A Problem-Based Approach for Computer-Aided Privacy Threat Identification

  • Kristian Beckers
  • Stephan Faßbender
  • Maritta Heisel
  • Rene Meis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8319)


Recently, there has been an increase of reported privacy threats hitting large software systems. These threats can originate from stakeholders that are part of the system. Thus, it is crucial for software engineers to identify these privacy threats, refine these into privacy requirements, and design solutions that mitigate the threats.

In this paper, we introduce our methodology named Problem-Based Privacy Analysis (ProPAn). The ProPAn method is an approach for identifying privacy threats during the requirements analysis of software systems using problem frame models. Our approach does not rely entirely on the privacy analyst to detect privacy threats, but allows a computer aided privacy threat identification that is derived from the relations between stakeholders, technology, and personal information in the system-to-be.

To capture the environment of the system, e.g., stakeholders and other IT systems, we use problem frames, a requirements engineering approach founded on the modeling of a machine (system-to-be) in its environment (e.g. stakeholders, other software). We define a UML profile for privacy requirements and a reasoning technique that identifies stakeholders, whose personal information are stored or transmitted in the system-to-be and stakeholders from whom we have to protect this personal information. We illustrate our approach using an eHealth scenario provided by the industrial partners of the EU project NESSoS.


privacy threat analysis problem frames requirements engineering 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alebrahim, A., Hatebur, D., Heisel, M.: A method to derive software architectures from quality requirements. In: Thu, T.D., Leung, K. (eds.) Proceedings of the 18th Asia-Pacific Software Engineering Conference (APSEC), pp. 322–330. IEEE Computer Society (2011)Google Scholar
  2. 2.
    Asnar, Y., Li, T., Massacci, F., Paci, F.: Computer aided threat identification. In: Proceedings of the 2011 IEEE 13th Conference on Commerce and Enterprise Computing, CEC 2011, pp. 145–152. IEEE Computer Society (2011)Google Scholar
  3. 3.
    Atos Origin: Papyrus UML Modelling Tool (February 2011),
  4. 4.
    AT&T and Bell-Labs: Graphviz - Graph Visualization Software (June 2012),
  5. 5.
    Côté, I., Hatebur, D., Heisel, M., Schmidt, H.: UML4PF – a tool for problem-oriented requirements analysis. In: Proceedings of the International Conference on Requirements Engineering (RE), pp. 349–350. IEEE Computer Society (2011)Google Scholar
  6. 6.
    Deng, M., Wuyts, K., Scandariato, R., Preneel, B., Joosen, W.: A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requir. Eng. 16, 3–32 (2011)CrossRefGoogle Scholar
  7. 7.
    Eclipse Foundation: Eclipse - An Open Development Platform (2011),
  8. 8.
    Eclipse Foundation: Acceleo - transforming models into code (June 2012),
  9. 9.
    EU: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Tech. rep., European Community(EU) (1995),
  10. 10.
    Hafiz, M.: A collection of privacy design patterns. In: Proceedings of the 2006 Conference on Pattern Languages of Programs, PLoP 2006, pp. 7:1–7:13. ACM (2006)Google Scholar
  11. 11.
    Hansen, M., Schwartz, A., Cooper, A.: Privacy and Identity Management. IEEE Security & Privacy 6(2), 38–45 (2008)CrossRefGoogle Scholar
  12. 12.
    Hatebur, D., Heisel, M.: A foundation for requirements analysis of dependable software. In: Buth, B., Rabe, G., Seyfarth, T. (eds.) SAFECOMP 2009. LNCS, vol. 5775, pp. 311–325. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  13. 13.
    Hatebur, D., Heisel, M.: A UML profile for requirements analysis of dependable software. In: Schoitsch, E. (ed.) SAFECOMP 2010. LNCS, vol. 6351, pp. 317–331. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. 14.
    ISO and IEC: Common Criteria for Information Technology Security Evaluation – Part 2 Security functional components. ISO/IEC 15408, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) (2009)Google Scholar
  15. 15.
    Jackson, M.: Problem Frames. Analyzing and structuring software development problems. Addison-Wesley (2001)Google Scholar
  16. 16.
    Jackson, M., Zave, P.: Deriving specifications from requirements: an example. In: Proceedings 17th Int. Conf. on Software Engineering, Seattle, USA, pp. 15–24. ACM Press (1995)Google Scholar
  17. 17.
    Kalloniatis, C., Kavakli, E., Gritzalis, S.: Addressing privacy requirements in system design: the PriS method. Requir. Eng. 13, 241–255 (2008)CrossRefGoogle Scholar
  18. 18.
    OECD: OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Tech. rep. Organisation for Economic Co-operation and Development (OECD) (1980),,3746,en_2649_34255_1815186_1_1_1_1,00&&en-USS_01DBC.html
  19. 19.
    Westin, A.F.: Privacy and Freedom. Atheneum, New York (1967)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Kristian Beckers
    • 1
  • Stephan Faßbender
    • 1
  • Maritta Heisel
    • 1
  • Rene Meis
    • 1
  1. 1.paluno - The Ruhr Institute for Software TechnologyUniversity of Duisburg-EssenGermany

Personalised recommendations