (aDvanced sOcial enGineering And vulnerability Assessment framework).

Author information

Corresponding author: Yung Shin Van Der Sype.

Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Van Der Sype, Y.S., Guislain, J., Seigneur, JM., Titi, X. (2017). On the Road to Privacy- and Data Protection-Friendly Security Technologies in the Workplace – A Case-Study of the MUSES Risk and Trust Analysis Engine. In: Leenes, R., van Brakel, R., Gutwirth, S., De Hert, P. (eds) Data Protection and Privacy: (In)visibilities and Infrastructures. Law, Governance and Technology Series(), vol 36. Springer, Cham. https://doi.org/10.1007/978-3-319-50796-5_9
