On the Road to Privacy- and Data Protection-Friendly Security Technologies in the Workplace – A Case-Study of the MUSES Risk and Trust Analysis Engine

  • Yung Shin Van Der Sype
  • Jonathan Guislain
  • Jean-Marc Seigneur
  • Xavier Titi
Part of the Law, Governance and Technology Series book series (LGTS, volume 36)


It seems generally accepted that the major threat for company security occurs from within the organisation itself. Given the potential threats for the value attached to information resources, companies are increasing their efforts to counteract these risks, introduced by employees. Many company security technologies are strongly focused on analysing employee behaviour. An example of such a monitoring tool is MUSES (Multiplatform Usable Endpoint Security). MUSES is a user-centric security system that aims to enhance company security by reducing security risks introduced by user behaviour. However, even though the monitoring of employees may be beneficial to secure company data assets, the monitoring of employees is restricted by privacy and data protection regulation. In this paper, we use one MUSES component, namely the Real-Time Risk and Trust Analysis Engine (MUSES RT2AE), as a use case to study in which way privacy and data protection legislation limits the monitoring of employees through company security technologies.


Personal Data Data Protection Working Party Data Subject Security Technology 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



The research leading to these results has received funding from the EU IST Seventh Framework Programme (FP7) under the grant agreement number 318508, project MUSES (Multiplatform Usable Endpoint Security) and from the EU Horizon 2020 Programme under the grant agreement number 653618, project DOGANA (aDvanced sOcial enGineering And vulnerability Assessment framework).


