Abstract

To ensure that their stakeholders' privacy concerns are addressed systematically from the early development phases, organizations can perform a privacy enhancement of the system design. Such an enhancement needs to account for three crucial types of input: first, the risks to the rights of natural persons; second, the interrelations and dependencies among the privacy controls; and third, the trade-offs regarding the costs of those controls. Despite the many existing privacy enhancing technologies and catalogs of privacy controls, there has been no systematic methodology that supports privacy enhancement based on these three types of input. In this paper, we propose a methodology for the coherent privacy enhancement of a system design model. We consider an extensive variety of privacy controls, including privacy design strategies, privacy patterns, and privacy enhancing technologies. By representing these controls as privacy features, we make their interrelations and dependencies explicit in a feature model. To identify an adequate selection of controls, we leverage a model-based cost estimation approach that analyzes the associated costs and benefits. We further demonstrate how the selected features can be integrated into the system model by applying reusable aspect models, which encapsulate the required changes to the system design. We evaluated our methodology on three practical case studies.
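The abstract's central point is that control selection has to respect the dependencies and exclusions among privacy features, because a control that looks cheap in isolation may pull in other controls or rule out alternatives. The following Python block is an added illustration, not code from the paper or its tooling: it encodes a constructed, hypothetical catalog of privacy features with `requires`/`excludes` constraints, assumed cost units, and the risks each one mitigates (benefit is modelled simply as risk coverage, which is an assumption of this example, not the paper's cost model). It then contrasts a naive per-risk cheapest pick, which violates the feature model, with an exhaustive search for the cheapest consistent selection.

```python
"""Toy feature-model-based selection of privacy controls.

Added illustration only (not the paper's method or tooling). Feature names,
costs, risk identifiers and constraints below are constructed for the example.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Feature:
    name: str
    cost: int                              # assumed abstract cost units
    mitigates: frozenset                   # risk identifiers this control addresses
    requires: frozenset = frozenset()      # features that must also be selected
    excludes: frozenset = frozenset()      # features that must not be selected


# Constructed sample catalog (hypothetical names, costs and constraints).
CATALOG = {
    "pseudonymize": Feature("pseudonymize", 3, frozenset({"R1"}),
                            requires=frozenset({"key_mgmt"})),
    "key_mgmt": Feature("key_mgmt", 4, frozenset()),
    "encrypt_at_rest": Feature("encrypt_at_rest", 2, frozenset({"R2"}),
                               requires=frozenset({"key_mgmt"})),
    "data_minimize": Feature("data_minimize", 5, frozenset({"R1", "R3"})),
    "full_audit_log": Feature("full_audit_log", 1, frozenset({"R3"}),
                              excludes=frozenset({"data_minimize"})),
}


def is_consistent(selection, catalog):
    """True if every 'requires' is satisfied and no 'excludes' is violated."""
    for name in selection:
        f = catalog[name]
        if not f.requires <= selection:
            return False
        if f.excludes & selection:
            return False
    return True


def covered_risks(selection, catalog):
    risks = set()
    for name in selection:
        risks |= catalog[name].mitigates
    return risks


def total_cost(selection, catalog):
    return sum(catalog[n].cost for n in selection)


def naive_selection(catalog, required_risks):
    """Per-risk cheapest control, ignoring the feature model's constraints."""
    chosen = set()
    for risk in required_risks:
        candidates = [f for f in catalog.values() if risk in f.mitigates]
        chosen.add(min(candidates, key=lambda f: f.cost).name)
    return frozenset(chosen)


def cheapest_selection(catalog, required_risks):
    """Exhaustively search for the cheapest consistent selection that covers
    all required risks. Returns (cost, selection) or None if none exists."""
    names = sorted(catalog)
    best = None
    for k in range(len(names) + 1):
        for combo in combinations(names, k):
            sel = frozenset(combo)
            if not is_consistent(sel, catalog):
                continue
            if not required_risks <= covered_risks(sel, catalog):
                continue
            cost = total_cost(sel, catalog)
            if best is None or cost < best[0]:
                best = (cost, sel)
    return best


if __name__ == "__main__":
    risks = {"R1", "R2", "R3"}
    naive = naive_selection(CATALOG, risks)
    print("naive:", sorted(naive), "cost", total_cost(naive, CATALOG),
          "consistent:", is_consistent(naive, CATALOG))
    print("best :", cheapest_selection(CATALOG, risks))
```

On this catalog the naive pick (pseudonymize, encrypt_at_rest, full_audit_log) costs 6 but is inconsistent, since two of those features require key_mgmt; the cheapest consistent selection adds key_mgmt and costs 10, and the exclusion between full_audit_log and data_minimize prunes the alternatives. Exhaustive enumeration is fine for a handful of features; for a realistic catalog the same constraints would be handed to a SAT or ILP solver.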
