Computer Science > Cryptography and Security
[Submitted on 7 Jun 2023]
Title:A GDPR-compliant Risk Management Approach based on Threat Modelling and ISO 27005
View PDFAbstract:Computer systems process, store and transfer sensitive information which makes them a valuable asset. Despite the existence of standards such as ISO 27005 for managing information risk, cyber threats are increasing, exposing such systems to security breaches, and at the same time, compromising users' privacy. However, threat modelling has also emerged as an alternative to identify and analyze them, reducing the attack landscape by discarding low-risk attack vectors, and mitigating high-risk ones. In this work, we introduce a novel threat-modelling-based approach for risk management, using ISO 27005 as a baseline for integrating ISO 27001/27002 security controls with privacy regulations outlined in the European General Data Protection Regulation (GDPR). In our proposal, risk estimation and mitigation is enhanced by combining STRIDE and attack trees as a threat modelling strategy. Our approach is applied to an IoT case study, where different attacks are analyzed to determine their risk levels and potential countermeasures.
Submission history
From: Denys A. Flores Dr. [view email][v1] Wed, 7 Jun 2023 21:07:09 UTC (6,390 KB)
References & Citations
Bibliographic and Citation Tools
Bibliographic Explorer (What is the Explorer?)
Litmaps (What is Litmaps?)
scite Smart Citations (What are Smart Citations?)
Code, Data and Media Associated with this Article
CatalyzeX Code Finder for Papers (What is CatalyzeX?)
DagsHub (What is DagsHub?)
Gotit.pub (What is GotitPub?)
Papers with Code (What is Papers with Code?)
ScienceCast (What is ScienceCast?)
Demos
Recommenders and Search Tools
Influence Flower (What are Influence Flowers?)
Connected Papers (What is Connected Papers?)
CORE Recommender (What is CORE?)
arXivLabs: experimental projects with community collaborators
arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.
Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.
Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs.