New article accepted for publication in IEEE Security & Privacy

The article “Eight Lightweight Usable Security Principles for Developers” by Peter Leo Gorski, Luigi Lo Iacono, and Matthew Smith has been accepted for publication in IEEE Security & Privacy. The article proposes eight usable security principles that give software developers a lightweight framework for integrating security in a user-friendly way. The principles are intended to help developers who must weigh usability against security, so that the resulting security mechanisms are more readily adopted.

Paper on an interview study with data protection officers on privacy challenges in digital ecosystems accepted for presentation at SPOSE 2022

The paper entitled “Data Protection Officers’ Perspectives on Privacy Challenges in Digital Ecosystems” by Stephan Wiefling, Jan Tolsdorf, and Luigi Lo Iacono has been accepted for presentation at the 4th Workshop on Security, Privacy, Organizations, and Systems Engineering (SPOSE 2022). The paper presents the results of an interview study with seven data protection officers from Germany on the challenges of implementing data protection requirements and data subject rights in digital ecosystems.

Jan Tolsdorf successfully defended his dissertation

Jan Tolsdorf successfully defended his dissertation entitled “Investigation of Information Privacy in Employment: Fundamental Knowledge and Practical Solutions for the Human-Centered Design of Measures to Preserve the Right to Informational Self-Determination in Employment” in Göttingen on 08 August 2022. His dissertation project was carried out as a collaboration between the DAS Group of Prof. Luigi Lo Iacono at H-BRS and the Computer Security and Privacy Research Group of Prof. Delphine Reinhardt at the University of Göttingen. There, Jan completed the PhD Programme in Computer Science at the Georg-August University School of Science. Congratulations!

Risk-Based Authentication (RBA) Studied on 3.3 Million Users: Paper and Data Set Published

The DAS Group cooperated with the multinational telecommunications provider Telenor to study how RBA behaves on a large-scale online service with 3.3 million users and more than 30 million login attempts per year. The results of this study are published in the ACM Transactions on Privacy and Security journal.

To foster RBA development and research in the wild, we published the data set in synthesized form on GitHub and Kaggle. This data set, which is derived from the real-world login data of the study, can be used to improve and test RBA implementations.

You can get the paper and the data set on the official website.

Article reporting on a study on the human-centered design of a GDPR-compliant data protection tool for data processors was accepted for publication in Behaviour & Information Technology

Our work entitled “Data Cart - Designing a tool for the GDPR-compliant handling of personal data by employees” by Jan Tolsdorf, Florian Dehling and Prof. Dr.-Ing. Luigi Lo Iacono has been accepted for publication in Behaviour & Information Technology under the special issue “Usable Security and Privacy with User-Centered Interventions and Transparency Mechanisms”.

The article addresses the lack of usable tools for the data-protection-compliant processing of personal data by employees acting under the authority of a data controller. We report on a user-centered design study in which we developed a concept and a tool that incorporate Privacy by Design. Working with 19 employees of two public organizations in Germany, we arrived at a concept that supports employees in handling personal data and in complying with data protection law. Through a series of workshops and usability tests, we demonstrate the solution’s potential for improving the usability of data-protection-compliant tools for managing personal data. At the same time, we show how data controllers benefit from improved compliance.

The DAS Group attends the USP Day 2022 with two presentations

The DAS Group is pleased to attend this year’s USP Day with two presentations:

“Data Cart - Designing a tool for the GDPR-compliant handling of personal data by employees.” - Jan Tolsdorf

“Usable Security and Privacy of Risk-based Authentication” - Stephan Wiefling

Details about the event

USP Day 2022

February 11, 2022

Start 9 a.m.

Registration for the event is free of charge.

OpenStack RBA Plugin Coming Soon

Risk-Based Authentication can strengthen password security while maintaining usability. However, there is currently a lack of open-source RBA solutions that provide both good security and good usability. Our OpenStack plugin aims to close this gap, and it also allows websites with a small budget to protect their users with RBA.

We will release the plugin to the public soon. Until then, you can find first information about the plugin at the official GitHub project.
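The following Python script is an added illustration for this page of how a feature-based RBA decision can be tested against a login history such as the synthesized data set published above; it is not code from the DAS Group's paper, data set, or OpenStack plugin. The record layout, the two features (IP address and user agent), the backoff smoothing, and the thresholds are all assumptions chosen for the example, and the login history is constructed.

```python
"""Minimal feature-based risk-based authentication (RBA) scorer.

Added example for this page. It is not the DAS Group's published data set
and not code from the OpenStack RBA plugin. The record layout, the two
features, the backoff smoothing and the thresholds are assumptions.
"""
from collections import Counter, defaultdict

# Constructed login history (not taken from the published data set).
# Each record: (user_id, ip_address, user_agent, login_successful)
HISTORY = [
    ("alice", "203.0.113.10", "Firefox/102 Linux", True),
    ("alice", "203.0.113.10", "Firefox/102 Linux", True),
    ("alice", "203.0.113.10", "Firefox/102 Linux", True),
    ("alice", "198.51.100.7", "Firefox/102 Linux", True),
    ("alice", "203.0.113.10", "Safari/15 iPhone", True),
    ("alice", "203.0.113.10", "Firefox/102 Linux", False),  # wrong password, ignored below
    ("bob", "192.0.2.44", "Chrome/103 Windows", True),
    ("bob", "192.0.2.44", "Chrome/103 Windows", True),
    ("bob", "192.0.2.45", "Chrome/103 Windows", True),
]

FEATURES = ("ip", "ua")      # positions 1 and 2 of a record
BACKOFF = 1.0                # weight of the population prior in a user's estimate (assumption)
THRESHOLDS = (1.0, 10.0)     # score < 1: allow; 1 <= score < 10: verify; >= 10: deny (assumption)


class RbaModel:
    """Per-user and population-wide counts of feature values from successful logins."""

    def __init__(self, history):
        self.user_total = Counter()
        self.global_total = 0
        self.user_counts = defaultdict(lambda: {f: Counter() for f in FEATURES})
        self.global_counts = {f: Counter() for f in FEATURES}
        for user, ip, ua, ok in history:
            if not ok:
                continue  # failed attempts say nothing about the legitimate user's habits
            for feature, value in zip(FEATURES, (ip, ua)):
                self.user_counts[user][feature][value] += 1
                self.global_counts[feature][value] += 1
            self.user_total[user] += 1
            self.global_total += 1

    def p_attacker(self, feature, value):
        """An attacker is assumed to look like the population; add-one smoothing for unseen values."""
        return (self.global_counts[feature][value] + 1) / (self.global_total + 1)

    def p_user(self, user, feature, value):
        """The user's own estimate, backed off to the population prior when history is thin."""
        prior = self.p_attacker(feature, value)
        seen = self.user_counts[user][feature][value]
        return (seen + BACKOFF * prior) / (self.user_total[user] + BACKOFF)

    def risk_score(self, user, ip, ua):
        """Likelihood ratio attacker/user over all features; above 1 looks more like an attacker."""
        score = 1.0
        for feature, value in zip(FEATURES, (ip, ua)):
            score *= self.p_attacker(feature, value) / self.p_user(user, feature, value)
        return score

    def decide(self, user, ip, ua):
        """Map the score to an action: let the login through, ask for a second factor, or deny."""
        score = self.risk_score(user, ip, ua)
        low, high = THRESHOLDS
        if score < low:
            return "allow"
        if score < high:
            return "verify"  # e.g. a one-time code sent to the registered e-mail address
        return "deny"


MODEL = RbaModel(HISTORY)

if __name__ == "__main__":
    for user, ip, ua in [
        ("alice", "203.0.113.10", "Firefox/102 Linux"),  # usual address and browser
        ("alice", "192.0.2.99", "Firefox/102 Linux"),    # usual browser, unseen address
        ("alice", "192.0.2.99", "curl/8.0"),             # nothing matches the history
        ("carol", "198.51.100.7", "Firefox/102 Linux"),  # user without any history
    ]:
        print(f"{user:6} {ip:14} {ua:18} score={MODEL.risk_score(user, ip, ua):6.2f} "
              f"-> {MODEL.decide(user, ip, ua)}")
```

Two properties of this scorer are worth noting when tuning it on a real history: a value the user has never used scores (history length + BACKOFF) / BACKOFF, so the more consistent a user's past logins, the more suspicious a deviation becomes; and a user with no history at all scores exactly 1.0 on every feature and therefore lands in the "verify" band rather than being silently admitted. The thresholds are the usability-versus-security knob that the published data set lets you evaluate: lowering them catches more account takeovers but re-authenticates more legitimate users.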

Project MedISA has started

From patient records to diagnostic equipment, hospital care is based on the secure use and operation of information technology. In practice, however, insufficient awareness of information security among medical staff often poses a challenge to secure operations. As part of the MedISA (Medical Centre Employee Centered Information Security Awareness) research project, the DAS Group is developing strategies to raise awareness of IT security and data protection among employees in medical care facilities. The project is funded by the German Federal Ministry of Health (BMG). Associated partners are the Universitätsklinikum Aachen and the Universitätsklinikum Düsseldorf. Other institutions interested in participating are welcome to contact us.

More information about the project can be found here.

Paper on employees' privacy perceptions accepted for PETS 2022

The paper entitled “Employees’ privacy perceptions: exploring the dimensionality and antecedents of personal data sensitivity and willingness to disclose.” by Jan Tolsdorf, Prof. Dr.-Ing. Delphine Reinhardt and Prof. Dr.-Ing. Luigi Lo Iacono has been accepted for the 22nd Privacy Enhancing Technologies Symposium (PETS 2022).

Risk-based Authentication privacy paper accepted at IWPE '21

The paper “Privacy Considerations for Risk-Based Authentication (RBA) Systems” by Stephan Wiefling, Jan Tolsdorf, and Luigi Lo Iacono was accepted at the 2021 International Workshop on Privacy Engineering (IWPE ‘21), co-located with the 6th IEEE European Symposium on Security and Privacy (EuroS&P ‘21).

The work proposes and tests several mechanisms that enhance privacy in the RBA models that appear to be used by the majority of online services on the Web. The full paper is available at our RBA website.