Presentation is loading. Please wait.

Presentation is loading. Please wait.

Making Privacy Possible: Research on Organizational Privacy Technology

Published byChristoffer Torp Modified over 5 years ago

Similar presentations

Presentation on theme: "Making Privacy Possible: Research on Organizational Privacy Technology"— Presentation transcript:

1 Making Privacy Possible: Research on Organizational Privacy Technology
Clare-Marie Karat, Carolyn Brodie, and John Karat Privacy Enabling Technology Research Security, Networking and Privacy (SNAP) To replace the title / subtitle with your own: Click on the title block -> select all the text by pressing Ctrl+A -> press Delete key -> type your own text IBM Research 4/25/2019

2 The Many Views of Privacy
Individual “I want to be alone” “I don’t really care what you know” “Keep this between you and me” (confidential) Organizational “What are the legal requirements” “How can I manage information” There has been more research focus on Individual than on Organizational issues in use of Personal Information (PI) Protecting data at rest (e.g., encryption, annonymization) vs. Providing accountable control over use Organizations need help from technology to provide reasonable policies and to enforce them IBM Research 4/25/2019

3 Privacy Research Statement
Most organizations store PI data in heterogeneous server system environments. Currently they do not have a unified way of defining or implementing a privacy policy that encompasses both web and legacy applications across the different server platforms. This makes the management of PI data difficult for both enterprises and end users. IBM Research 4/25/2019

4 Progress to Date Identified Organizational Needs – Initial survey (51 participants) asking about “top privacy concerns and technology needs” Established Scenarios - In-Depth follow up (13 participants) to identify data flow and architectural concepts for privacy technology (e.g., sticky policy) Iterated on Designs - Scenario-based walkthrough sessions of the privacy management prototype (SPARCLE) with target users (2 design iterations, 22 participants) Conducted Evaluations - Laboratory study examining methods for policy authoring (36 participants) Developed Architecture - Ongoing technical feasibility analysis IBM Research 4/25/2019

5 Identify Organizational Needs
Recruited 51 Participants from Industry and Government: North America Europe Asia Pacific Sent Participants Privacy Questionnaires by Asked about Top Concerns, Desired Function, Current Activities Analyzed Data by Industry (N=23) and Government (N=28) Questionnaire Response Rate was Approximately 80% from Customers IBM Research 4/25/2019

6 Top Privacy Concerns Expressed
Industry and government patterns of concerns similar Industry more concerned about economic harm to brand Government more concerned about privacy violations by users outside the organization IBM Research 4/25/2019

7 Desired Privacy Functions
Similar pattern across industry and government Desired policy/data portability Looked for easy to use authoring environment Wanted one solution for all organizational data IBM Research 4/25/2019

8 Establish Scenarios with Customers
How would you describe your role regarding privacy? Can you give us an example scenario of what happens to a piece of PI as it passes through your organization from the time it is first collected until you dispose of it? What are the strengths and weaknesses of your organization's current processes (manual or automated)? What additional privacy functionality does your organization need and how would you like this privacy functionality to fit into your business process? Are there different privacy issues for Web and Legacy data? Do you have any other privacy requirements that you would like to tell us about? IBM Research 4/25/2019

9 Scenario Approach Developed Enriched Domain-Specific Scenarios
Combined scenarios gathered from customers into four domain-specific stereotypical scenarios in: Healthcare, Banking/Finance, Travel/Entertainment, Government Enriched Scenarios Reviewed with 17 Customers in and face-to-face sessions Customers agreed the scenarios represent all steps involving PI in their industries very well Conducted Component Analysis of each Step Broke each scenario down into steps such that each step involves one type of PI use.... Used EPA Benchmark, Mapped Tactical, and Created Future Roadmap Privacy Solutions for Customers Used Scenarios in Design Review Sessions with Customers IBM Research 4/25/2019

10 Iterative Design of Privacy Enabling Technology
Focused on key privacy steps from previous analysis Established interaction requirements and a customer-validated design of a highly usable and effective privacy management tool called SPARCLE (Server Privacy ARchitecture and CapabiLity Enablement). Scope: Author policies Connect policy definition to system entities (Implement) Check policy compliance (Audit) Iteratively designed and reviewed with customers 10 sessions with 22 target users over 2 design iterations IBM Research 4/25/2019

11 What is a Privacy Policy Rule?
Privacy is not about a single absolute privacy rule – Context Specific Policies are involved Policies have been found to have stable form: Who (data user) can see my (data subject) information (data element) For what purposes (e.g., marketing, patient care) To carry out what actions (e.g., distribute) Under what conditions (e.g., lives in California) With what obligations (e.g., data subject must be notified) Key Question - How can organizations author, implement, and audit privacy policies without rewriting all applications? IBM Research 4/25/2019

