A risk-based methodology for privacy requirements elicitation and control selection

The purpose of the paper is to provide a comprehensive privacy model for identifying the privacy risks of an enterprise based on its privacy requirements. A risk-based methodology for automated privacy control selection against identified privacy requirements is also proposed. The privacy model has been designed using first order logic and it is semi-formal in nature. Privacy risks are defined using the proposed formalism in terms of privacy properties. Algorithm for assessing privacy risk considering the actual information infrastructure of the enterprise is proposed. Based on the risk assessment, appropriate privacy controls should be selected from a control database. An algorithm for the same is also proposed. This methodology is easy to implement and can be used by any mid or large-scale enterprise for privacy control implementation. The effectiveness of our proposed approach is shown using a case study. From the literature review, it has emerged that there is a dearth of comprehensive privacy models that can identify the privacy requirements emanating from different sources and can eventually help the enterprise to implement privacy controls as per privacy requirements. The proposed model attempts to address this research gap by helping an enterprise to identify the specific privacy requirements and automatically select privacy controls from an appropriate knowledge base. Privacy requirements can be customized as per the needs of the enterprise.