Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Discovering Constructs and Dimensions for Information Privacy Metrics
Stockholm University, Faculty of Social Sciences, Department of Computer and Systems Sciences. (SecLab)
2013 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Privacy is a fundamental human right. During the last decades, in the information age, information privacy has become one of the most essential aspects of privacy. Information privacy is concerned with protecting personal information pertaining to individuals.

Organizations, which frequently process the personal information, and individuals, who are the subjects of the information, have different needs, rights and obligations. Organizations need to utilize personal information as a basis to develop tailored services and products to their customers in order to gain advantage over their competitors. Individuals need assurance from the organizations that their personal information is not changed, disclosed, deleted or misused in any other way. Without this guarantee from the organizations, individuals will be more unwilling to share their personal information.

Information privacy metrics is a set of parameters used for the quantitative assessment and benchmark of an organization’s measures to protect personal information. These metrics can be used by organizations to demonstrate, and by individuals to evaluate, the type and level of protection given to personal information. Currently, there are no systematically developed, established or widely used information privacy metrics. Hence, the purpose of this study is to establish a solid foundation for building information privacy metrics by discovering some of the most critical constructs and dimensions of these metrics. 

The research was conducted within the general research strategy of design science and by applying research methods such as data collection and analysis informed by grounded theory as well as surveys using interviews and questionnaires in Sweden and in Sri Lanka. The result is a conceptual model for information privacy metrics including its basic foundation; the constructs and dimensions of the metrics. 

Place, publisher, year, edition, pages
Kista: Department of Computer and Systems Sciences, tockholm Univeristy , 2013. , 169 p.
Series
Report Series / Department of Computer & Systems Sciences, ISSN 1101-8526 ; 13-003
Keyword [en]
Information privacy, Privacy metrics, Data protection, Personal information
National Category
Computer and Information Science
Research subject
Computer and Systems Sciences
Identifiers
URN: urn:nbn:se:su:diva-89336ISBN: 978-91-7447-637-8 (print)OAI: oai:DiVA.org:su-89336DiVA: diva2:617312
Public defence
2013-06-10, sal C, Forum 100, Isafjordsgatan 39, Kista, 13:00 (English)
Opponent
Supervisors
Funder
Sida - Swedish International Development Cooperation Agency
Note

At the time of the doctoral defense, the following paper was unpublished and had a status as follows: Paper 6: Accepted.

Available from: 2013-05-16 Created: 2013-04-22 Last updated: 2013-05-15Bibliographically approved
List of papers
1. Attitudes toward Privacy amongst Young International Academics
Open this publication in new window or tab >>Attitudes toward Privacy amongst Young International Academics
2006 (English)In: Innovations for a Knowledge Economy: Proceedings of the 8 th International Information Technology Conference IITC2006 Colombo Sri Lanka, 2006, 66-72 p.Conference paper, Published paper (Refereed)
Abstract [en]

Article 17 and 25 of the EU Directive 95/46/EC, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, state that the nature of the data should be taken into account in determining the appropriate level of security for processing and transferring personal data. Except Article 8, which mentions special category of personal data called sensitive data, the directive is silent on the nature of the data. The main objective of this study was to identify the relationship between the level of protection required for the personal data and the nature of the data. Another aspect of this study was to identify under what circumstances individuals were willing to compromise their information privacy. A survey was conducted among young academics in the field of information and communication technology. The participants demanded a higher level of protection for their bank account details, credit and debit card transaction details, income tax details, medical reports on serious illnesses, credit report details and general medical reports. On the other hand, age, both academic and professional qualifications, marital status, hobbies and occupations were considered as low privacy concerned items. Other interesting finding was that the participants prefer to compromise their privacy for public safety and health care rather than compromise their privacy for national security. A large number of participants were not willing to compromise their privacy for research activities. More than one third of the participants were willing to pay for privacy enhancing technologies while one third of the participants were willing to compromise their privacy for short term financial benefits. Even though article 8 of the EU Directive 95/46/EC imposes strict rules for processing sensitive data, the participants did not demand much protection for such data. This study shows the importance of introducing sector specific guidelines for personal data protection. It also highlights the demand for more user friendly privacy enhancing technologies and more privacy awareness among the future driving forces of the Information Technology.

