Privacy Incidents Database - January 2017

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Jessica Staddon
Researchers: Esha Sharma

This project is building the first comprehensive encyclopedia and database of privacy incidents. Most privacy incidents, such as cyber-bullying/slander/stalking, revenge porn, social media oversharing, data reidentification and surveillance, do not involve a security breach. Therefore, such incidents are not represented in current security incident databases. This lack of a centralized resource leads to widely varying measurements. For example, the Privacy Rights Clearinghouse data finds fewer than 400 data breach incidents in 2014, whereas Verizon, based on proprietary data from 70 companies and organizations, finds over 2000 breaches in 2014. Our publicly accessible database will enable the privacy technology and policy communities to reach consensus around patterns in privacy incidents.

HARD PROBLEM(S) ADDRESSED

  •  Policy-Governed Secure Collaboration:
    • The patterns and characteristics of security incidents are a significant driver of security technology innovation. Patterns are detected by analyzing repositories of malware/viruses/worms, incidents affecting control/SCADA systems, general security alerts and updates and data breaches. This project is building the repository to enable the identification of patterns in incident root causes, entities, location, etc., that will inform product and policy development and privacy training.

 

PUBLICATIONS

ACCOMPLISHMENT HIGHLIGHTS

  • Presented the Privacy Incidents Database at Indiana University's Center for Applied Cybersecurity Research in October. Talk announcement: https://cacr.iu.edu/events/speaker_series/2016/2016-10-20-speaker-series.php. As a result of the talk, we have begun collaboration discussions with Christena Nippert-Eng.

  • Conducted the first user study to understand end-user perceptions of privacy incidents. We found evidence of a schism between the law/policy perspective on privacy incidents and end-users. For example, end-users in our sample consistently report anticipated privacy issues (e.g., emerging technologies) as privacy incidents.

  • Completed the development of a privacy incidents classifier that achieves an overall accuracy (F_1 measure) of more than 93%, which is 12% better than keyword-based classifiers (i.e., classifiers that identify incidents by labeling articles containing "privacy" and other privacy-related keywords as privacy incident articles). Hence, the classifier significantly reduces the amount of human review needed to identify news articles that are about privacy incidents (and so are content for the database).