Abstract
The detection and handling of data leakages is becoming a critical issue for organizations. To this end, data leakage solutions are usually employed by organizations to monitor network traffic and the use of portable storage devices. These solutions often produce a large number of alerts, whose analysis is time-consuming and costly for organizations. To effectively handle leakage incidents, organizations should be able to focus on the most severe incidents. Therefore, alerts need to be prioritized with respect to their severity. This work presents a novel approach for the quantification of data leakages based on their severity. The approach quantifies leakages with respect to the amount and sensitivity of the leaked information as well as the ability to identify the data subjects of the leaked information. To specify and reason on data sensitivity in an application domain, we propose a data model representing the knowledge in the domain. We validate our approach by analyzing data leakages within a healthcare environment.
This work has been funded by the Dutch national program COMMIT under the THeCS project.
Chapter PDF
Similar content being viewed by others
References
Ponemon Institute: Third annual benchmark study on patient privacy & data security (2012)
Banescu, S., Zannone, N.: Measuring privacy compliance with process specifications. In: International Workshop on Security Measurements and Metrics, pp. 41–50. IEEE (2011)
Information Age: New EU data laws to include 24hr breach notification (2012)
Backes, M., Kopf, B., Rybalchenko, A.: Automatic discovery and quantification of information leaks. In: IEEE Symposium on Security and Privacy, pp. 141–153. IEEE (2009)
Borders, K., Prakash, A.: Quantifying information leaks in outbound web traffic. In: IEEE Symposium on Security and Privacy, pp. 129–140. IEEE (2009)
Smith, G.: On the foundations of quantitative information flow. In: de Alfaro, L. (ed.) FOSSACS 2009. LNCS, vol. 5504, pp. 288–302. Springer, Heidelberg (2009)
Harel, A., Shabtai, A., Rokach, L., Elovici, Y.: M-score: A misuseability weight measure. IEEE Transactions on Dependable and Secure Computing 9(3), 414–428 (2012)
Abbadi, I.M., Alawneh, M.: Preventing insider information leakage for enterprises. In: SECURWARE, pp. 99–106. IEEE (2008)
Salem, M.B., Hershkop, S., Stolfo, S.J.: A survey of insider attack detection research. In: Insider Attack and Cyber Security. Adv. Inf. Secur., vol. 39, pp. 69–90. Springer (2008)
Takebayashi, T., Tsuda, H., Hasebe, T., Masuoka, R.: Data loss prevention technologies. Fujitsu Scientific and Technical Journal 46(1), 47–55 (2010)
Koch, R.: Towards next-generation intrusion detection. In: ICCC, pp. 1–18. IEEE (2011)
Gessiou, E., Vu, Q.H., Ioannidis, S.: IRILD: an Information Retrieval based method for Information Leak Detection. In: EC2ND, pp. 33–40. IEEE (2011)
Gómez-Hidalgo, J., Martın-Abreu, J., Nieves, J., Santos, I., Brezo, F., Bringas, P.: Data leak prevention through named entity recognition. In: SocialCom, pp. 1129–1134. IEEE (2010)
Hart, M., Manadhata, P., Johnson, R.: Text classification for data loss prevention. In: Fischer-Hübner, S., Hopper, N. (eds.) PETS 2011. LNCS, vol. 6794, pp. 18–37. Springer, Heidelberg (2011)
Farahmand, F., Navathe, S.B., Enslow, P.H., Sharp, G.P.: Managing vulnerabilities of information systems to security incidents. In: ICEC, pp. 348–354. ACM (2003)
Garg, A., Curtis, J., Halper, H.: Quantifying the financial impact of it security breaches. Information Management & Computer Security 11(2), 74–83 (2003)
Blakley, B., McDermott, E., Geer, D.: Information security is information risk management. In: NSPW, pp. 97–104. ACM (2001)
Adriansyah, A., van Dongen, B.F., Zannone, N.: Privacy analysis of user behavior using alignments. it - Information Technology 55(6), 255–260
Gruber, T.R.: Toward principles for the design of ontologies used for knowledge sharing? International Journal of Human-Computer Studies 43(5), 907–928 (1995)
Doulaverakis, C., Nikolaidis, G., Kleontas, A., Kompatsiaris, I., et al.: GalenOWL: Ontology based drug recommendations discovery. J. Biomedical Semantics 3, 14 (2012)
OpenGALEN, http://www.opengalen.org/ (accessed February 24, 2014)
SNOMED - CT, http://www.ihtsdo.org/snomed-ct/ (accessed February 24, 2014)
The Open Biological and Biomedical Ontologies Foundry, http://www.obofoundry.org/ (accessed February 24, 2014)
Open Clinical: Ontologies, http://www.openclinical.org/ontologies.html (accessed February 24, 2014)
The Gene ontology, http://www.geneontology.org/ (accessed February 24, 2014)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 IFIP International Federation for Information Processing
About this paper
Cite this paper
Vavilis, S., Petković, M., Zannone, N. (2014). Data Leakage Quantification. In: Atluri, V., Pernul, G. (eds) Data and Applications Security and Privacy XXVIII. DBSec 2014. Lecture Notes in Computer Science, vol 8566. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-43936-4_7
Download citation
DOI: https://doi.org/10.1007/978-3-662-43936-4_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-43935-7
Online ISBN: 978-3-662-43936-4
eBook Packages: Computer ScienceComputer Science (R0)