Keyword
Privacy, Information privacy, Data protection
National Category
Computer and Information Science
Identifiers
urn:nbn:se:su:diva-89823 (URN)955-8974-04-8 (ISBN)
Conference
International Information Technology Conference (IITC)
Available from: 2013-05-11 Created: 2013-05-11 Last updated: 2013-05-15Bibliographically approved
2. Workplace Communication Privacy in the Digital Age
Open this publication in new window or tab >>Workplace Communication Privacy in the Digital Age
2005 (English)In: Will IT matte? The role of IT in development: Proceedings of the 7th International Information Technology Conference, 2005, 8-16 p.Conference paper, Published paper (Refereed)
Abstract [en]

This paper attempts to lay the foundation for future research into an area that has been called the “hottest workplace privacy topic of the next decade.” The existing empirical studies and the literature reviewed of this area suggest that the latest intrusive monitoring technologies which have been introduced to the current workplace has undoubtedly created an unwanted and  nexpected imbalance and developed a wide gap in the 21st century employer/employee relationship. The paper argues for the introduction of privacy enhancing technologies empowered with legal instruments in protection of workplace privacy. In addition, the paper is of the view that employees’ awareness and training on workplace privacy policy developments are decisive factors to achieve this objective and this in turn creates trust and confidence and beneficial to both employees and employers in the current workplace. The paper proposes a contractarian framework to protect employers’ interests and employees’ on-line rights. This paper suggests that employees’ views and opinions are more important in computer monitoring to develop a privacy policy in the workplace. To attain these objectives an empirical survey was conducted in five government sector organizations in Sri Lanka to gather factual information and to examine attitudes, beliefs and opinions on computer monitoring. The results of the study could be used as a guide for policy-makers and for legislatures involved in drafting privacy legislation, and  ssociated policies relevant to the Sri Lankan workplace.

National Category
Computer and Information Science
Identifiers
urn:nbn:se:su:diva-89824 (URN)955-8974-03-x (ISBN)
Conference
The 7th International Information Technology Conference
Available from: 2013-05-11 Created: 2013-05-11 Last updated: 2013-05-15Bibliographically approved
3. Towards Bridging the Knowledge Gap between Lawyers and Technologists
Open this publication in new window or tab >>Towards Bridging the Knowledge Gap between Lawyers and Technologists
2008 (English)In: International Journal of Technology Transfer and Commercialisation, ISSN 1470-6075, E-ISSN 1741-5284, Vol. 7, no 1, 34-43 p.Article in journal (Refereed) Published
Abstract [en]

Although Information and Communication Technology (ICT) has made our lives more comfortable, it has also increased threats to our privacy by making the processing and storing of personal information more convenient and economical. Consequently, a huge demand has been created for the proper handling of personal information. Some countries have introduced data protection and privacy legislation measures to ensure the proper handling of personal information. Data controllers deploy organisational and technological measures to protect personal information. Technologists are then involved in designing, implementing and operating these measures to a great extent. It has been shown, however, that a knowledge gap exists between legal privacy advocates and technologists who protect personal information. In order to hold a healthy dialogue, a common platform must be created for technologists and legal privacy advocates. This paper proposes a methodology for bridging the knowledge gap between technologists and legal privacy advocates. This platform facilitates a way for both parties to have a fruitful dialogue.

Keyword
information privacy; information security; information technology; legal understandability; legal information; IT law; ICT; personal information; data protection; legal privacy
National Category
Computer and Information Science
Identifiers
urn:nbn:se:su:diva-89898 (URN)10.1504/IJTTC.2008.020695 (DOI)
Available from: 2013-05-14 Created: 2013-05-14 Last updated: 2017-12-06Bibliographically approved
4. The Principle of Security Safeguards: Accidental activities
Open this publication in new window or tab >>The Principle of Security Safeguards: Accidental activities
2008 (English)In: Proceedings of the ISSA 2008 Innovative Minds Conference, 2008, 81-98 p.Conference paper, Published paper (Refereed)
Abstract [en]

The principle of information security safeguards is a key information principle contained in every privacy legislation measure, framework, and guideline. This principle requires data controllers to use an adequate level of safeguards before processing personal information. However, privacy literature neither explains what this adequate level is nor how to achieve it. Hence, a knowledge gap has been created between privacy advocates and data controllers. This paper takes a step to bridge the aforementioned knowledge gap by presenting an analysis of how data protection and privacy commissioners have evaluated the level of adequacy of security protection given to personal information in selected privacy invasive cases. This study addresses security measures used to protect personal information against accidental incidents. This analysis also lays a foundation for building a set of guidelines for data controllers on designing, implementing, and operating both technological and organizational measures used to protect personal information.