12 IBM Research 4/25/2019

13 Parsed Rule Original Rule Rule Elements IBM Research 4/25/2019

14 Laboratory Privacy Policy Rule Authoring Study
Can we determine whether the Natural Language or Structured Entry method is better for policy authoring? Examined performance of novice policy authors 36 knowledge workers Provided 3 scenarios describing a desired privacy situation Asked people to write policy rules using three methods Unconstrained Natural Language with a policy rule template Structured entry from lists of elements IBM Research 4/25/2019

15 Privacy Policy Rule Authoring: Preferences
Unconstrained policy authoring left participants unsure of their rules Natural Language template seemed to provide good guidance Structured Entry seemed equally satisfying Lower score represents higher degree of satisfaction IBM Research 4/25/2019

16 Privacy Policy Rule Authoring: Quality
Unconstrained authoring yielded low quality (% elements identified) Natural Language and Structured Entry yielded good quality Including both methods seems to be most promising direction IBM Research 4/25/2019

17 Privacy Policy Creation Utility
Author Privacy Policy Machine Readable Natural Language Transform Visualization Of Privacy Implementation Utility Enforcement Engine Log Internal Privacy Audit Privacy Policy Creation Utility IBM Research 4/25/2019

18 Next Steps Continue enrichment and testing of the prototype with target customers! Exploring relationship to compliance issues IBM Research 4/25/2019

Download ppt "Making Privacy Possible: Research on Organizational Privacy Technology"

Similar presentations

Policy Specification, Analysis and Transformation International Technology Alliance in Network and Information Sciences A scenario based demo will illustrate.

Policy Specification, Analysis and Transformation International Technology Alliance in Network and Information Sciences A scenario based demo will illustrate.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
Components of a Product Vision/Strategy

Components of a Product Vision/Strategy
Global Business Blueprint Summary Presenters: Laurie Dempsey, CBP Lois McCluskey, eCP January 28, 2004.

Global Business Blueprint Summary Presenters: Laurie Dempsey, CBP Lois McCluskey, eCP January 28, 2004.
Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz

Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz
Securing the Broker Pattern Patrick Morrison 12/08/2005.

Securing the Broker Pattern Patrick Morrison 12/08/2005.
Dr. Julian Lo Consulting Director ITIL v3 Expert

Dr. Julian Lo Consulting Director ITIL v3 Expert
On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.

On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.
Identifying Needs and Establishing Requirements John Thiesfeld Jeff Morton Josh Edwards.

Identifying Needs and Establishing Requirements John Thiesfeld Jeff Morton Josh Edwards.
Software Factory Assembling Applications with Models, Patterns, Frameworks and Tools Anna Liu Senior Architect Advisor Microsoft Australia.

Software Factory Assembling Applications with Models, Patterns, Frameworks and Tools Anna Liu Senior Architect Advisor Microsoft Australia.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
IIBA Denver | may 20, 2015 | Kym Byron , MBA, CBAP, PMP, CSM, CSPO

IIBA Denver | may 20, 2015 | Kym Byron , MBA, CBAP, PMP, CSM, CSPO
System Engineering Instructor: Dr. Jerry Gao. System Engineering Jerry Gao, Ph.D. Jan. 1999 - System Engineering Hierarchy - System Modeling - Information.

System Engineering Instructor: Dr. Jerry Gao. System Engineering Jerry Gao, Ph.D. Jan System Engineering Hierarchy - System Modeling - Information.
Software Process and Product Metrics

Software Process and Product Metrics
Sharif University of Technology Session # 4.  Contents  Systems Analysis and Design Sharif University of Technology MIS (Management Information System),

Sharif University of Technology Session # 4.  Contents  Systems Analysis and Design Sharif University of Technology MIS (Management Information System),
The Software Development Life Cycle: An Overview

The Software Development Life Cycle: An Overview
Chapter 6 System Engineering - Computer-based system - System engineering process - “Business process” engineering - Product engineering (Source: Pressman,

Chapter 6 System Engineering - Computer-based system - System engineering process - “Business process” engineering - Product engineering (Source: Pressman,
Karolina Muszyńska. Reverse engineering - looking at the solution to figure out how it works Reverse engineering - breaking something down in order to.

Karolina Muszyńska. Reverse engineering - looking at the solution to figure out how it works Reverse engineering - breaking something down in order to.
Creating an Effective Email Policy Central Missouri Chapter Jesse Wilkins April 16, 2009.

Creating an Effective Policy Central Missouri Chapter Jesse Wilkins April 16, 2009.
Business Analysis and Essential Competencies

Business Analysis and Essential Competencies

Similar presentations

Ads by Google