  1. Arfwedson, Henrik, Burvall, Markus, Ali, Yasir, Mora, Antonio, de las Cuevas, Paloma, Zamarripa, Sergio, Seigneur, Jean-Marc, and Hodaie, Zardosht. “Architecture and Prototype Specification”, MUSES project, D2.1 (2013).Google Scholar
  2. Article 29 Working Party. Opinion 3/2013 on purpose limitation, adopted on 2 April 2013, WP203.Google Scholar
  3. Article 29 Working Party, Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007, WP136.Google Scholar
  4. Article 29 Working Party. Opinion 8/2001 on the processing of personal data in the employment context, adopted on 13 September 2001, WP48.Google Scholar
  5. Article 29 Working Party and Working Party on Police and Justice, The future of privacy: joint contribution to the consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, adopted on 1 December 2009, WP 168.Google Scholar
  6. Briney, Andy. “Information security industry survey”, Information Security (2001): 34–46.Google Scholar
  7. Colwill, Carl. “Human factors in information security: The insider threat – Who can you trust these days?”, Information Security Technical Report 14 (2009): 186–196.CrossRefGoogle Scholar
  8. Cavoukian, Ann. Privacy by design in law, policy and practice. A white paper for regulators, decision-makers and policy-makers (Ontario: Information and privacy commissioner, 2011).Google Scholar
  9. Cavoukian, Ann. Privacy by design: the 7 foundational principles (Ontario: Information and privacy commissioner of Ontario, 2009).Google Scholar
  10. Cavoukian, Ann, and Chanliau, Marc. “Privacy and Security by Design: A convergence of paradigms”, in Privacy by Design. From rhetoric to reality, ed. Cavoukian, Ann. (Ontario: Information and Privacy Commissioner, 2013): 209–226.Google Scholar
  11. de las Cuevas, Paloma, Mora, Anotnio, Merelo, Juan Julian, Castillo, Pedro, Garcia-Sanchez, Pablo, and Fernandez-Ares, Antonio. “Corporate security solutions for BYOD : A novel user-centric and self-adaptive system”, Computer Communications 68 (2015): 83–95.Google Scholar
  12. ENISA. Privacy and Data Protection by Design – from policy to engineering, 12 January 2015.Google Scholar
  13. European Data Protection Supervisor. Opinion of promoting trust in the information society by fostering data protection and privacy, 18 March 2010.Google Scholar
  14. European Data Protection Supervisor. Opinion on the data protection reform package, 7 March 2012.Google Scholar
  15. Garba, Abubakar B., Armarego, Jocelyn, Murray, David, and Kenworthy, William. “Review of the Information Security and Privacy Challenges in Bring Your Own Device (BYOD) Environments”, Journal of Information Privacy and Security 11 (2015): 38–54.CrossRefGoogle Scholar
  16. Gürses, Seda, Troncoso, Carmela, and Diaz, Claudia. “Engineering privacy by design” (paper presented at the annual Computers, Privacy and Data Protection conference, Brussels, January 29–30, 2011).Google Scholar
  17. Hoepman, Jaap-Henk. “Privacy Design Strategies – extended abstract” (paper presented at ICT-System Security and Privacy Protection – 29th IFIP TC 11 International Conference, SEC 2014, Marrakech, June 2–4, 2014).Google Scholar
  18. Hustinx, Peter. “Privacy by design: delivering the promises”, Identity in the Information Society 3 (2010): 253–255.CrossRefGoogle Scholar
  19. Kleiner, Carsten, and Disterer, Georg. “Ensuring mobile device security and compliance at the workplace”, Procedia Computer Science 64 (2015): 274–281.CrossRefGoogle Scholar
  20. Koops, Bert-Jaap, and Leenes, Ronald. “Privacy regulation cannot be hardcoded. A critical comment on the ‘privacy by design’ provision in data protection law”, International Review of Law, Computers & Technology 2 (2014): 159–171.Google Scholar
  21. Lasprogata, Gail, King, Nancy, and Pillay, Sukanya. “Regulation of Electronic Employee Monitoring: Identifying fundamental Principles of Employee Privacy through a Comparative Study of Data Privacy Legislation in the European Union, United States and Canada”, Stanford Technology Law Review 4 (2004): 1-46.Google Scholar
  22. Probst, Christian, Hunker, Jeffrey, Gollmann, Dieter, and Bishop Matt. Insider Threats in Cyber Security (New York: Springer, 2010).CrossRefGoogle Scholar
  23. Richardson, Robert. “2010/2011 CSI Computer Crime and Security Survey”, http://gatton.uky.edu/faculty/payne/acc324/CSISurvey2010.pdf.
  24. Schartum, Dag Wiese “Making privacy by design operative”, International Journal of Law and Information Technology 24 (2016): 151–175.Google Scholar
  25. Schaub, Florian, Balebako, Rebecca, Durity, Adam, and Cranor, Lorrie Faith. “A Design Space for Effective Privacy Notices” (paper presented at the Symposium on Usable Privacy and Security, Ottawa, July 22–24, 2015).Google Scholar
  26. Seigneur, Jean-Marc. “Online e-Reputation Management Services”, in Computer and Information Security Handbook, 2nd edition, ed. Vacca, John. (Waltham: Elsevier, 2013), 1053–1072.CrossRefGoogle Scholar
  27. Seigneur, Jean-Marc, Ballester Lafuente, Carlos, Titi, Xavier, and Guislain, Jonathan. “Revised MUSES trust and risk metrics”, MUSES project, D3.3 (2014).Google Scholar
  28. Solove, Daniel “A taxonomy of privacy”, University of Pennsylvania Law Review 154 (2006): 477–560.CrossRefGoogle Scholar
  29. Spiekermann, Sarah, and Cranor, Lorrie Faith. “Engineering privacy”, IEEE Transactions on Software Engineering 35 (2009): 67–82.Google Scholar
  30. Van Der Sype, Yung Shin and, Seigneur, Jean-Marc. “Case study: Legal Requirements for the Use of Social Login Features for Online Reputation Updates” (paper presented at the annual ACM International Symposium of Applied Computing, Gyeongju, March 24–29, 2014).Google Scholar
  31. Van Der Sype, Yung Shin, Seigneur, Jean-Marc, Arfwedson, Henrik, Zamarripa, Sergio, Burvall, Markus, Stanik, Christoph, de las Cuevas, Paloma, and Titi, Xavier. “Legal evaluation”, MUSES project, D7.4 (2015).Google Scholar
  32. Van Der Sype, Yung Shin, Seigneur, Jean-Marc, Mora Garcia, Antonio, and Stanik, Christoph. “Policy Recommendations for the Existing Legal Framework”, MUSES project, D7.2 (2014).Google Scholar
  33. Warkentin, Merrill, and Willison, Robert. “Behavioral and policy issues in information security systems security: the insider threat”, European Journal of Information Systems 18 (2009): 101–105.CrossRefGoogle Scholar
  34. Yayla, Ali. “Controlling insider threats with information security policies”, Proceedings European Conference on Information Systems (2011), paper 242.Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Yung Shin Van Der Sype
    • 1
  • Jonathan Guislain
    • 2
  • Jean-Marc Seigneur
    • 2
  • Xavier Titi
    • 2
  1. 1.Centre for IT & IP LawKU LeuvenLeuvenBelgium
  2. 2.ISS CUI, Medi@Law, G3SUniversity of GenevaCarougeSwitzerland

Personalised recommendations