Published by Farah Zalina, 2019-12-05 08:20:07

DATA PRIVACY AND SECURITY


DECEMBER 2019

DEITEO PUBLISHER

TABLE OF CONTENTS

Personalized Privacy In Open Data Sharing
A model-based Approach to Support Privacy Compliance
Privacy, consumer trust and big data: privacy by design and the 3 C's
Information security in an organization
A survey of intrusion detection and prevention systems
Information security management in human aspect in organizations
Economic perspective analysis of protecting big data security and privacy
Big data's impact on privacy, security and consumer welfare

VISIT

http://online.anyflip.com/onyf/lijr/mobile/index.html

PERSONALIZED PRIVACY IN OPEN
DATA SHARING

Everybody in the world has their own personal information. In a computer system it is called data. In this era, it is easy to find information about our identities through a government database, commercial platform or social network. As we know, personal data is something valuable, so the exploitation of data has become an extremely lucrative business. For example, data brokers compile and analyze consumer information to resell it or to provide business services, such as identity verification, marketing products or personal profiling.

“64 percent of internet users from developed countries think that technology advances have negative impact on their privacy” – Microsoft, 2015

With the growth of personal data sharing, there is increasing social understanding of the privacy threats that uncontrolled collection and exploitation of this personal data may produce. In May 2014, the US Federal Trade Commission published on the data collection and use practices of the most relevant data brokers, which put a spotlight on the privacy risks they pose to consumers. As a result, the implementation of mechanisms that enable consumers to access their data and give them the ability to opt out of having it shared for secondary use was suggested.

Because of the huge amount of data that needs to be managed, privacy-by-design requires the existence of privacy-preserving technologies that prevent the disclosure of sensitive information through the life cycle of data release. Over the last year, a few anonymization mechanisms and models have been designed for ensuring privacy. The results show that most privacy-preserving mechanisms cannot avoid the disclosure risk.

One-to-one privacy

One-to-one privacy is individual privacy protection in a dynamic open data sharing environment. It is a privacy-preserving paradigm that builds on the following premises:

• Privacy expectations and data sensitivity are relative, and depend on our privacy requirements.
• The possibility to compile, link and aggregate our data that get incrementally published in different platforms significantly expands the knowledge that third parties gain about us.
• Privacy has a time-dependent element.

The main element of the general components and workflow is the privacy protection infrastructure.

Because of the incremental nature of the approach, the more data are released, the stricter the protection of new data.

Data protection is thus tailored to the privacy needs of the individual whom the data refer to, and considers the whole life cycle of the data releases through time.

Challenges of one-to-one privacy

• To manage individuals' requirements and publication record.
• To perform accurate assessment of privacy risk.
• To implement an appropriate protection of data.

Solutions of one-to-one privacy

• Define the privacy requirements of an individual.
• Individuals should state their needs regarding sensitive topics.
• Ascertain how much information can be disclosed for each sensitive topic.
• The system should assess the privacy risks of the data to be published within the context of the publication record of the individual to whom the data refer.

Even though privacy-preserving data transformation methods can be applied to all scenarios, we can also rely on access control as an alternative in a controlled environment in which users are authenticated and access to the resources is managed by a centralized entity that implements the privacy protection infrastructure.

As we know, authorized parties will gain full access to the data and, thus, perfect utility, whereas unauthorized parties will not learn anything of the individual.

Proof of Concept: Privacy-Enabled Social Network

Most data published in social networks are unstructured plain text, which is challenging to analyze and protect by standard statistical methods. So, social networks have become core sources of personal data for data brokers.

HOW DOES A NETWORK OPERATOR FOLLOW THE PRIVACY-BY-DESIGN PRINCIPLE?

Firstly, they allow users to define their own privacy requirements and make them aware of the privacy risk inherent to their publications. Secondly, they suggest actions to mitigate those risks. Lastly, they enforce data protection in an automatic and personal way.

Other Applications and Future Directions

The one-to-one privacy paradigm can be applied in environments that are less controlled and centralized than a social network. For example, a data broker may adopt one-to-one privacy to fulfill privacy-by-design. To do that, the data broker should consider privacy requirements first. Then, they need to rely on automatic assessment of privacy risk to detect the semantic inferences enabled by the compiled data.

In an organization, privacy compliance is very important because it protects the data of that organization. An established organization will have a good record system that has a high level of protection or privacy.

Privacy can be defined as a multifaceted concept that has legal, social and political aspects. Typically, privacy is articulated at a high level of abstraction. Its concrete manifestations are ambiguous to those concerned with data protection and those responsible for developing and maintaining systems.

“…incorporating privacy requirements into the early stages of development process requires appropriate interpretation of legal, social and politic concern” - Gurses

These challenges lead to a disconnect between policy-makers and software engineers with regard to the actual meaning of privacy. To overcome these challenges, the abstract personal data lifecycle (APDL) and unified modeling language (UML) were developed. APDL will serve as a stepping stone for modeling privacy-related concepts along with associated properties and relationships, and for representing data-processing activities in a way that is amenable to risk analysis and compliance checking. UML has been adopted to support the APDL model's main concepts and integration into software engineering processes.

Processing of personal data is done fairly and lawfully, according to legal frameworks and standards related to privacy and data protection in particular. Most importantly, privacy goals can be used by multiple stakeholders to express their privacy concerns and expectations. A number of privacy requirements engineering approaches have been proposed to support the elicitation of privacy requirements. The principle of data minimization has been proposed as a necessary and foundational first step for engineering systems according to the principle.

UML and APDL

UML can be extended to communicate new intentions in a particular domain, through:

• Stereotypes: used to extend the vocabulary of UML.
• Tagged values: used to extend the properties of a UML model element.

APDL will represent data-processing activities in a contextual and fine-grained manner to support risk analysis and compliance checking.

Approach to Support Privacy Compliance

• Refinement
• Conceptualization
• Representation
• Evaluation

Refinement

The aim of refinement is to refine the abstract purpose into a set of concrete purposes that can be assigned as responsibilities. It can be achieved by specifying the abstract purpose at a certain level of detail as concrete purposes. The main steps of this activity are:

• The abstract purpose needs to be refined into concrete purposes.
• Each concrete purpose needs to be expressed in terms of actions and the events that trigger the execution of these actions.
• The minimum necessary amount of personal data needs to be derived from the actions of each concrete purpose.
• Concrete purposes need to be assigned to the capable actors according to their roles and associated responsibilities.

Conceptualization

The aim of conceptualization is to derive and model the key aspects of abstract privacy principles. It can be achieved by classifying the primary terms. The main steps of this activity are:

• Sources from which knowledge can be acquired need to be identified.
• The most appropriate technique for deriving useful and potentially usable concepts and actions needs to be used.
• A list of concepts, meanings and properties needs to be identified.
• A list of actions and conditions needs to be identified.
• A conceptual model that describes the problem and solution in terms of domain vocabulary needs to be developed.

Representation

The aim of representation is to model the abstract and concrete purposes together with the key aspects of abstract privacy principles as a requirements model. It can be achieved by adopting a UML profile for the APDL model as the means of representation. The main steps of this activity are:

• The main steps of the refinement activity need to be conducted.
• The main steps of the conceptualization activity need to be conducted.
• The abstract and concrete purpose, along with concepts and actions derived from the abstract privacy principles.

Evaluation

The aim of evaluation is to specify the constraints through which the abstract purpose can be operationalized. These constraints can be used to specify conditions on the concepts and actions identified in the conceptualization activity. The main steps of this activity are:

• For each concept identified in the conceptualization activity, all possible invariant conditions need to be established.
• For each action identified in the conceptualization activity, all possible pre- and post-conditions that must be satisfied need to be established.
• The established rules need to be specified.

As mentioned above, there are four main activities that need to be conducted to facilitate reasoning about privacy compliance with legal frameworks or standards.

The first activity concerns modeling the purpose for which personal data are collected and processed at a certain level of abstraction to facilitate compliance checking.

The second activity concerns deriving and modeling the key aspects of abstract privacy principles stated in legal frameworks and standards as concepts and actions.

The third activity concerns modeling the abstract and concrete purposes together with the useful and potentially usable concepts and actions derived from abstract privacy principles.

The last activity concerns establishing and modeling suitable rules that provide a set of criteria against which the requirements model is evaluated to determine whether it fulfills the privacy requirements. This demonstrates the usefulness and applicability of the extension mechanism.

DATA PRIVACY

PRIVACY, CONSUMER TRUST AND BIG DATA: PRIVACY BY DESIGN AND THE 3 C’S

by Michelle Chibba and Ann Cavoukian

It is a world where everything is connected – not only online, but also in the physical world of wireless and wearable devices. Through the global convergence of ICTs and the capability of these technologies to capture, digitize and make sense of an unknown magnitude of data, we are now in the era of Big Data. The promise and value of Big Data extends beyond the imagination and is limited only by our own human capabilities and resourcefulness. Make no mistake, organizations must seriously consider not just the use of Big Data but also the implications of a failure to fully realize the potential of Big Data. Big Data and big data analytics, promise new insights and benefits such as medical/scientific discoveries, new and innovative economic drivers, predictive solutions to otherwise unknown, complex societal problems.

Yet, with each statement or discussion of the critical success factors to unlocking or unleashing the benefits of Big Data, privacy and security looms large. At the same time that powerful computing devices are now literally ‘in the hands’ of individuals, the associated applications and services providing connectivity, ubiquity and predictability provide less control over one’s personal information. Since informational self-determination is the basis for the definition of data privacy, we must find ways to engender trust in these technologies.

The alternative would be a future world devoid of any privacy, the very basis upon which our individual freedoms are built. This is precisely what we have to consider – the growth of ICTs and the resulting data explosion could pave the way for the surveillance of our lives, at an unimaginable scale, thereby undermining any potential benefits. The growth of ICTs and the resulting data explosion could pave the way for the surveillance of our lives and diminish our democratic freedoms, at an unimaginable scale. Consumer mistrust of an organization's ability to safeguard their data is at an all time high and this has negative implications for Big Data. The timing is right to be proactive about designing privacy into technologies, business processes and networked infrastructures. Inclusiveness of all objectives can be achieved through consultation, co-operation, and collaboration (3 C's). If privacy is the default, without diminishing functionality or other legitimate interests, then trust will be preserved and innovation will flourish.

PRIVACY AND CONSUMER TRUST

Informational privacy refers to the right or ability of individuals to exercise control over the collection, use and disclosure by others of their personal information. No doubt, ICTs present challenges to what constitutes personal information, extending it from obvious tombstone data (name, address, telephone number, date of birth, gender) to the innocuous computational or meta data once the purview of engineering requirements for communicating between devices. Addresses, such as the Media Access Control (MAC) number that are designed to be persistent and unique for the purpose of running software applications and utilizing Wi-Fi positioning systems to communicate to a local area network can now reveal much more about an individual through advances in geo-location services and uses of smart mobile devices.

Sometimes, information security is taken to mean that privacy has been addressed. While security certainly plays a vital role in enhancing privacy, there is a distinction - security is about protecting data assets. It is about achieving the goals of confidentiality, integrity and availability. Privacy related goals developed in Europe that complement this security triad are: unlinkability, transparency and intervenability.

Notwithstanding the need for security, some of the key privacy challenges in Big Data are:

• Data maximization (collection, storage, retention) rather than data minimization.
• Emphasis on “unknown potential” uses of information and results that override purpose limitation.
• Ubiquity of the ICTs and flow of data leading to greater opacity rather than transparency.
• Correlation, pattern identification and sense-making algorithms that contribute to increased risk of re-identification on poorly anonymized or de-identified datasets.
• Decisions based on questionable data quality, false positives, lack of causality.
• Inference-dependency leading to decision-making bias as well as power imbalances.

7 FOUNDATIONAL PRINCIPLES IN PRIVACY BY DESIGN

Privacy by Design (PbD) is a set of seven foundational principles that serves as an overarching framework for inserting privacy and data protection early, effectively and credibly into information technologies, organizational processes, networked architectures and, indeed, entire systems of governance and oversight. The goals are to ensure user control, enhance transparency and establish confidence and trust. Importantly, it does not rely solely on regulatory measures, which serve as effective means for enforcement and penalty determination and are often technology neutral.

The 7 Foundational Principles that make up Privacy by Design express not only the universal principles of the Fair Information Practices (FIPs) but incorporate a design-thinking approach. Integrally linked, the principles address the need for robust data protection and an organization’s desire to unlock the potential of data-driven innovation.

The 7 Foundational Principles

• Use proactive rather than reactive measures, anticipate and prevent privacy invasive events before they happen (Proactive not Reactive; Preventative not Remedial).
• Personal data must be automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact (Privacy as the Default).
• Privacy must be embedded into the design and architecture of IT systems and business practices. It is not bolted on as an add-on, after the fact. (Privacy Embedded into Design).
• All legitimate interests and objectives are accommodated. (Full Functionality — Positive-Sum, not Zero-Sum).
• Security is applied throughout the entire lifecycle of the data involved. (End-to-End Security — Full Lifecycle Protection).
• For accountability, all stakeholders are assured that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. (Visibility and Transparency — Keep it Open).
• Architects and operators must keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options (Respect for User Privacy — Keep it User-Centric).

BIG DATA AND PRIVACY BY DESIGN

Contrary to what some may believe, privacy requirements are not obstacles to innovation or to realizing societal benefits from Big Data analytics—in fact, they can actually foster innovation as well as widespread and enduring user trust in ICTs.

Technologies such as strong de-identification techniques and tools, and applying appropriate re-identification risk measurement procedures, make it possible to provide a high degree of privacy protection, while ensuring a level of data quality that may be appropriate for secondary use in Big Data analytics. However, de-identification can and should be done effectively.

Organizations should perform an initial risk assessment, taking into account the current state of the art in both de-identification techniques and re-identification attacks. Since de-identification is neither simple nor straightforward, policy makers should support the development of strong tools, training, and best practices so that these techniques may be more widely adopted. In particular, a governance structure should be in place that enables organizations to continually assess the overall quality of their de-identified datasets to ensure that their utility remains high, and the risk of re-identification sufficiently low.

CHARACTERISTICS AND DESIGN FEATURES OF SUCH BIG DATA ANALYTICS TECHNOLOGIES SHOULD INCLUDE:

• Data source and transaction pedigree (full data attribution).
• Data tethering that facilitates real-time data currency.
• Ability to conduct advanced analytics on encrypted data.
• Tamper-resistant audit logs that support transparency and accountability of the systems and administrators.
• Preference for false negatives and additional checks/balances.
• Self-correcting false positives.
• Information transfer dashboards to account for all uses and transfers of the data.

Information Security in an Organization

BY MOHAMMED MAHFOUZ ALHASSAN AND ALEXANDER ADJEI-QUAYE

Information security is of great importance and interest to everybody in the world of technology today, whether you are a mobile phone or a personal computer user. This is why information security is of the utmost importance in our everyday life, and in the IT fields, especially in managing the data of records in an organization.

Unlike any other aspect of information technology, information security's primary mission is to ensure that systems and their contents remain the same. Organizations spend hundreds of thousands of dollars and expend thousands of man-hours to maintain their information systems.

If threats to information and systems didn't exist, this energy could be channeled towards improving the systems that support the information. However, attacks on information systems are a daily occurrence, and the need for information security increases as the sophistication of such attacks increases.

Organizations must, therefore, understand the environment in which information security operates and the problems it must address in order to protect the records data located in the systems of an organization.

Business needs first!

INFORMATION SECURITY PERFORMS 4 IMPORTANT FUNCTIONS FOR AN ORGANIZATION:

1. Protects the organization's ability to function.
2. Enables the safe operation of applications implemented on the organization's IT systems.
3. Protects the data the organization collects and uses.
4. Safeguards the technology assets in use at the organization.

WHAT IS ATTACK

An attack is an act or action that takes advantage of a vulnerability to compromise a controlled system. It is accomplished by a threat agent that damages or steals an organization's information or physical asset. A vulnerability is an identified weakness in a controlled system, where controls are not present or are no longer effective. Unlike threats, which are always in existence, attacks exist when a specific act or action comes into play and may cause a potential loss. Major types of attack are:

Malicious Code
Attacks that include the execution of viruses, worms, Trojan horses & active Web scripts with the intent to destroy/steal information.

Back Door
Attacks in which an attacker gains access to system or network resources through an access path that bypasses usual security controls.

Cracking
Attacks involving attempts to reverse-calculate a password; may use a brute force approach or a dictionary attack.

Spoofing
Attacks in which an intruder sends messages to a computer with an IP address that indicates that the message is coming from a trusted host.

Spam
Attacks involving sending unsolicited commercial e-mail.

Sniffers
Devices that monitor data travelling over a network; used for legitimate network management functions and for stealing information from a network.

Social engineering
Attacks in which an attacker uses social skills to convince people to reveal access credentials or other valuable information.

Buffer Overflow
Attacks involving an application error that occurs when more data is sent to a buffer than it can handle; during this error, the attacker can gain control over the target system.

8 DATA SECURITY TIPS FOR

SMALL BUSINESSES

Data Security has become one of the hottest issues that are surrounding
the news nowadays. But what is more surprising is that small businesses, in
particular, are fast becoming the favored targets of digital attackers. In
fact, the latest Government Security Breaches Survey revealed that 74% of
small organizations reported a security breach in 2015.

Having said that, it is quite certain that cyber-criminals are no longer hacking into computers for the sole purpose of showing off, as they did 10 years ago; rather, they are out to gain access to valuable business data (such as customer contact information and credit card accounts), which they can use to distribute malicious software or, worse, gain illicit access to the financial accounts of the business and its customers.

If you are successful in your own small business, do not rest on your laurels; take proactive measures to mitigate the data security risk posed by hackers. On the next page we have gathered up the top eight security tips to strengthen the security of your business data, giving you the peace of mind that you truly deserve.















DATA SECURITY

Data Security Issue, December 6, 2019

A Survey Of Intrusion
Detection And Prevention
Systems

Ahmed Patel, Qais Qassim, Christopher Wills

Introduction: For several years now, society has been dependent on information technology (IT). With the rise of internet and e-commerce this is more applicable now than ever. People rely on computer networks to provide them with news, stock prices, e-mail and online shopping. People’s credit card details, medical records and other personal information are stored on computer systems. Many companies have a web presence as an essential part of their business. The research community uses computer systems to undertake research and to disseminate findings. Computers control national infrastructure components such as the power grid. The integrity and availability of all these systems have to be protected against a number of threats.

Amateur hackers, rival corporations, terrorists and even foreign governments have the motive and capability to carry out sophisticated attacks against computer systems. Therefore, the field of information and communication security has become vitally important to the safety and economic well being of society as a whole. Moreover, to expose privacy breaches, security needs powerful intrusion detection and prevention systems (ID/PSs).

FACEBOOK IN PRIVACY BREACH

Background: In order to understand the ID/PSs, first one must understand the nature of the event they attempt to detect. An intrusion is a type of attack on information assets in […] into a system or disrupt the normal operations of […] actions that attempt to bypass security mechanisms of computer systems. They are any set of actions that threatens the integrity, availability or confidentiality of the information and the information system, where integrity means that data have not been altered or destroyed in an unauthorized manner and where confidentiality means that information is not made available or disclosed to unauthorized individuals, entities or processes. Availability means that a system that has the required data ensures that it is accessible and usable upon demand by an authorized system user.


“Passwords are like underwear: make them personal, make them exotic, and change them on a regular basis.” — overheard at SecureWorld Atlanta

ID is the process of monitoring computers or networks for unauthorized entry, activity or file modification. An intrusion detection system (IDS) is a software or hardware device that automates the ID process. IDSs can respond to suspicious events in one of several ways, which includes displaying an alert, logging the event or even paging an administrator.

Importance of risk management

It is expected that all computer and communication systems, including all the applications, system softwares and infrastructure and networking services, are protected from accidents and abuse by a set of safety measures composed from security, privacy, trust, audit, digital forensics and fault-tolerance functions, in order that they are to be available, reliable, trusted, safe, identifiable and auditable.

Risk is the net negative impact of the exercise of vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk and taking steps to reduce risk to an acceptable level. A strong security program reduces levels of threat to reputation, operational effectiveness, legal and strategic risk by limiting an organization’s vulnerability to attempted intrusion, thereby maintaining confidence and trust in the institution. Security concerns can quickly erode customer confidence and potentially decrease the adoption rate and rate of return on investment for strategically important products or services. An effective risk management process is an important component of a successful IT security program. The principal goal of an organization’s risk management process should be to protect the organization and its ability to achieve its mission, rather than simply its IT assets. Risk-based protection strategies are characterized by identifying, understanding, mitigating as appropriate and explicitly accepting the residual risks associated with the operation and use of information systems. To help protect organizations from the adverse effects of ongoing, serious and increasingly sophisticated threats to information systems, organizations should employ a risk-based protection strategy along with ID/PSs, as a complete system of protection to ensure the integrity, availability and confidentiality of the information and the information systems.

An intrusion prevention system (IPS) is a software or hardware device that has all the capabilities of an IDS and can also attempt to stop possible incidents. An IPS can respond to a detected threat in several ways:

• it can reconfigure other security controls in systems such as a firewall or router to block future attacks;
• it can remove malicious content of an attack in network traffic to filter out the threatening packets; or
• it can (re-)configure other security and privacy controls in browser settings to prevent future attacks.

Intrusion detection and prevention systems

Intrusion prevention is the process of performing ID and attempting to stop detected possible incidents. The IPS is a device or software application that has all the capabilities of an IDS and can also attempt to stop possible incidents. IPS is designed and developed for more active protection to improve upon the IDS and other traditional security solutions. An IPS is definitely the next level of security technology with its capability to provide security at all system levels from the operating system kernel to network data packets (Martin, 2009). IPSs are designed to protect information systems from unauthorized access, damage or disruption: an IDS informs of a potential attack, whereas an IPS makes attempts to stop it. IPS has another advantage over IDS in that it has the ability to prevent intrusions with known detected signatures, besides the unknown attacks originating from the database of generic attack behaviors (Beal, 2005). Modern ID/PSs comprise two basically different approaches, network-based and host-based. A relatively recent addition, a special IDS called application-based, is a refinement of the host-based ID (Brown et al., 2002).


Know more about Data Security?
Data security refers to the process of protecting data from unauthorized access and data corruption throughout its lifecycle. Data security includes data encryption, tokenization, and key management practices that protect data across all applications and platforms

Both servers and workstations are protected by host-based intrusion detection/prevention systems (HID/PSs) through secure and controlled software communication channels between system’s applications and operating system kernel. The software is preconfigured to determine the protection rules based on intrusion and attack signatures. The HID/PS will catch suspicious activity on the system and then, depending on the predefined rules, it will either block or allow the event to happen. HID/PS monitors activities such as application or data requests, network connection attempts and read or write attempts to name a few. One potential disadvantage with this approach is that, given the necessarily tight integration with the host operating system, future operating system upgrades could cause problems.

Network-based intrusion detection/prevention system (NID/PS) is a software or dedicated hardware system that connects directly to a network segment and protects all of the systems attached to the same or downstream network segments. Network ID/PS devices are deployed in-line with the network segment being protected (Martin, 2009). All data that flows between the protected segment and the rest of the network must pass through the network ID/PS device. As the traffic passes through the device, it is inspected for the presence of an attack. When an attack is identified, the network ID/PS discards or blocks the offending data from passing through the system to the intended victim thus blocking the attack. NID/PS will intercept all network traffic and monitor it for suspicious activity and events, either blocking the requests or passing it along should it be deemed legitimate traffic.

[…] but it means the organization can mark this event to gather evidence against the would be intruder, without the intruder’s knowledge.

Regardless of whether they operate at the network, host or application level, all ID/PSs use one of two detection methods; signature-based or anomaly-based (Whitman and Mattord, 2005). For instance, packet content signatures and/or header content signatures can indicate unauthorized actions. The occurrence of a signature might not signify an actual attempted unauthorized access (for example, it can be an honest mistake), but it is a good idea to take each alert seriously. Depending on the robustness and seriousness of a signature that is triggered, some alarm, response or notification should be sent to the proper authorities.

According to the recent Data Breach Investigation Report by Verizon, 32% of confirmed data breaches
were due to phishing attacks.

This means that these systems are not unlike virus detection systems: they can detect many or all known attack patterns, but they are of little use for as yet unknown attack methods. An interesting point to note is that anomaly detection systems try to detect the complement of “bad” behavior. Misuse detection systems try to recognize known “bad” behavior. The main issues in misuse detection systems are how to write a signature that encompasses all possible variations of the pertinent attack, and how to write signatures that do not also match non-intrusive activity (Newman et al., 2004). The main advantage of the misuse detection paradigm is that it can accurately and efficiently detect instances of known attacks. The main disadvantage of the misuse detection method is that it lacks the ability to detect the newly invented attacks. Signature databases must be constantly updated, and IDSs must be able to compare and match activities against large collections of attack signatures.
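The two detection methods discussed above, signature-based (misuse) detection and anomaly detection, can be compared side by side on a handful of web-request events. This is an added example, not code from the article or from the works it cites; the signature names, the rate threshold and all sample data are constructed assumptions.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed signatures (hypothetical names, not taken from a real rule set).
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "passwd-broad": re.compile(r"passwd"),  # deliberately too broad
}


def match_signatures(path, normalize=True):
    """Misuse detection: names of the known-bad patterns present in a path.

    Percent-decoding first lets one signature cover encoded variants of the
    same pattern, which is the "all possible variations" problem.
    """
    text = unquote(path) if normalize else path
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def build_baseline(history):
    """Anomaly detection, step 1: learn normal requests-per-minute per source.

    history maps source -> list of per-minute request counts seen in training.
    """
    return {src: (mean(counts), pstdev(counts)) for src, counts in history.items()}


def is_anomalous(baseline, src, count, k=3.0):
    """Step 2: flag a count more than k standard deviations above the mean.

    A source with no baseline is itself a deviation from known-good behaviour.
    """
    if src not in baseline:
        return True
    mu, sigma = baseline[src]
    return count > mu + k * max(sigma, 1.0)  # floor sigma so flat baselines work


def analyse(events, baseline):
    """Run both detectors over (minute, source, path) events."""
    alerts = []
    per_minute = Counter()
    for minute, src, path in events:
        per_minute[(minute, src)] += 1
        for name in match_signatures(path):
            alerts.append(("signature", name, src, path))
    for (minute, src), count in sorted(per_minute.items()):
        if is_anomalous(baseline, src, count):
            alerts.append(("anomaly", "rate", src, count))
    return alerts


# Constructed training data and events (addresses are documentation ranges).
HISTORY = {"192.0.2.10": [4, 5, 6, 5, 4, 6], "192.0.2.11": [2, 3, 2, 3, 2, 3]}
EVENTS = (
    [(0, "192.0.2.10", "/index.html")] * 5
    + [(0, "192.0.2.11", "/static/../../etc/hosts")]   # known pattern
    + [(0, "192.0.2.11", "/account/reset-passwd")]     # benign, broad rule fires
    + [(1, "192.0.2.10", f"/export?page={i}") for i in range(40)]  # no signature
)

if __name__ == "__main__":
    for alert in analyse(EVENTS, build_baseline(HISTORY)):
        print(alert)
```

The over-broad `passwd-broad` rule alerts on a harmless password-reset page, while the burst of 40 requests matches no signature and is caught only by the rate baseline.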


Why be serious about intrusion?

Every organization using information systems must take information security seriously. The fact that information security is a discipline that relies on experts in addition to technical controls to improve the protection of an organization’s information assets cannot be overemphasized. Most organizations solely implement perimeter-based security solutions, even though the greatest threats are from internal sources. Additionally, companies implement network-based security solutions that are designed to protect network resources, despite the fact that the information is more often the target of the attack. ID/PSs can supplement protection of network and information systems by rejecting the future access of detected attacks and by providing useful hints on how to strengthen the defense.

Cryptographic methods have their own problems. Passwords can be cracked, users can lose their passwords and entire crypto-systems can be broken. Even a truly secure system is vulnerable to abuse by insiders who abuse their privileges. In order to understand the need for new advanced ID/PSs, a deeper look into the reported data breaches is required. According to Kouns et al. (2009), the total number of incidents that occurred during the last year was about 436, which affected about 218,756,349 records from different organizations and companies.

International Security Computer Day
With each passing day, Internet-based businesses that operate 24/7 are becoming more and more popular. This phenomenon is causing large numbers of people to integrate the Internet, smartphone, and even smart appliances into their lives.

“USBs are the devil. They just are.” — overheard at Secure World Atlanta

Conclusion and future recommendations:

Today’s interrelated computer network is a dangerous realm, filled with people that have millions of man-hours available to employ against the strongest of security strategies. The only way to beat them is to know when they are attempting an attack and counter their attempts.

Strategy is the key and selecting the right ID or prevention system will be instrumental in ensuring that an enterprise’s networks and systems remain secure. As security incidents become more numerous, ID/PS and supporting tools are becoming increasingly necessary. These intelligent ID/PSs and tools should use a combination of several intelligent techniques from the subject areas of autonomic computing, machine learning, artificial intelligence and data mining to assist them to determine what qualifies as an intrusion, versus normal activity, by building a knowledge base which grows as and when new facts or knowledge come to light.

Don’t Forget This Year’s ‘Tech Talks’ in UITM’S

DATA SECURITY

ISSUE 2, DEC 6, 2019

Information security management and the human aspect in organizations

Harrison Stewart
Jan Jürjens

Introduction: The rapid growth of information technology (IT) has increased security risks in both industrial and financial sectors. Currently, human activity is considered the most critical factor in the management of information security.

Information security risks related to human activity are observed in employees from large- and medium-sized businesses where employees violate company security policies or personally engage in security theft (Vance et al., 2013).

These issues occur because of various factors such as poor information security awareness among employees, poor employee information security training and poorly managed teams. These factors are major threats to a company’s information security. Compliance to a company security policy and frequent information security training of employees can positively impact the human aspects of security.

In some organizations, the human resource department plays a major role in IT security by checking, controlling and redirecting employee conduct toward successful information security management. Simply put, human resource departments are managed by an organization’s management board, and the management board is responsible for planning, acquisition, information security training, as well as directing human activities, in the business domain. This indicates that the management board is responsible for controlling and directing these activities to enhance the awareness of information security among employees.

Although senior management alone cannot guarantee successful risk management, it is essential for senior management individuals to execute and control information security activities. Organizational security policies are sets of rules and regulations that govern an organization’s network, and they are intended to prevent fraud and embezzlement (Compston, 2009). These policies ban criminal activities – for example an employee hacking into a computer system or network, employees visiting inappropriate websites or the stealing of company software by/or enabled by employees.


“To competently perform rectifying security service, two critical incident response elements are necessary:
information and organization.”
― Robert E. Davis

Human role in information security

Other studies have also demonstrated that many organizations neglect the centrality of human behavior in information security management, and that this has caused failures in information security. Webb et al. (2014) proposed a situation-aware information security risk management (SA-ISRM) model to supplement the ISRM procedure; however, their model was only focused on the deficiencies of ISRM. Here, the researchers neglected security policy compliance based on individual employees. Li et al. (2010) argued how recent studies on information security management have neglected the perceived benefit of degenerate behavior, individual norms and organizational settings.

They also recommended the significance of considering compliance decisions as driven by a cost–benefit analysis,
limited by individual standards and organizational setting factors. Therefore, their work did not cover all the
elements of human behavior and social structure in the organization, such as human ability, culture, information
security management, top personnel, technology and how all these factors interrelate and work together. Here, we
emphasize that both Li et al. (2010) and Webb et al. (2014) indicate the limitations of a number of theory-based
empirical studies on employee security policy compliance that we address in this study.

Technology role in information security

Numerous studies have investigated cyber-attack prevention. According to Li et al. (2009), limited countermeasures are available to prevent cyber-attacks. Mirkovic and Reiher (2005) proposed the source-end defense points.


Chen and Hwang (2006) also proposed the core-end defense techniques, while Wang et al. (2007) proposed the casualty end protection, and Seo et al. (2013) proposed the versatile probabilistic filter planning. All the above countermeasures have been developed to prevent flood attacks, but none were aimed at employees. Other traditional techniques such as cryptography and firewalls have also been proposed as distinct options to avoid intruders and maintain data confidentiality, integrity and authentication (CIA) (Wright et al., 2004).

According to Singh et al. (2013), technology is not capable of providing a dependable answer for hierarchical information security needs and challenges. Werlinger et al. (2009) recommended that, to overcome the constantly challenging issues of information security management, it is important that in combination with a technical approach, employee and organizational factors should also be addressed.

“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”
― Stephane Nappo

The financial impact on information security

According to Safa and Ismail (2013), information security breaches cause financial costs for organizations and affect organization reputation. In addition to adopting technology-based solutions, appropriate data security conduct can mitigate the risk of information security breaches in an organization. Abawajy (2014) determined the important role of security compliance awareness among employees, such as conduct and behavior, during a study on security risk mitigation. However, both researchers neglected human ability, culture, information security management, technology and how all these variables interrelate and need to be addressed efficiently in an organization. Kritzinger and von Solms (2010) held a workshop where they divided users into home and organizational environments to confirm the important role that both groups play in security awareness.

However, Kritzinger and von Solms (2010) based their study on private and public behavior, but neglected culture, familiarity, management, technology and how all these factors interrelate and work together. Safa et al. (2015) found that knowledge of information security is linked to better understanding, familiarity and capacity to manage and overcome crises.


Misuse of information security knowledge sharing

The misuse of information security resources has been recognized in numerous studies as a significant problem, often identified during information security mitigations. This supports the hypothesis found in other studies that assessed employee behavior, that workers often take part in inappropriate behaviors that increase security risks. These findings caused many organizations to concentrate on placing impediments and preventative systems such as sanctions on employees for the misuse of computers. Straub and Nance (1990) explored how to detect computer abuse and how to sanction employees. They advised organizations to sanction employees severely to prevent other employees from conducting the same or similar activities.

Willison (2006) studied the impacts of employee misbehavior and subsequent risks for information security by using rational decision and crime preventive methodologies to explore the relationship between the culprit and the context. According to Willison, organizations need to concentrate on the inappropriate behavior of employees in various levels and enforce preventive measures to decrease employee behaviors that increase information security risks.

“You are an essential ingredient in our ongoing effort to reduce Security Risk.”
― Kirsten Manthorne

A study by Lee and Lee (2002) focused on the deterrence hypothesis along with social speculations to clarify the impact of information security management, information security programs and organizational factors. Lee and Lee (2002) analyzed both insider and outsider information security abuse by evaluating organizational factors and the causes of the security abuse. They determined that the improvement of social networks via organizational factors could eliminate the misuse of information systems in an organization.

However, Lee and Lee based their work on how social relationships and traditional counter-measures impact the decision process of employees that misuse computers by using the general deterrence theory (GDT) for guidelines (e.g. as in the work of Straub and Nance, 1990). The GDT is a basis for security awareness, security training and education and minimizes cost (Beccaria, 1963); however, it comes with some limitations and needs to be enhanced and revised. GDT also neglects the interrelationship between technology and humans.


Information security management standards

Siponen and Vartiainen (2004) analyzed BS7799, PCI BS, ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM to determine and compare how international information security management guidelines play a key role in managing and confirming the organizational information security. They realized that those listed guidelines were too generalized and neglected the verification of the difference in information security requirements in various organizations.

Furthermore, these guidelines were not meant for international information security standards because of their general practices in nature. Owing to these shortcomings, they recommended that information security management guidelines should be seen as “a library of material for information security management for specialists” (Siponen and Vartiainen, 2004).

An empirical study was conducted by Kotulic and Clark (2004) in the sector of security risk management (SRM) where they proposed a conceptual model to enhance SRM on organizational level. However, their model was not able to detect and specify information systems security.

According to Baskerville (1993), computer misuse (i.e. use for purposes other than that intended by the company, such as recreational activities) is the main cause of information security risk, and they recommended that information security experts and IT managers should implement systems that will detect information security abuse and specify information systems security. Despite the fact that the vast majority of the data security literature focuses on sanctions and technology-based solutions, little data are available on the roles management boards, employee information security training and collaboration play in information security management.

The current study will not only evaluate technology and the responses of individual employees but will also target individual managers because they are responsible for the proper implementation of security compliance. Our study further analyzes organizational culture, collaboration, employee familiarity with security management, managing director skills, governance, leadership, records management, information access, communication, compliance, technology and how all these factors interrelate and work together.

Big data is rapidly changing the face of the global economy. In the fast growing landscape of network-based data analytic processes and services, enterprises and industries with an important real-time presence have faced or will face a data breach which is the result of the data collection and the use of big data. As more consumer and organization information is digitized and collected for data analytics, the potential for cyber threats and cyberattacks also increases. A large amount of consolidated data can easily be appealing for cybercriminals, especially when such consolidated data may comprise a consumer’s and company’s proprietary data or customers’ personal and/or financial data.

Traditionally, the most pressing cyber threats appear from emailed attachments and downloads. Recently, cyberattacks are increasingly stealing or compromising data and carry the potential for physical damage to critical infrastructure. The risks of data breach or compromised data collection are often favored by potential financial benefits (e.g., blackmail, fraud, false information, intellectual property thefts, business competition) [9–11].

That is, an important factor for current and future economical investments is due to the motivation of cybercrime activities. Big data security breaches can result in serious legal consequences and reputational damage for companies, often more severe than those caused by breaches of traditional data. The impact is far-reaching in industries, including energy, finance and insurance organizations, equipment manufacturing and automobiles that traditionally have not played a big role in the information ecosystem. Big data brings with it tremendous promise in the form of exciting innovations, new revenue generation streams, and even revolutionary treatments for life-threatening diseases.

This is why most organizations go to great lengths to invest and protect themselves and their consumers from privacy concerns, cybersecurity risks, IP registrations, and public-relations risks, the mechanisms/algorithms, and devices used to analyze the big data.

To deal with this, national agencies and security specialized companies need to consider new IT risk appraisal methods. The methods may focus on cost–benefit compromises based on analytical models describing potential losses and benefits for big data and their users (such as cloud providers, financial sectors, market participants, healthcare providers).

Economic perspective Analysis

In this section, the author analyzes the economic perspective of cybersecurity, particularly data security and privacy. We also discuss economic reasons for insecurity and lack of privacy and economic countermeasures. The economics of privacy, on the other hand, involve the economic considerations that a corporation or individual takes to safeguard their assets. This would include the investment consideration necessary to purchase the security infrastructure, the profitability impact of the assets to the bottom line and availability of the necessary supporting resources such as a workforce that is security-aware. Therefore, the economics of privacy, on the other hand, involve the proper collection, processing and storage of personally identifiable information, online activity of web users and any information not suitable for public access. Online privacy is a sensitive issue in the 21st century. Private information is extremely valuable, especially on the black market.

Intellectual property has become a major competitive advantage in the current age of information. Recent research has revealed that at least 80% of the value of Fortune 500 companies is mainly comprised of intellectual property. More and more assets are being digitized as corporations seek to embrace the digital age. However, this has brought with it a new risk front. It is now easier to suffer an attack through digital means than it was in the past when attacks involved physical compromises to company premises. To fix this unfortunate situation, global forums and institutions focused on the security of cyber-infrastructure have taken to creating rules that every player needs to adhere to so as to uphold the security and privacy of third parties that they interact with.

According to Shackelford, they have carried out two investigative studies of the economics of investment decisions for big data security and privacy, covering the financial industry and the pharmaceutical and healthcare industry. They also give a comparison between the financial and pharmaceutical industries. Finally, they show how much a cybersecurity organization should invest. In the economics of investment decisions for big data security and privacy, the researchers present the study of the financial industry, pharmaceutical and healthcare, a comparison between the financial and pharmaceutical industries, and how much a cybersecurity organization should invest.

Economic perspective of using tools for security and privacy of big data against threats

The economic perspective of implementing information security solutions together with security tools and policies is a complex and costly objective. However, the economic perspective of not implementing a data security solution may be a harmful approach that may not only allow a lot of data breaches to take place, but also financially implicate the people who are affected. Although big data security may be a moving target, it is the responsibility of each organization to make it a high priority. In this section, we discuss some tools used to analyze and secure big data, the price of implementing security and privacy tools for big data, the economic perspective of data breaches when not implementing security tools, and the economic cost of not using tools in big data. Big data characteristics have raised issues concerning the anonymity of the information collected and the security of such data. Big data analytics and security software systems such as Cybereason and Fortscale (now a part of RSA NetWitness) are essential to successfully securing big data (Sullivan). Moreover, the importance of developing and adhering to rules and regulations that protect big data has reached global attention which cannot be ignored without large financial implications.

A big data analytics security product should be ready to ingest large amounts of data from numerous devices like servers, endpoints, and any other networked device that has access to the information. These applications should additionally offer a unified data management solution, support different kinds of data, flows and logs, and supply clear compliance reporting. The top two database security and analytic applications are Cybereason and Fortscale. Each application provides different features and capabilities targeted for a specific solution. For example, Cybereason employs “sensors that run-in user-space of end-point operating systems”, allowing the collection of data while minimizing end-user disruption. A solution like Fortscale employs statistical analysis and machine learning which automatically adapt to changes in the security environment. Fortscale’s machine learning algorithms allow it to detect changes and update its sets of rules without human intervention.

The increased media coverage of data breaches and the continued number of threats has forced the topic of data protection to be one of the most discussed subjects in technology. Audit committees, shareholders and end-users expect to have their data protected from unauthorized access. It is important to note that the implementation of data protection, which includes the use of specialized software tools as well as the development and enforcement of policies and procedures, has been a topic for many years. However, the difference now is value. The value in securing data is at an all-time high.

Cybercrime insurance for security and privacy of big data

Cybersecurity liability insurance is rapidly benefiting businesses where customer data security and privacy are associated. Most businesses now rely on computers that are linked to the internet and are therefore at data security and privacy risk of cyberattacks by hackers. Potential financial benefits are a frequent driver of cyber attackers or malicious actors committing data breaches and data exfiltration. As the number of security threats, attacks and breaches increases, the risk to businesses is increasing. While some of the negative impacts of a data breach cannot be completely mitigated, for example loss of goodwill, some can be, such as financial loss. Using cybercrime insurance, enterprises can protect themselves from the financial impact of data exfiltration. This paper overviews the economic perspectives of how cybercrime insurance can address today’s risks around security and privacy protection of big data needs.

Insurance coverage

The exact terms of cybercrime insurance coverage vary depending on the insurance provider. Many providers offer similarly structured policies. The insurers are taking a broad, forward thinking approach to cover clients as cyberattacks continue to become more advanced. Cyber insurance policies are security and privacy liability, and breach event cost coverage. In the USA, some businesses take the first-party insurance liability or third-party insurance liability. The first-party insurance liability protects the business for forensic analysis expense of deciding how the data breach happened and status needed notice to consumers.

Third-party insurance permits safety for lawsuits and fines for revelation of consumers’ privacy data. It appears that conventional liability insurance often omits cybersecurity liability insurance; therefore, distinct insurance protection is essential to safeguard the businesses in the case of cyberattacks. Security and privacy liability cover third parties for damages that resulted from security or privacy breaches. These events include:

• The third party’s failure to protect an individual’s information and specifically focuses on the loss, theft, or unauthorized disclosure of the information.
• The destruction of the individual’s data by the third party.
• The third party’s failure to disclose a breach in timely manner.

Overall, in this article the author has discussed several topics and conducted an investigation of the economic perspectives of big data security and privacy to protect big data in a secure, private, and most effective manner. It has also analyzed economic aspects from several perspectives: the economic perspective of big data security and privacy, investment decisions, fighting cybercrimes through big data, and cyber insurance for big data. This paper will help to understand the importance and the cost spent for data security and privacy in practice. Exploring each of the areas presented in this paper needs further detailed analytical results and tools, which will be our future work.

Advancements in telecommunications and computer technologies and the associated reductions in costs have led to an exponential growth and availability of data, both in structured and unstructured forms. The related phenomenon known as big data involves various costs, benefits and externalities. According to the author, big data is “high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making” (gartner.com, 2013). Big data is becoming a key source of firms’ competitive advantages and national competitiveness.

Sometimes, big data’s characteristics are tightly linked to privacy, security and effects on consumer welfare, which have attracted the attention of scholars, businesses and policy makers. For instance, a huge amount of data means that security breaches and privacy violations are likely to lead to more severe consequences and losses via reputational harm, legal liability, ethical harms and other problems, which is also referred to as an amplified technical impact (ISACA, 2014).

1.0 Benefits, costs, and externalities of big data.

Big data requires that numerous costs, benefits and externalities be considered. Big data clearly incorporates a variety of personal advantages and positive externalities. There are also social and economic costs and negative externalities.

In terms of social and economic benefits and positive externalities, data can help enhance economic efficiency, improve access to social services, strengthen security, personalize services and increase the availability of relevant information and innovative platforms for communications (Kang, 1998; Smolan & Erwit, 2012). For instance, mapping apps provide drivers with real time information about road congestions, which would allow them to select efficient routes.

Big data can make organizations more efficient by improving operations, facilitating innovation and adaptability and optimizing resource allocations. Therefore, big data also can improve the performance of services provided by government agencies (Lane et al., 2014). For example, big data help law enforcement agencies to deploy resources more efficiently, respond quickly and increase presence in crime prone areas (Kang, 1998).

Furthermore, in terms of social and economic costs and potential negative externalities, the creepy factor of information that may be too intrusive and invasive to personal privacy has been a concern. It is possible to use non-personal data to make predictions of a sensitive nature such as sexual orientation and financial status (Daniels, 2013). Big data may help firms come up with better advertising/promotional programs and persuasion attempts, which sometimes could be predatory.

Characteristics of big data in relation to privacy, security and consumer welfare

According to Mayer-Schonberger and Cukier (2013), despite its widespread use, there is no rigorous and universally accepted definition of big data. Einav and Levin (2013) noted that big data involves the availability of data in real time, at larger scale, with less structure, and on different types of variables than previously used. Regarding data sharing and accessibility issues, outsourcing to CSPs and utilization of other third party tools, services and applications are critical for creating and capturing value. A major consideration is possible security breaches associated with outsourcing. According to Trustwave, 64% of security breaches in 2012 involved outsourcing providers (IFM, 2013). Since most organizations are not in a position to build a complete big data environment in-house (Wood, 2013), a reliance on CSPs becomes inevitable for analytical, storage and other needs. Information stored in the cloud is a potential gold mine for cybercriminals. Storing data in the cloud does not remove organizations’ responsibility for protecting both from regulatory and reputational perspectives (Wood, 2013).

The characteristics of big data in relation to privacy, security and consumer welfare are the following:

• Volume

An organization is often required to store all data in one location in order to facilitate analysis. The higher volume and concentration of data makes a more appealing target for hackers. Moreover, a higher data volume increases the probability that the data files and documents may contain inherently valuable and sensitive information. Information stored for the purpose of big data analytics is thus a potential goldmine for cybercriminals, which, as noted earlier, leads to an amplified technical impact (ISACA, 2014).

A huge data volume is also related to the demand or even the necessity of outsourcing. An issue of more pressing concern is determining relevance within large data volumes and how to use analytics to create value from relevant data. Firms may thus rely on CSPs (Content security policies) for analytic solutions.

There are also positive and negative welfare effects of huge data volume. Using such data, a firm can offer distinct products to different groups through quality discrimination or versioning and charge differential pricing (Clemons and Hitt, 2000 and Varian, 1997), which is especially effective for information goods, for example books, journals, computer software, music and videos.

Collection or storing volume:

• High data volume would likely attract a great deal of attention from cybercriminals.
• Amplified technical impact
• Violation of transparency principle of FIPs.
• Likely to provide a set of information about the consumer required for a more advanced form of price discrimination

Velocity

Various examples of high-velocity or fast data were discussed earlier. The quickly degrading quality of real-time data is noteworthy (scaledb.com, 2012). In particular, clickstream data (clickpaths), which constitute the route chosen by visitors when they navigate through a site, is typically collected by online advertisers, retailers, and ISPs. The fact that such data can be collected, stored, and reused indefinitely poses significant privacy risks (Skok, 2000). Some tracking tools can manipulate clickstreams to build a detailed database of personal profiles in order to target Internet advertising (CDT, 2000). An important use of big data is real-time consumer profile-driven campaigns such as serving customized ads.

This process often involves passive data collection without any overt consumer interaction. Therefore, the lack of individual consent for the collection, use, and dissemination of such information means that such a practice violates the individual participation principle of FIPs (Teufel, 2008).

Collection or storing velocity:

• Increasing consumer concerns over privacy in the context of behavioral advertising based on real-time profiling and tracking technologies such as cookies.
• Violation of the individual participation principle of FIPs.

Variety

Variety refers to structured and unstructured data from multiple sources, from which firms can uncover hidden connections between seemingly unrelated pieces of data. In addition to the amount, a high variety of information in big data makes it more difficult to detect security breaches, react appropriately and respond to attacks (freepatentsonline.com, 2003).

Variety also means that data comes in multiple formats, such as structured, numeric data in traditional databases and unstructured text documents, e-mail, video, audio and financial transactions.

Variability

Variability is related to the time-variant nature of security and privacy risks. The volume of data collected and stored, which needs protection, will grow during the peak data collection and flow periods. It is during such periods that organizations may lack internal capacity and tools to manage and protect information.

Variability also means that data flows can vary greatly with periodic peaks and troughs. These are related to social media trends, daily, seasonal and event-triggered peak data loads and other factors.

Collection or storing variability:

• Organizations may lack capabilities to securely store huge amounts of data and manage the collected data during peak data traffic.
• Attractiveness as a crime target increases during peak data traffic.

Complexity

Big data often constitutes aggregated data from various sources that are not necessarily identifiable. There is thus no process to request the consent of a person for the resulting data, which is often more personal than the set of data the person would consent to give (Pirlot, 2014).

A related privacy risk involves re-identification. It is possible to use a data aggregation process to convert semi-anonymous or certain personally non-identifiable information into non-anonymous or personally identifiable information (ISACA, 2014).

Data comes from multiple sources which require linking, matching, cleansing and transforming across systems.

Collection or storing complexity:

• Resulting data is often more personal than the set of data the person would consent to give.
• Data collected from illicit sources is more likely to have information on technologically less savvy consumers, who are likely to suffer a more negative welfare effect than technologically more savvy consumers.

Discussion

To sum up, this topic discussed the explicit connections of privacy, security and welfare with key dimensions of big data and linked them with collection, storing, sharing and accessibility issues. It has demonstrated how risks associated with owning and storing data are likely to increase with the size, variety and complexity of data. For instance, the extent and nature of risks involved differ across data types (for example, risk is often high in unstructured data), source of data (risks are higher for data obtained from illicit sources) and volume of data.

In terms of big data's impact on privacy, security and consumer welfare, a firm is subject to higher risks during peak data traffic periods. In order to create value from big data, it is important to share and make data accessible to various entities. However, an organization is often responsible for any wrongdoing by third parties and various user types such as permanent and temporary employees and business partners.

Big data has some intrinsic features that are tightly linked to a number of privacy, security and welfare concerns. Moreover, these concerns are linked with the collection and storing of data as well as data sharing and accessibility by third parties and various user types. Overall, firms' uses of big data raise a wide range of ethical issues because they may lead to potential exploitation of consumers and disregard for their interests, and sometimes firms even engage in deceptive practices.

Big data is likely to affect the welfare of unsophisticated, vulnerable and technologically unsavvy consumers more negatively. Such consumers may lack awareness of multiple information sources and are less likely to receive up-to-date and accurate information about multiple suppliers in a manner that facilitates effective search and comparisons. They are also not in a position to assess the degree of sensitiveness of their online actions and are more likely to be tricked by illicit actors.

