pISRA: privacy considered information security risk assessment model

  • Yu-Chih Wei
  • Wei-Chen Wu
  • Gu-Hsin Lai
  • Ya-Chi Chu

Abstract

Security threats to personally identifiable information are increasing dramatically. Large international companies, not only government agencies, are potential victims. To comply with regulations such as the European Union General Data Protection Regulation, organizations are required to carry out a privacy impact assessment. However, the conventional information security risk assessment model does not provide a clear methodology for conducting privacy impact assessments. In this paper, we propose a privacy-considered information security risk assessment (pISRA) model, which takes both privacy impact analysis and risk assessment into consideration. The proposed model helps risk assessors achieve a comparable and reproducible approach across the entire risk assessment process. Additionally, pISRA can assist organizations in selecting high-risk items for further action.

Keywords

Privacy, Risk, Security, Assessment, Impact

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. Department of Finance and Information, National Kaohsiung University of Science and Technology, Kaohsiung, Taiwan, ROC
  2. Computer Center, Hsin Sheng Junior College of Medical Care and Management, Taoyuan, Taiwan, ROC
  3. Department of Technology Crime Investigation, Taiwan Police College, Taipei, Taiwan, ROC
  4. Telecommunication Laboratories, Chunghwa Telecom Co., Ltd, Taoyuan, Taiwan, ROC