Keyword
Information privacy, information security, accidental disclosure, accidental loss, personal information
National Category
Computer and Information Science
Identifiers
urn:nbn:se:su:diva-89899 (URN)978-1-86854-693-0 (ISBN)
Conference
ISSA 2008 : Information Security South Africa (ISSA) Conference 2008
Available from: 2013-05-14 Created: 2013-05-14 Last updated: 2013-05-15Bibliographically approved
5. The principle of security safeguards: Unauthorized activities
Open this publication in new window or tab >>The principle of security safeguards: Unauthorized activities
2009 (English)In: The Computer Law and Security Report, ISSN 0267-3649, E-ISSN 1873-6734, Vol. 25, no 2, 165-172 p.Article in journal (Refereed) Published
Abstract [en]

The principle of information security safeguards is a key information privacy principle contained in every privacy legislation measure, framework, and guideline. This principle requires data controllers to use an adequate level of safeguards before processing personal information. However, privacy literature neither explains what this adequate level is nor how to achieve it. Hence, a knowledge gap has been created between privacy advocates and data controllers who are responsible for providing adequate protection. This paper takes a step toward bridging this knowledge gap by presenting an analysis of how Data Protection and Privacy Commissioners have evaluated the adequacy level of security protection measures given to personal information in selected privacy invasive cases. This study addresses both security measures used to protect personal information against unauthorized activities and the use of personal information in authentication mechanisms. This analysis also lays a foundation for building a set of guidelines that can be used by data controllers for designing, implementing, and operating both technological and organizational measures used to protect personal information.

Keyword
Information privacy, Information security, Data control, Privacy guidelines, Unauthorized data usage, Information systems design, Password/passphrase
National Category
Computer and Information Science
Identifiers
urn:nbn:se:su:diva-89900 (URN)10.1016/j.clsr.2009.02.012 (DOI)
Available from: 2013-05-14 Created: 2013-05-14 Last updated: 2017-12-06Bibliographically approved
6. TOWARDS BUILDING INFORMATION PRIVACY METRICS TO MEASURE ORGANIZATIONAL COMMITMENT TO PROTECT PERSONAL INFORMATION
Open this publication in new window or tab >>TOWARDS BUILDING INFORMATION PRIVACY METRICS TO MEASURE ORGANIZATIONAL COMMITMENT TO PROTECT PERSONAL INFORMATION
2010 (English)Other (Refereed)
Abstract [en]

Organizations want to protect the personal information of parties dealing with them and these parties are interested in the level of protection given to their personal information. However, there is no good mean to communicate organizational commitment to protect personal information to outsiders. Metrics, which are widely used for decision‐making purposes, are capable to bridge the gap. This paper proposes a methodology to build information privacy metrics (IPM). The methodology is based on design science principles and constructs are derived from surveys questions and information privacy and security protection measures.

National Category
Computer and Information Science
Identifiers
urn:nbn:se:su:diva-89901 (URN)
Note

This paper was accepted. The first part of the acceptance letter states "I am pleased to inform you that your full paper titled “Towards Building Information Privacy Metrics to Measure Organizational Commitment to Protect Personal Information” to the World Conference on Information Technology – 2010 has been accepted for oral presentation. Papers are oral presentations lasting 15 – 20 minutes, plus some time for questions. Your paper will be published in Procedia-Computer Science Journal (ISSN: 1877-0509) and at the same time indexed on the ScienceDirect, Scopus and Thomson Reuters Conference Proceedings Citation Index (Web of Science).

Available from: 2013-05-14 Created: 2013-05-14 Last updated: 2013-05-15Bibliographically approved
7. Taxonomy for Information Privacy Metrics
Open this publication in new window or tab >>Taxonomy for Information Privacy Metrics
2011 (English)In: Journal of International Commercial Law and Technology, ISSN 1901-8401, E-ISSN 1901-8401, Vol. 6, no 4, 194-206 p.Article in journal (Refereed) Published
Abstract [en]

A comprehensive privacy framework is essential for the progress of the information privacy field. Some practical implications of a comprehensive framework are laying foundation for building information privacy metrics and having fruitful discussions. Taxonomy is an essential step in building a framework. This research study attempts to build taxonomy for the information privacy domain based on empirical data. The classical grounded theory approach introduced by Glaser was applied and incidents reported by the International Association of Privacy Professionals (IAPP) are used for building the taxonomy. These incidents include privacy related current research works, data breaches, personal views, interviews, and technological innovations. TAMZAnalyzer, an open source qualitative data analysis tool, was used in coding, keeping memos, sorting, and creating categories. The taxonomy is presented in seven themes and several categories including legal, technical, and ethical aspects. The findings of this study helps practitioners understand and discuss the subjects and academia work toward building a comprehensive framework and metrics for the information privacy domain.

National Category
Computer and Information Science
Identifiers
urn:nbn:se:su:diva-89902 (URN)
Available from: 2013-05-14 Created: 2013-05-14 Last updated: 2017-12-06Bibliographically approved
8. Is your email box safe?
Open this publication in new window or tab >>Is your email box safe?
2010 (English)In: Journal of Information Privacy and Security, ISSN 1553-6548, Vol. 6, no 1Article in journal (Refereed) Published
Abstract [en]

Electronic mail (email) is a widely adopted communication mechanism often used for communicating sensitive and confidential information. Therefore, safeguarding the security of email communication has become an important issue. There are frequent media reports pertaining to security problems with email accounts. Therefore, studies on strengths, limitations, and possible improvements about email security are essential. This paper examined security and privacy protection mechanisms of four leading email service providers including Gmail, Yahoo Mail, Hotmail, and AOL Mail. A number of observations and experiments were conducted in order to understand existing security and privacy protection mechanisms of these providers. After that, this paper proposes some recommended protection mechanisms which can be implemented by service providers, system developers, and email users. This study also explores several research avenues for academia.

Keyword
Privacy, Security, Email
National Category
Information Science
Research subject
Computer and Systems Sciences
Identifiers
urn:nbn:se:su:diva-51942 (URN)
Available from: 2011-01-12 Created: 2011-01-12 Last updated: 2017-12-11Bibliographically approved
9. A Self Reflection on Privacy
Open this publication in new window or tab >>A Self Reflection on Privacy
2011 (English)Other (Other academic)
Abstract [en]

Privacy is very subjective and has been interpreted in a number of ways. Additionally, there are several paradoxes in the field. For example, a number of researches have shown a substantial gap between privacy attitude and related behaviors. These kinds of paradoxes hinder the progress of the field. One way of addressing these issues is studying privacy attitudes and underlying rationality behind these attitudes of individuals. This study presents this researcher’s frame of reference on privacy, with a special emphasis on information privacy. This paper explains privacy in religious, social, and legal contexts, reasons for privacy invasive behaviors, privacy protection means, and reasons for demanding privacy. The aim of this paper is to take a step in building a common understanding, which is essential in developing a global data protection regime. At the end, elaborating some real–world examples, this paper discusses the importance of information privacy for information system researchers. Furthermore, this paper invites the readership to compare and contrast their own views on privacy. 

Place, publisher, year, pages
Social Science Research Network (SSRN), 2011
National Category
Computer and Information Science
Identifiers
urn:nbn:se:su:diva-89903 (URN)
Note

Paper in Social Science Research Network (SSRN)

Available from: 2013-05-14 Created: 2013-05-14 Last updated: 2013-05-15Bibliographically approved

Open Access in DiVA

fulltext(1794 kB)1329 downloads
File information
File name FULLTEXT02.pdfFile size 1794 kBChecksum SHA-512
17b388cebe5c51d55a69d7a1906f7d18f4e870bcc354fa818a69bb506352500671f24fe853cbc334bd9e7a462ecdcd25a105708fbc296fb21a0024cb905a9b52
Type fulltextMimetype application/pdf

By organisation
Department of Computer and Systems Sciences
Computer and Information Science

Search outside of DiVA

GoogleGoogle Scholar
Total: 1329 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 784 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf