University of Amsterdam
Bachelor thesis Information science
June 21, 2015
Data breaches in organisations - Designing a protocol to prevent damage
Author:
Thomas Parmentier
Supervisor:
Dr. Alexander Boer
Abstract
The advancements in technology make it possible for an organisation to collect and process data regarding its customers, which in turn is used for, for example, enlarging the organisation's market share or increasing profits. However, the mass collection of data also creates the risk of data breaches, which cause both damage to the corporate image and financial damage. Consequently, the organisation's future is at risk. Therefore the purpose of this research is the creation of a protocol on how to adequately deal with these breaches. For this to be successful, the current characteristics of data handling had to be investigated. Next to that, scenarios were created with the purpose of discovering threats in simulated environments. Lastly, this study made use of a questionnaire to obtain the data subjects' opinions on the current state of data handling and privacy, using a sample of European citizens. The results from these methods suggest that the creation of a protocol is possible. Secondly, the study points out that a protocol can only be successfully implemented if an organisation has analysed its own situation, as threats and surroundings vary from organisation to organisation. It is therefore suggested that further research is completed on threat- or case-specific countermeasures.
1 Glossary and Abbreviations
Beta-chance - The alpha-chance in the scientific world deals with the significance of statistical analysis, whether an analysis is true or not. The beta-chance is an addition suggested by De Valk to indicate how many threats can be missed in a research, which in the case of the protocol needs to be as low as possible. The lower the beta-chance, the lower the number of threats missed by the research (De Valk, 2005).
BDSG - German Data Law, or in German: Bundesdatenschutzgesetz.
Data - Data are raw, unrefined and unfiltered variables directly coming from sensors and other collection devices (Amidon, 1997).
Data breach - A data breach is an incident that involves the unauthorized or illegal viewing, access or retrieval of data by an individual, application or service.[1]
DPA - United Kingdom's Data Protection Acts.
DPD - European Data Protection Directive.
ECHR - European Convention of Human Rights.
GDPR - European General Data Protection Regulation, to be implemented in late 2015 or 2016.
NIST - US National Institute of Technology and Standards.
IDS/IPS - Intrusion Detection System or Intrusion Prevention System. These systems detect an intrusion in a computer system, and in case of the IPS handle accordingly to prevent the threat.
Information - Information is data, equipped with context and usable for analysis and further processing (Amidon, 1997).
ISO/IEC - ISO (International Organization for Standardization) is an independent, non-governmental membership organisation which defines industry standards for a large variety of industries. ISO/IEC 27001 and ISO/IEC 27002 are standards for the implementation of data and information security.
Knowledge - Knowledge resides in the human mind, and can be used in the organisation for the achievement of set goals or to get insights (Amidon, 1997).
[1] Janssen, C (No date). Data Breach. http://www.techopedia.com/definition/13601/
Personal record - data containing privileged information about an individual that cannot be readily obtained through other public means, which information is only known by an individual or by an organisation under the terms of a confidentiality agreement (Howard and Gulyas, 2014).
SDPA - Swiss Data Protection Act.
WBP - Dutch Personal Data Protection Law, or in Dutch: Wet Bescherming Persoonsgegevens.
Contents
1 Glossary and Abbreviations
2 Introduction
3 Scope
3.1 Overview of data breaches
4 Methodology
5 Data breaches
6 Literature Review
6.1 Added value of information
6.2 Privacy
6.3 Law
6.4 Data handling models
6.5 Prevention of breaches
6.6 Cleaning up a data breach
6.7 Results for protocol
7 Scenarios
7.1 Best case - Victoriam
7.2 Worst case - Aeger
7.3 Mainline - Liberum
7.4 Privacy-sensitive organisation - Sub Rosa
7.5 Governmental institutions - Dominion
8 Questionnaire
8.1 Acceptance and consent
8.2 Individual's Knowledge
8.3 Individual's opinion
8.4 Upset
8.5 Results for protocol
9 Protocol
9.1 Pre-leak
9.2 Post-leak
10 Conclusions
11 Discussion
12 Personal Reflection
13 Appendix
13.1 Appendix 1 - Questionnaire
2 Introduction
The collection and analysis of customer data is a huge opportunity for organisations in the 21st century. Huge databases are designed and filled with as much information as is legally allowed. Names, telephone numbers and e-mail addresses are only the most basic elements of the collected customer data. A selection of news articles shows that organisations collect and process passport, insurance and credit card numbers.[2][3] However, as Murphy's famous law dictates: "Anything that can go wrong, will go wrong."
A data-collecting organisation can suffer from a data breach, which Techopedia defines as "a data breach is an incident that involves the unauthorized or illegal viewing, access or retrieval of data by an individual, application or service."[4] Research shows that more than 200 such data breaches occurred between 2005 and the third quarter of 2014, in Europe alone (Howard and Gulyas, 2014). These breaches hit almost all industries and organisations of all sizes, through a variety of causes. A large insurance organisation might be hit by hackers, while a small painting business that merely collects the names and telephone numbers of its customers might suffer from faulty anti-virus software. When dealing with customer data and information, which almost every organisation nowadays does, security should be among the highest priorities. Cleaning up a leak costs about $150-$200 per customer, so a relatively small leak of 'only' 250,000 pieces of customer data, as suffered by Twitter in 2013, could already cost up to $50 million (Layland, 2007, p. 44).[5] This price is expected to fluctuate depending on what data is leaked, and might be far higher when the data is more privacy-sensitive. Not only does this have direct financial consequences; customer confidence in the organisation might also decline. This may lead to indirect costs, or even bankruptcy when an organisation is not able to rebuild this trust.
An organisation should focus its data protection on safeguarding the individual's privacy, both for its own sake and that of this individual. By providing a data breach policy, based on legal, human-oriented, technical and organisational factors, an organisation can defend itself against threats that may affect its corporate image or have monetary consequences (Cherdantseva and Hilton, 2013).
Therefore this thesis will focus on the creation of a protocol against data breaches. It will be based on other IT risk management policies and laws defined by the European Union and various nations. Currently, ideas on how to prevent data breaches vary widely in effectiveness, and scientific literature on how to handle a data breach is lacking. Consequently, a uniform protocol should be defined.
[2] Kerr, D. (2015). Uber breach could affect the data of 50K drivers. CNET. http://www.cnet.com/au/news/uber-breach-could-affect-the-data-of-50k-drivers/
[3] Matyszczyk, C. (2015). Hack of online dating site Adult FriendFinder exposes millions. CNET. http://www.cnet.com/au/news/hack-of-online-dating-site-adult-friendfinder-exposes-millions/
[4] Janssen, C (No date). Data Breach. http://www.techopedia.com/definition/13601/data-breach
[5] Lord, B. (2013). Twitter's statement on keeping users secure after a series of digital infiltrations in big organisations. Twitter. https://blog.twitter.com/2013/keeping-our-users-secure
This protocol should be effective whatever the size of the organisation and wherever the threat may come from. Furthermore, for this protocol to be valid, it must be accepted by the organisation's data subjects. It should respect these subjects' information privacy. Westin defines information privacy as "the claim individuals, groups or institutions to determine when, how and to what extent about them is communicated to others." (Westin, 1968, p. 7). The question is whether or not the collection of data through, for example, an unread set of 'Terms and Conditions' can be considered ethical (GeorgiaTech, 1996).
Even when a breach happens, not all is lost. By managing the situation through a proper post-leak protocol, it is most likely that both monetary damage and damage to the corporate image can be limited. This research will thus also focus on the clean-up phase of a data breach.
Previous breaches show that each differs in form and impact, which makes planning against it hard. A uniform yet specific protocol should be defined, on which businesses can base their data and subsequent privacy structure. This leads to the following research question:
"How can an organisation defend itself against a breach in security and handle the eventual subsequent possible leak of privacy-sensitive customer data?"
The following subquestions can subsequently be defined:
1. What is the current state of data protection in organisations?
2. What are the legal requirements of an organisation storing data?
3. What steps should an organisation take to protect customer data based on previous findings?
4. Are the customers of an organisation satisfied with the current state of data or privacy protection, and could the protocol thus be based on this state?
3 Scope
The introduction presented the problem of data breaches that organisations can suffer from. The logical next step is to define the scope of this research.
To be able to answer the research question within the time frame of this thesis, while still being able to make decisions based on a large enough set of examples and rules, European organisations are chosen. This scope is wide enough to provide enough practical examples of breaches, yet small enough to fall almost entirely under one central European law.[6]
This research will not be a plea for or against the collection of customer data. In addition, it will not focus on customer-related privacy issues. However, the acceptance of this research's protocol by the general public is necessary for an organisation to use it to its fullest extent, and thus the protocol will be tweaked with the opinions of potential customers through a questionnaire. This thesis will thus be a protocol on how to prevent data breaches, which will in turn be tested against protocols and a questionnaire.
3.1 Overview of data breaches
The importance of such a protocol is shown by the significant number of data breaches in Europe. Between 2005 and the third quarter of 2014, more than 200 data breaches containing personal records occurred in Europe. Accumulated, these breaches leaked more than 600 million personal records, or, after taking the number of European citizens and Internet users into account, 43 lost personal records per 100 citizens. Of these incidents, 113 involved data being stolen. Furthermore, hackers were involved in 94 cases, accounting for 556,106,552 stolen personal records (Howard and Gulyas, 2014). Kaspersky even raises the number of data breaches, with an expectancy that 28 percent of all organisations suffered from a data breach of varying sizes.[7]
Most data breaches occur in commercial organisations, accounting for 51 percent of the incidents. These organisations lost 538,349,868 personal records, or 89 percent of the total lost personal records. The commercial sector is followed by governments at 24 percent of all incidents. These governments lost around 10 percent of the total personal records lost (Howard and Gulyas, 2014).
Most data breaches in Europe happen in the United Kingdom, with 245 personal records compromised per 100 Internet-using citizens. Greece, Norway and Germany have respectively 140, 83 and 79 personal records compromised per 100 Internet-using citizens. Fifth placed is The Netherlands, with 24 breached personal records per 100 Internet-using citizens (Howard and Gulyas, 2014).
4 Methodology
A protocol based on IT risk management models and privacy protocols will be created. It will be based on the smallest possible beta-chance, an analogy defined by De Valk (De Valk, 2005). In other words, the protocol will be designed in such a way that the risk of missing a threat is minimised. Next to that, the protocol will contain steps to follow when previous steps fail and data leaks to the public. It will be tested against several scenarios and pitched to the satisfaction of potential customers through a questionnaire.
The protocol will first of all be based on a literature review. This literature review will accumulate various models and theories, which in turn will be combined into a protocol against data breaches. It will primarily function as a basis, with the other methods used in this thesis as modifiers.
[7] B2B International and Kaspersky. (2013). Global Corporate IT Security Risks: 2013. http://media.kaspersky.com/en/business-security/Kaspersky_Global_IT_Security_Risks_Survey_report_Eng_final.pdf
The scenarios will be based on the 'simple scenarios' method used by Heuer and Pherson (2010). This is, according to Heuer and Pherson, the only method that can be used by a single analyst without the support of a group or coach. A focal issue should be defined, as well as forces, factors and events that are likely to influence the future of an organisation. At least four different scenarios should be created - a best case, a worst case, the mainline and at least one other - by assigning different values (-, ±, +) to each driver. A single page should be written for every scenario to describe what the future looks like and how it comes about. The drivers should be incorporated in this story. Last, a list of wildcards should be thought up. These are so unlikely but of such high impact that the defined scenarios can immediately be considered useless (Heuer and Pherson, 2010).
The questionnaire will be used to tweak the protocol for the acceptance of potential customers. Respondents cannot be asked theoretical questions regarding the protocol, but can be used to test the acceptance of, for example, data collection initiatives. The questionnaire should be clear enough for the customer to understand, but informative enough to deliver good feedback on which the protocol can be further tweaked. This questionnaire will be distributed to as diverse as possible a group of people living in Europe.
5 Data breaches
It is estimated that the information available on the Internet doubles every 5.32 years (Zhang et al., 2008). Organisations see opportunities in this growth of data and try to discover patterns that give an edge over competitors. Most of the more useful data is collected by these organisations, through transaction data, customer accounts and online tracking tools (Han and Kamber, 2011; Froomkin, 1995).
Data breaches in the field of customer data occur when a customer's, or data subject's, data is accidentally lost or stolen (Romanosky et al., 2011). These breaches are valued in the number of personal records lost and can thus be used both for the quantification of a breach and for showing the necessity of this research. A personal record can be defined as 1) "data containing privileged information about an individual that cannot be readily obtained through other public means" and 2) "this information only known by an individual or by an organisation under the terms of a confidentiality agreement." (Howard and Gulyas, 2014). This means it is likely that one individual has multiple personal records and is a data subject of multiple organisations.
Howard and Gulyas define a set of types or categories which can be used to label specific data breaches. These types usually vary in impact and in aggressor, but have in all cases a large impact on an organisation. An organisation should therefore be aware of all possible types of breaches, and should plan separately for each and every single one (2014).
Type of loss               | Description                                                                                                  | # of accidents
Administrative Error       | Accidentally displacing private data, for example sold hardware of which the location is known.              | 22
Exposed Online             | Personal records are made available online, by publishing online, software error or accidental disclosure.   | 49
Insider Abuse or Theft     | Personal records disclosed by an employee.                                                                   | 25
Missing or Stolen Hardware | Misplaced or stolen hardware of which the location is unknown.                                               | 29
Stolen - Hacker            | Lost personal records through a digital attack.                                                              | 94
Unspecified                | No information on the loss of personal records disclosed.                                                    | 4
Total                      |                                                                                                              | 223
Table 1: Types of loss an organisation can suffer, with the corresponding number of leaks in Europe between 2005 and late 2014 (Howard and Gulyas, 2014).
Each type of incident varies and has different culprits. Stolen data obtained by hackers can again be split into five different categories. Ablon et al. define the individuals and small groups, who hack for financial gain. Secondly, they name organised criminals, who also hack for financial gain. These groups are more organised and can consist of networks of individuals and small groups. Third are the nation-states, with the intent to monitor, exploit or attack threats. Nation-states may attack both organisations and governments, as well as criminal organisations. Fourth are cyberterrorists, who attack governments and organisations with the intent to degrade, destroy or sabotage computer systems. However, though Ablon et al. do not mention it, it is likely that terrorist organisations can use hacking as a method of obtaining funds for their operations. The fifth and final group are hacktivists, who try to gain notoriety or visibility for their position on controversial topics (Ablon et al., 2014).
Another interesting type of incident is that of insider abuse or theft. Colwill names some of the key issues that can lead to an insider threat, but to fully grasp these issues, a definition of the insider threat needs to be found. Anyone with access to systems, applications or networks can be seen as an insider. This can range from ex-employees to external contractors (Brancik, 2007). Consequently, an insider threat comes from someone entrusted with access who, instead of fulfilling business processes, exploits the system for various reasons (Jones, 2013; Schultz, 2002). Employees might sell obtained data to competitors (Thomson et al., 2006). It is suggested that a failing economy has a direct correlation with insider data theft.[8] Fear, uncertainty or doubt can also be issues that lead an employee to leak data (Colwill, 2009).
The breaches caused by each party have serious effects. Such a breach can affect the organisation financially as well as have a negative effect on the corporate image. As Layland defined, the loss of one personal record can cost up to $200 (2007). A breach of 'only' 10 000 personal records can thus already cost up to $2 000 000. Multiple of these breaches, or a single larger one, have a serious negative effect on the organisation's profits. Kaspersky mentions a lower average cost of $627 000 for large European organisations.[9] Either way, it can be expected that mitigating threats will cost less than solving a data breach, if only for preserving the corporate image. Not only can a breach have direct monetary effects, it is also possible that, due to the breach, the corporate image is affected and customers no longer trust the organisation. As a result, customers may no longer do business with this organisation.
[8] Mohamed, A. (2009). Security trends for 2009. Computer Weekly. http://www.
To fully grasp the effect of a data breach on the organisation's image, this image should be defined. Scientific literature is divided over two main views: those that see the image only as how customers perceive the organisation, and those who see the image as how all stakeholders, including those who work at the organisation, see the organisation.
"... by which an audience can recognise the company and distinguish it from others and which can be used to represent or symbolise the company."
- Russell Abratt (Abratt, 1989, p. 68)
"Identity means the sum of all the ways a company chooses to identify itself to all its publics: the community, customers, employees, the press, present and potential stockholders, security analysts, and investment bankers. Image, on the other hand, is the perception of the company by these publics."
- Walter P. Margulies (Margulies, 1977, p. 66)
It is unclear to what degree customers take a data breach so seriously that they consider the organisation's image so tainted that they change to a competitor. This also depends on the sector in which this organisation operates. This might be a monopoly, with no other options for a customer to take his business to another organisation. When taking the complete view by Margulies into consideration, corporate image can have an even bigger effect. Investment bankers and potential stockholders might no longer view the organisation as trustworthy, which limits the monetary flow into the organisation.
Another serious impact of a data breach is that business processes often cannot continue, due to investigations or even sabotage. Almost one fifth of the organisations that suffer a security breach cannot continue their services within 24 hours.[10] This can have indirect monetary consequences as well as affect the corporate image of an organisation. 35 minutes of downtime in 2014 cost Facebook around $854 700.[11] It is most likely that downtime affects every organisation differently, based on its position in society. For example, Facebook is a market leader in an industry where there are almost no competitors, while if a news website were to get shut down, individuals might just go to another website to get their news. The same can be said about physical organisations. If public transport gets shut down, people have almost no alternatives, as they based their whole transportation planning around this public transport organisation, whereas if a supermarket shuts down, customers might get their groceries at another supermarket.
[9] B2B International and Kaspersky. (2013). Global Corporate IT Security Risks: 2013. http://media.kaspersky.com/en/business-security/Kaspersky_Global_IT_Security_Risks_Survey_report_Eng_final.pdf
[10] Zapolyansky, V. (2015). Business Continuity Risks. Kaspersky. https://business.
Summarising, an organisation can be seriously hindered by a data breach, whatever the source or type of threat. When striving to defend its corporate image, limit monetary damage and continue business processes, an organisation should design a protocol focused on handling all types of breaches.
6 Literature Review
6.1 Added value of information
For an organisation to invest in data collection, it first needs to see the added value of big data and information. From this information, an organisation can obtain knowledge. In turn, this knowledge can be used to gain a competitive edge over other parties, or to sharpen marketing and handle customer support more efficiently. First of all, the difference between data, information and knowledge needs to be defined.
Data is the raw, unrefined and unfiltered data directly coming from sensors and other collection devices. For this data to become information, it needs to be filtered and organised. Information is data, equipped with context. In this form, it is useful for analysis. Analysis of this data equipped with context will, if done correctly, yield usable knowledge (Amidon, 1997). Knowledge resides in the human mind, and can be used in the organisation for the achievement of set goals. It can also be used to obtain insights, which in turn can act as a framework to value new information and experiences (Sydänmaanlakka, 2002).
For this data, information and knowledge to be useful, it needs to be managed. In 2007, Liew coined the terms data management, information management and knowledge management. Liew defines data management as "the capture, storage, structure, compilation, retrieval, and analysis of [personal] records." Second, information management is about collecting context, through for example market intelligence, predicting future events and analysis for decision making and/or problem solving. Third is the actual knowledge management, which is more human-oriented management, as tacit knowledge is found in the human mind. Knowledge management includes the flow of information, thus the sharing of knowledge and sustaining the competitive advantage (Liew, 2007).
[11] Mosendz, P. (2014). When It Goes Down, Facebook Loses $24,420 Per Minute. The Atlantic. http://www.theatlantic.com/technology/archive/2014/10/facebook-is-losing-24420-per-minute/382054/
With this in mind, it can be concluded that this thesis will most likely focus on data management. However, information and knowledge management cannot be neglected either. Information management is present when an organisation is actually using the data, which is when data is at risk from administrative errors and abusive employees. Knowledge management is the least necessary type of management for the prevention of data breaches, although it must be noted that an organisation needs to put effort into preventing employees from taking knowledge to a competitor.
In 1995, Froomkin already recognised that the Internet and data collection created new opportunities for organisations. He suspected that Internet commerce would evolve in two directions: the trade in physical goods and what he defines as 'information commerce'. This last type of commerce would benefit from fast communication, but would have the downside of being insecure (Froomkin, 1995). Besides that, he quotes Gandy Jr, who mentions the collection of data. Gandy Jr makes the following statement:
"The most important part of the emerging database phenomenon, however, arises from the combination of the growth in computer processing power with the likelihood that routine personal data collection will soon become nearly ubiquitous. As the cost of data storage plummets, these trends will make it possible to assemble an individual data profile of extraordinary detail by cross-referencing multiple, extensive, databases."
- Oscar H. Gandy Jr (Froomkin, 1995; Gandy Jr, 1993)
Froomkin mentions that these individual data profiles will see heavy use in both commerce and law enforcement. However, his main point in writing on data collection is his fear that the value of these collected individual data profiles will shift the power balance between, for example, consumers and merchants. When merchants know exactly what customers want to buy, they can influence prices and margins in such a way that profit is maximised. He especially fears interlinked databases, which contain data from multiple sources and can thus create a more detailed personal record. This way an organisation not only gains the data it specifically mines, but also the added value of information when this data is equipped with context and meaning (Froomkin, 1995).
Organisations are beginning to recognise the potential of this data collection, especially when it is classified as big data. A study performed by researchers of KPMG shows that nearly 40 percent of the 200 medium-sized organisations that were questioned already used customer data. Almost 60 percent of these organisations have at least a strategy or protocol in place for the use of big data. Furthermore, 97.3 percent of the organisations see big data as added value to the organisation (Groenteman et al., 2014). The information that follows this collection and analysis is primarily used for improving customer service, which Froomkin named as an advantage of data collection, and for gaining insight into the customer's demands and wishes. These are followed by using data to determine the company's strategy, which 43.8 percent of the organisations note as their view on how to use big data. The same percentage of organisations see data analysis as a resource to improve their competitive position in comparison to other organisations (Groenteman et al., 2014).
An organisation can thus gain in a lot of different fields from the collection of data. If added value can be generated by combining mined data with already known information, an organisation might be able to add value to the organisation, improve customer service or improve its competitive position.
6.2 Privacy
Collection of data cannot be initiated without thinking of a data subject's privacy. Intrusion of privacy might seem one of the more recent developments that people need to worry about. After all, the technology to perform massive digital data collection is only a few decades old. However, it is shallow to think that individuals before the twentieth century did not worry about their private information.
The word 'privacy' is derived from the Latin privatus, a term used in Roman society. In contrast to the Latin term publicus, the term privatus was used as a substantive for citizens that were not occupied as a public official or member of the military corps (Berger, 1953). A similar distinction can be found in ancient Greece, where Socrates made a distinction between 'Inner' and 'Outer' (Moore Jr., 1983).
Holvast gives a short history of privacy. During the colonisation of America, the distance between homesteads made physical privacy a key privilege and a characteristic of life. In the late Middle Ages, individuals went to court to charge one another for eavesdropping and opening personal letters. Late in the nineteenth century, the focus of privacy shifted to not only protecting privacy at home and private communication, but also protecting an individual's control over his or her own information (Holvast, 2009, p.15).
Privacy can thus historically be defined as the control of one's information, both in the form of communication and physically. While originally based on physical and verbal forms of communication, the same statements still stand for the digital age. Especially the control over private communication is of importance in the digital mass collection of customer data. As Westin states, information privacy is "the claim individuals, groups or institutions to determine when, how and to what extent about them is communicated to others." (Westin, 1968, p. 7). Westin's claim was written in 1968, at the beginning of the technological advancements that make big data collection possible.
However, these technological advancements pose a much larger risk than ever before. The mass collection of data has a significant impact on what organisations know about their customers (Froomkin, 1995). This may in turn lead to customers being at risk of identity theft after a data breach. The vast amount of private information saved online makes for a large risk. With data that customers exchange with organisations, fraudsters can subscribe to magazines, rent cars and even sell property (Saunders and Zucker, 1999; Solove, 2002).
An interesting case is that of Dutch municipalities that, as of 2015, use a system called Suwinet, which contains data on all Dutch citizens. This data is interlinked with data systems from the Employee Insurance Agency (in Dutch: UWV), the organisation that implements national insurance (in Dutch: SVB) and other (semi-)governmental institutions. The system could be used by almost every single civil servant to look up information on a Dutch citizen if this was needed for his or her job. However, it turned out that access rights had been given to parties that have no right to this data. This led to abuse, such as individuals looking up women living in a women's shelter that was protected and supposed to be anonymous.[12]
While the case of Suwinet is a clear case of violation of privacy, other cases are not. It is necessary to define the expectation of privacy. What does an individual see as privacy and how much of it can he expect? Fitting here is the Mischange Principle, defined by Tunick (1998) and presented by McArthur in ”Reasonable expectations of privacy” (2001):
”We cannot reasonably expect to maintain privacy over that which another person could discover, overhear, or come to know without concerted effort on his/her part to obtain this information.”
- Mark Tunick (1998) in Reasonable Expectations of Privacy (McArthur, 2001)
Dropping a personal letter on the sidewalk can in one way violate your privacy, even though many countries have a law forbidding the opening of this letter. From another viewpoint, you can expect someone to read this letter, and you cannot blame him. The question is whether these cases can be seen as a violation of privacy, or as an unlucky circumstance in which data has become public (McArthur, 2001). The Mischange Principle fits a lot of examples. If you accidentally mail private information to an organisation instead of to a friend, you cannot blame the organisation for violating your privacy.
Context is also of importance, as you can expect your belongings to be searched at an airport, but do not expect so when you walk into a supermarket. However, one may voluntarily give up private information by going to the airport. You cannot expect to maintain privacy, as you know in advance you will be searched. An individual takes the ’breach’ of privacy for granted, by reasoning that he or she cannot expect his or her privacy to be observed. This leads to the Voluntary Principle:
”If I choose to decrease the relative amount of privacy for myself and information under my control by exposing it to view, I thereby decrease the reasonableness of any expectation that this privacy will be observed.”
12 Radio report by Cornelisse, A. and Van de Beek, H. in Argos for the VPRO. (2015, 20-6).
- Robert L. McArthur (McArthur, 2001)
When an individual publishes something on his open Facebook or blog page, it could be discovered without much effort. He or she does not expect privacy in this instance, as it is clear people can find this data without much effort. This leads to a situation often seen in the last decade. Through the use of social media, a lot of information can be found without too much effort. Individuals post a lot of personal information, like telephone numbers, for instance in replies to helpdesks on Twitter. One lowers one’s expectations of privacy in exchange for better service.
Hinssen argues in The New Normal that privacy will be substituted by transparency, as the new generation has a different view on privacy than their parents or grandparents. He questions whether private information published on the Internet may be read by an organisation. Hinssen gives the example of services that delete all your private information on the Internet for an arbitrary amount of money, while he immediately counters this by providing the fact that one of the iPhone’s most popular apps functions as a screening tool for your potential partner (Hinssen, 2010, p. 39-41). A conclusion that can be drawn from this shift to transparency is that when large amounts of data become more transparent, the confidential data becomes worth more.
Does an individual consider browsing on the Internet private? This question arises when an organisation considers the collection of data from their website or digital store. From one point of view, an organisation could argue that it is known that cookies and trackers follow our every step. However, from another view one could argue that as long as not every person knows about these procedures, automatic collection could violate an individual’s privacy. As long as not every single Internet user has the knowledge that his or her every step is tracked, tracking can be considered privacy-invasive when consent of an individual is lacking.
Privacy is thus one’s control over one’s own information. He or she may choose which party has specific information, and which party has not. While the Internet, and consequently the rise of transparency on social media, seems open and somewhat privacy-free, an organisation should ask itself whether it is willing to take the risk that an individual takes offence at the fact that an organisation collected his or her data without consent. As long as not all individuals agree with Hinssen’s shift towards transparency, an organisation should not collect or process data without obtaining consent from the individual.
6.3 Law
For the protocol to be integrated, it should fall within the borders of the law. This section will therefore analyse European privacy and data laws. Next to that, the nation-specific laws of a variety of European nations will be further evaluated.
Article 8 of the European Convention of Human Rights [Hereafter ECHR] states that ”1. Everyone has the right to respect for his private and family life, his home and his correspondence.” and ”2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”13 It is notable that European law in the second clause immediately states what the limitations of one’s privacy are. European nations have to base their privacy law on article 8 of the ECHR and have to be at least as strict as the European Union.
Article 10 of the Dutch constitution states that every individual has the right to respect for his privacy. This includes, but is not limited to, communication by phone and other means, the right that others handle personal information safely and that the government cannot use personal information unwarranted.14 In addition, article 13 of the Dutch constitution defines that the privacy of correspondence may not be violated, except when a court orders otherwise.15 In the Netherlands, ECHR article 8 rulings have precedence over Dutch law, whereas in Germany the ECHR has a dual function with the national law.
The Dutch Wet Bescherming Persoonsgegevens [Hereafter WBP] states various rules regarding the handling of personal records, and is therefore an extension of the European laws. The most important rulings of the WBP are that personal records may only be processed and collected if this is done fairly and lawfully.16 They may also only be collected and processed if this serves a legitimate purpose17 and consent from the data subject has been obtained.18 Important for the protocol is the clause that data must be saved anonymously, or has to be anonymised as soon as identifying variables are no longer necessary.19
German privacy law, or Bundesdatenschutzgesetz [Hereafter BDSG], is a federal data protection act in place to protect individuals from having their privacy affected by the handling of their personal data.20 It applies to the collection, handling, use and processing of data.21 Organisations need to inform the individual when they collect his data, as well as inform him or her how, for what purpose and for how long the data may be used.22 Private organisations may however also collect data from generally accessible sources, though conditions apply.23 Furthermore, organisations need to have policies and strategies in place for all types of data that are collected.
13 Art. 8 European Convention of Human Rights
14 Art. 10 Gw.
15 Art. 13 Gw.
16 Art. 6 WBP
17 Art. 7 WBP
18 Art. 8a WBP
19 Art. 10a WBP
20 Art. 1.1 BDSG
21 Art. 1.2 BDSG
Private organisations need to store personal data depersonalised, with the data needed to re-personalise this data held on a separate system.24 Private organisations shall erase data if certain conditions apply, for example when it concerns health matters or criminal records, or when it contains political or religious views that cannot be confirmed. Data also needs to be erased when storage of this data is no longer needed.25
Notable is the requirement to appoint a data protection officer for organisations with at least five employees. The data protection officer is in charge of monitoring the proper use of data processing programs. This officer is also responsible for educating employees on the German privacy acts.26
The United Kingdom has no freestanding right to privacy at common law and links most privacy-related cases to the intentional infliction of harm to an individual.27 Data-related issues are dealt with through the Data Protection Act (1998) [Hereafter DPA]. The main principle of the DPA is that data will be processed fairly and lawfully, and shall not be processed unless conditions are met.28 Just like German law, English law states that data should be accurate and up-to-date. Furthermore, it needs to be adequate, relevant and proportionate for business processes.29 A data subject needs to give his consent before any data processing can occur.30
French information law act N78-17 deals with all information questions and is thus a document consisting of 72 acts. Just as ruled in other nations, data needs to be collected and used fairly and lawfully. Another point that is again important is the notion that collection of data must not be excessive.31 It is prohibited to collect data that may, directly or indirectly, reveal racial or ethnic origins, as well as political, religious or philosophical views and affiliation to trade unions.32 Data subjects have to give express consent to the organisation to process their data, except when certain conditions apply.33 Organisations that start to process data need to contact CNIL, the national data processing agency.34
22 Art. 4.1-2 / Art. 33 BDSG
23 Art. 28.1 BDSG
24 Art. 30 BDSG
25 Art. 35 BDSG
26 Art. 36-37 BDSG
27 Home Office v Wainwright (2001) EWCA Civ. 2081.
28 DPA 1.1
29 DPA 1.2-5
30 DPA 1.1 Conditions relevant for purposes of the first principle: processing of any personal data
31 N78-17 art. 6
32 N78-17 art. 8.1
33 N78-17 art. 8.2.1
Any person may object to the collection of his data, if he can do so on legitimate grounds.35 Similar to other nations’ rulings, a data subject has the right to information regarding the processing of his information.36
An interesting case is Switzerland. While not part of the European Union, it has partially implemented the European Data Protection Directive [Hereafter DPD]. Just like other nations, Switzerland implemented privacy and information laws in addition to the DPD. Article 13 of the Swiss Federal Constitution guarantees privacy in the first place. Furthermore, Switzerland implemented a set of rules through the Swiss Data Protection Act [Hereafter SDPA].
Contrary to many other nations, the SDPA protects both personal data and data of legal entities. As a result, organisations should keep a close eye on Swiss law when collecting and processing data regarding competitors. Due to the position Switzerland takes by staying out of the European Union, complicated situations can occur. Transferring data to another country is immediately regarded as transferring data to a third country, while data can travel relatively freely between EU countries.
Just like the European privacy laws noted earlier, European organisations will have to follow European data handling regulations. These laws are currently defined by individual states, directed by the European Union in the DPD.37
As described earlier, many nations combine their IT privacy and data laws in the same articles. For that reason, they will not be described again. However, the aim is to replace these in 2015 or 2016 with one central set of laws as defined by the European Union in the General Data Protection Regulation [Hereafter GDPR].38 As these laws are not complete at the moment of writing, the protocol defined in this thesis will use the DPD as implemented by the individual countries. However, the downside of this decision is that the DPD does not consider globalisation and technological advancements like cloud computing and social networks. To combat this downside, the provisions already decided for the GDPR will act as an inspiration.
The European DPD aims to be a guide on how to handle personal data, whether this is processed automatically or not. It defines this personal data as ”any information relating to an identified or identifiable data subject[..]”. The key directive of the DPD is that data should not be processed at all, unless certain conditions are met. These conditions are sorted in three categories: transparency, legitimate purpose and proportionality.39 This collected data may not contain information that may directly or indirectly reveal racial origins, political, religious or philosophical views and any affiliation to ethnic origins.40 Other data must be kept up-to-date.41 Furthermore, consent by the customer must be present before the collection of data.42 A data subject may object to the collection and processing of his data.43 Also, data cannot be transferred to third countries when data protection is not adequate.44 Furthermore, an organisation and countries should employ a data controller ”which alone or jointly with others determines the purposes and means of the processing of personal data.”45
34 N78-17 art. 22
35 N78-17 art. 38
36 N78-17 art. 39
37 Data Protection Directive 95/46/EC - L281, 23/11/1995, p. 31–50
38 General Data Protection Regulation - 2012/0011/COD
It seems from this selection of European countries that each has similar rulings on information and data processing, based on the ECHR and DPD. The fair processing of data, within the limits of transparency, legitimate purpose and proportionality comes back in every national form of data law. As all national laws must be based on the European directive, these also contain rulings on, for example, the appointment of a data protection officer, how to handle transferring data to third parties and how data must be depersonalised. From these rulings, a legal framework can be defined which will be necessary for the protocol.
Data needs to be processed fairly and lawfully, with the latter for protocol purposes meaning within the borders of the strictest country. This collected data may not contain information that may directly or indirectly reveal racial origins, political, religious or philosophical views and any affiliation to ethnic origins. Summarised, it may not contain data that might be harmful to the individual. Third, data needs to be kept up-to-date. A person might for example change his address or even name. Fourth, an organisation with at least five employees shall appoint a data protection officer. Fifth, an individual may object to the collection of data at any point and will be allowed to receive information on how his data is used. However, before an organisation can start defining a protocol, it should have the consent of its data subjects to collect and process their data.
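The BDSG rule above (personal data stored depersonalised, with the data needed to re-personalise it held on a separate system) and the WBP rule that identifying variables are dropped as soon as they are no longer necessary can be sketched as an added example. This is illustrative code written for this page, not code from the thesis or from any cited law; the field names, the forbidden-category list taken from the summary above, the in-memory identity store and the sample record are assumptions.

```python
"""Pseudonymised storage with a separate re-identification store (added example)."""
import secrets
from datetime import date

# Identifying variables that are split off into the separate store (assumed field names).
IDENTIFIERS = ("name", "email", "address")

# Categories the surveyed laws forbid collecting at all (from the legal summary above).
FORBIDDEN_CATEGORIES = (
    "racial_origin", "ethnic_origin", "political_views",
    "religious_views", "philosophical_views", "trade_union_affiliation",
)


class IdentityStore:
    """Stands in for the separate system that maps a token back to a person.

    In a real deployment this lives on its own host with its own access
    controls; here it is an in-memory dict so the example runs offline.
    """

    def __init__(self):
        self._by_token = {}

    def put(self, token, identity):
        self._by_token[token] = dict(identity)

    def get(self, token):
        return self._by_token.get(token)

    def delete(self, token):
        # Returns True only if a mapping actually existed.
        return self._by_token.pop(token, None) is not None


def depersonalise(record, store, retain_identity_until):
    """Split `record` into an operational part and a separately stored identity.

    The operational part carries only a random token. A record containing a
    forbidden category is rejected instead of being stored at all.
    `retain_identity_until` is an ISO date (YYYY-MM-DD) after which the
    identifying variables are no longer necessary.
    """
    forbidden = sorted(k for k in record if k in FORBIDDEN_CATEGORIES)
    if forbidden:
        raise ValueError(f"forbidden categories present: {forbidden}")
    date.fromisoformat(retain_identity_until)  # validate the retention date early
    token = secrets.token_urlsafe(16)  # unpredictable: no link back without the store
    identity = {k: v for k, v in record.items() if k in IDENTIFIERS}
    operational = {k: v for k, v in record.items() if k not in IDENTIFIERS}
    operational["subject_token"] = token
    operational["retain_identity_until"] = retain_identity_until
    store.put(token, identity)
    return operational


def repersonalise(operational, store):
    """Re-join identity and operational data for a legitimate purpose,
    e.g. answering a data subject's information request."""
    identity = store.get(operational["subject_token"])
    if identity is None:
        raise LookupError("subject is anonymised; identity no longer exists")
    merged = dict(operational)
    merged.update(identity)
    return merged


def is_anonymised(operational, store):
    return store.get(operational["subject_token"]) is None


def anonymise(operational, store):
    """Drop the mapping: the operational record stays usable for statistics
    but can no longer be traced to a person. Returns True if a mapping was removed."""
    return store.delete(operational["subject_token"])


def expire_identities(operationals, store, today):
    """Anonymise every record whose retention date (ISO string) has passed
    relative to `today` (ISO string); returns how many were anonymised."""
    today_d = date.fromisoformat(today)
    count = 0
    for op in operationals:
        if date.fromisoformat(op["retain_identity_until"]) < today_d and anonymise(op, store):
            count += 1
    return count


if __name__ == "__main__":
    store = IdentityStore()
    # Constructed sample customer record (not real data).
    customer = {
        "name": "A. Voorbeeld", "email": "a.voorbeeld@example.com",
        "address": "Voorbeeldstraat 1, Amsterdam",
        "postal_code": "1012 AB", "newsletter_opt_in": False, "orders": 3,
    }
    op = depersonalise(customer, store, "2015-12-31")
    print("operational record:", op)
    print("re-joined for an access request:", repersonalise(op, store)["name"])
    print("anonymised after retention:", expire_identities([op], store, "2016-01-01"))
    print("still linkable:", not is_anonymised(op, store))
```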
Consent
A violation of the above laws might happen when organisations leak customer data to third parties. After all, in this situation the customer has lost control of his own information or correspondence. To counter this, organisations have to ask potential data subjects for their consent.
Three types of consent an individual can give to an organisation can be defined: explicit consent, implicit consent and opt-out consent. The first, explicit consent, is clear to both the customer and the organisation. For example, a supermarket asks a customer if he is willing to give up his postal code. Implicit consent is also known as deemed or indirect consent. It is when it is deemed legal and obvious that an organisation collects information, or that you give up personal information when it clearly benefits you. An example of implicit consent is when you attach a list of references to a motivation letter. Anyone giving a reference deems it fair that an organisation might call them when needed.
40 Data Protection Directive 95/46/EC art. 25
41 Data Protection Directive 95/46/EC art. 6d
42 Data Protection Directive 95/46/EC art. 7
43 Data Protection Directive 95/46/EC art. 14
44 Data Protection Directive 95/46/EC art. 25
45 Data Protection Directive 95/46/EC art. 2
Opt-out consent is the type of consent used by most mass data collecting organisations. This type of consent occurs when an individual explicitly has to make known that he does not want his information to be collected. Opt-out consent is, for example, used by webshops that ask whether or not you want to receive a newsletter. Another example is that of the American ISP AT&T, which offers a basic subscription where your information is collected, and a more expensive subscription where less of the individual’s information is obtained.46
It is expected that while opt-out consent is the most convenient for an organisation, customers prefer giving explicit consent. This informed consent indicates that a customer understands what is asked of him or her, that he or she is willing to give up part of his or her privacy and that he or she has a clear choice between agreeing or declining (Friedman et al., 2000). Friedman et al. also argue that agreeing to give up information through explicit consent shows competence, or in other words that the individual giving the explicit consent is mentally capable of making this decision (2000). This might in turn affect liability.
An organisation should always try to obtain explicit consent from customers, for example by informing them in comprehensible language. By presenting customers with the implications of choosing a type of consent, instead of presenting the technical mechanisms, a user becomes aware of what will happen with his or her data (Friedman et al., 2000). Only in that case can an organisation defend itself against accusations from other parties when a data breach occurs. Needless to say, an organisation should always strive to avert a data breach. For that exact reason, organisations implement data handling protocols and methods.
6.4 Data handling models
To guarantee the validity of the final protocol, a section must be devoted to data handling models. These are often based on a set of conditions or factors, either defined by law or by researchers in various studies. Data handling in Europe is subject to a set of conditions, categorised in three sets: transparency, legitimate purpose and proportionality.47 Additionally, many information (or data) security strategies are based on the CIA triad of confidentiality, integrity and availability.48 However, neither of these sets offers a comprehensive set of factors to monitor.
46 Early 2015 American ISP AT&T presented a plan for a new type of subscription by which they were allowed to collect and analyse the websites that are visited, the time that is spent on those websites, the search terms that are used and more. This analysis would be presented to advertisers who could send personalised advertisements through websites and e-mail. By paying a monthly ’privacy fee’ of at least $30, customers could opt out of this subscription and would only be subject to basic analysis. Brodkin, J. (2015). AT&T’s plan to watch your Web browsing—and what you can do about it. ArsTechnica. http://arstechnica.com/information-technology/2015/03/atts-plan-to-watch-your-web-browsing-and-what-you-can-do-about-it/
To maintain full data security, McCumber argues that the state of data should be known. He defines these states as ’transmission’, ’storage’ and ’processing’. McCumber combines these states with other factors in the ’McCumber Cube’, designed for the evaluation of information security. In his model, as can be seen in Figure 1 and Figure 2, the states make up the Y-axis. These are mapped against the X-axis, which contains the types of measures required to maintain full data security: ’technology’, ’policy and/or practices’ and the ’human factor’. Third, both of these axes are mapped against a diagonal axis containing three security perspectives: ’confidentiality’, ’integrity’ and ’availability’ (McCumber, 1991).
Figure 1: The McCumber Cube (McCumber, 1991)
Another interpretation of these states is given by Liu and Kuhn, who categorise data into ’data in motion’, ’data at rest’ and ’data at endpoint’ (Liu and Kuhn, 2010). Cherdantseva and Hilton argue that basing security only on the state of data is not enough. Instead, the state of data should be supplemented by sensitivity, location and format (Cherdantseva and Hilton, 2013).
Organisations utilise multiple methods of saving and using customer data. To analyse this, first we must define the state the data is in. This can be ’data in motion’, ’data at rest’ or ’data at endpoint’ (Liu and Kuhn, 2010). ’Data in motion’ is data in a digital state of transportation. ’Data at rest’ is the state when data is saved on, for example, a server. Third is ’data at endpoint’, when the data is being used in an application or system. Data saved on portable hard disks is also given the state ’at endpoint’. For each state, a different strategy should be defined in the final protocol.
Figure 2: The McCumber Cube (McCumber, 1991)
48 Perrin, C. (2008). The CIA Triad. http://www.techrepublic.com/blog/security/
Sensitivity needs to be included for two reasons. The first reason is that countermeasures will differ for each type of sensitivity. A public press release does not have to be as secure as a private document for shareholders. Second, a sensitivity scheme needs to be defined following ISO/IEC 27002:2005 7.2.49
This task requires organisations to negotiate internally over what data gets what classification. Cherdantseva and Hilton write that this is a crucial but hard task, as every party has different priorities and thus different uses of data. ISO/IEC 27001 mentions the creation of a classification guideline, to ensure that every piece of information gets the proper protection.
Data location is crucial for the physical protection of data. Data can be at a ’fully controlled’, ’partially controlled’ or ’uncontrolled’ location. These closely correspond with Liu and Kuhn’s data states, where ’data at rest’ is most likely at a fully controlled server room. ’Data at endpoint’ could be at a partially controlled location, such as a meeting room of a partnering organisation, on an employee’s device. However, it could also easily be at an uncontrolled location, on a device an employee decides to take with him. Furthermore, when embedding data, the physical location differs from the location where the data is used.
Format is of less importance for this research. Cherdantseva and Hilton argue that information can be found in three different formats, namely digital, on paper and verbal. As this research focuses on the prevention of digital data breaches, the only format used will be digital.
These factors are useful for the analysis of both online and offline threats. Both need to be addressed before one can fully focus on countermeasures, which can be introduced in the ’Prevention’ section. Nonetheless, occasional remarks might be made on how an introduced problem could be solved. These might be added to the final protocol, if they do not contradict any later observations.
49 Many countries, including a lot of European nations, use ISO/IEC standards 27001 and 27002 as an information security standard. It was published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), and revised in 2005.
Online
’Data in motion’ or ’data in transmission’ and ’data at endpoint’ or ’data in processing’ are the two states in which an organisation risks losing data through online means. Nowadays, a connection with the Internet is made both when data is in transit and when it is saved on a server.
’Data in motion’ could quite easily be secured through the use of encryption protocols, such as TLS.50 TLS uses asymmetric cryptography to authenticate the other computer and then symmetric encryption to communicate between the two. Another example of such a protocol is SSH, which is used both for controlling remote machines in a secure manner and for transferring files between servers.51
Location is one of the factors that come into play when data is in transportation. An organisation should ask itself where its sensitive data is located.52 Data is sent from one point to another, most likely through a set of nodes not all of which are under the control of the organisation. When an organisation sends something over the Internet, the packets are transported through different routers. These are not within the control of the organisation, and might pose a risk if the packets are routed through high-risk countries.
Hackers constantly try to break encryption protocols, both for sport and for crime.53 54 Because of this, an organisation has to constantly update its encryption protocols. This means downtime of the system, as it should be fully secured and offline while it is upgraded. Upgrading is a necessity for all organisations, not only for encryption protocols, but also for applications or software. These patches and upgrades are meant to fix holes and bugs in these applications, which, left unpatched, can be exploited.
However, there are more means to digitally infiltrate an organisation. Various threats analysed by Kaspersky, an IT-security organisation, show a variety of infiltrations in European countries. For example, a spying virus called ’Remote Control System’ [Hereafter RCS] could copy data from user accounts and online messages, as well as video and audio messages, by infiltrating a machine through a social engineering mail sent to a random employee.55 RCS is a classic example of how one single employee can bring danger to the entire company. These espionage platforms often need only one access point, after which they can access most of the network. In the ’Prevention’ section of this thesis, social engineering will be addressed.
50 Dierks, T. and Rescorla, E. (2008). The Transport Layer Security (TLS) Protocol Version 1.2. The Internet Engineering Task Force. http://tools.ietf.org/html/rfc5246
51 Network Working Group of the IETF. (2006). The Secure Shell (SSH) Authentication Protocol. The Internet Engineering Task Force. http://tools.ietf.org/html/rfc4252
52 Ilyin, Y. (2015). IT security questions that every small business needs to ask themselves. Kaspersky. https://business.kaspersky.com/it-security-questions-that-every-small-business-needs-to-ask-themselves/3563
53 Hacker conference DEFCON hosts a yearly ’Capture The Flag’ tournament. The goal of this tournament is to steal the digital ’flag’ that others have stored behind walls of encryption and other security means. https://www.defcon.org/html/links/dc-ctf.html
54 FREAK is an example of a ’man-in-the-middle’ attack on OpenSSL. It made it possible for hackers to inject JavaScript onto websites and extract customer data, including passwords. https://www.smacktls.com/#freak
Another example is that of ’Epic Turla’, which could infiltrate an organisation through e-mails like those used by RCS, but also by using a so-called watering hole. In this situation, an attacker observes or guesses what websites will likely be visited by an organisation or individual. Once this knowledge is established, a similar website is created. This website then contains an exploit56 or uses social engineering to get a user to download a specific file. ’Epic Turla’ sent out e-mails containing attachments called ’NATO position on Syria.scr’, ’border security protocol.rar’ and ’Security protocol.scr’. For the watering-hole technique, ’Epic Turla’ mimicked the website of the City Hall of Pinor, Spain, a website promoting starting a business in Romania and the website of the Palestinian Authority Ministry of Foreign Affairs. It was thus most likely focused on governmental institutions.57
Many of these dedicated viruses leave components behind, which can, at a later stage, act as easy entry points for hackers or as senders of data. IT personnel might think they removed the virus, only to discover that after some time data is again flowing out of the organisation. These components open, for example, backdoors58 or act as a communication channel that sends out sensitive data.
In theory, most data can be accessed through online means, whatever its sensitivity and format. Yet it is most likely that more sensitive data is stored more securely. To be fully protected against a data breach, this data needs to be secured by being saved offline. However, this may hinder business processes. This means that each organisation must weigh being more secure against accepting more risk for the sake of convenience.
It should be mentioned that data cannot be fully secured. So-called zero-days make it possible to use an unknown vulnerability to infiltrate a system or application. Where known viruses are detected by an IPS or firewall through a corresponding digital signature in a central database, the signatures of zero-days are not yet known and so cannot yet be detected. For these threats to be limited, countermeasures other than technical measures should be taken.
55 Golovanov, S. (2013). Kaspersky. https://securelist.com/analysis/publications/37064/spyware-hackingteam/
56 An exploit is a piece of software or a set of commands to take advantage of a vulnerability in a computer system.
57 Kaspersky Labs’ Global Research Analysis Team. (2014). The Epic Turla Operation. Kaspersky. https://securelist.com/analysis/publications/65545/the-epic-turla-operation/
58 A virus or hacker might leave a backdoor behind, through which they can quickly and without trouble access the system again. These so-called backdoors allow the hacker to skip over the normal authentication components of a login system.
Offline
Data is at risk offline when it is ’at rest’ or ’in storage’. Losing a hard disk, whether included in a laptop or on its own, poses a threat that is not easily dealt with. An employee of Dutch ISP Ziggo lost his laptop containing unencrypted customer data on 40,000 individuals, after taking it with him to perform a statistical analysis on help desk information. As it was an older laptop, it was unencrypted. Furthermore, it was against company regulations to take the laptop with him. The employee took sensitive information to an uncontrolled location.59
Another imaginable scenario is that of social engineering, where a physical malicious infiltration of the organisation happens. Criminals try to access the organisation through the careful use of psychological tricks. For example, social engineering experts Mitnick and Simon describe a situation where a security consultant could access all protected areas in an organisation (Mitnick and Simon, 2005, p. 212-242). Another example is that of the previously mentioned RCS platform, which could also be installed by tricking an employee into running a specific file from a USB stick.60
”The social engineer employs the same persuasive techniques the rest of us use every day. We take on roles. We try to build credibility. We call in reciprocal obligations. But the social engineer applies these techniques in a manipulative, deceptive, highly unethical manner, often to devastating effect.”
- Brad Sagarin (Mitnick and Simon, 2005, p. 221)
In the ideal situation, data should physically not leave the organisation. This prevents scenarios like the breach Ziggo suffered. To make it even harder for data to leak, access to servers should only be given to people with IT knowledge or an IT-security clearance. Further countermeasures will be described in the following chapters.
6.5 Prevention of breaches
In this section, countermeasures for the prevention of data breaches will be given. This will neither be a complete sketch of all possible measures nor will it contain very specific technical information. The fast turnover rate of technology and the constant flux of threats mean that countermeasures must always be re-evaluated over time.
The prevention of data breaches, and thus the protocol, asks for an incident-response plan. As can be seen in figure 3, such a plan consists primarily of steps regarding planning and asking "What if?". As Bailey, Brandley and Kaplan define61:
59 De Winter, B. (12 October 2013). Medewerker Ziggo verliest laptop met 40.000 klantgegevens. Nu.nl. http://www.nu.nl/internet/3600286/medewerker-ziggo-verliest-laptop-met-40000-klantgegevens.html [In Dutch]
60 Ilyin, Y. (2015). IT security questions that every small business needs to ask themselves. Kaspersky. https://business.kaspersky.com/it-security-questions-that-every-small-business-needs-to-ask-themselves/3563
"The primary objective of an IR plan is to manage a cybersecurity event or incident in a way that limits damage, increases the confidence of external stakeholders, and reduces recovery time and costs."
- Bailey, Brandley & Kaplan (2013)
An organisation must define the possible threats, how to handle these threats, and organise its ranks in such a way that every employee knows what to do in case of a breach. What data does the organisation actually use and how is that data classified? Without this knowledge, an organisation does not know how to prioritise or might not see the significance of a breach.
For each possible type of threat, a response plan must be defined. These can be inspired by Howard and Gulyas's set of categories defined in the 'Overview of data breaches' section of this thesis (2014). For example, an organisation handles a physical infiltration through the use of force by its security guards, while a desk employee calls the police. Another set of response plans must be created for each information-asset type. For instance, a breach involving highly classified information must immediately result in the lockdown of the building and the shutdown of all computer systems.
Preventing data breaches begins with identifying the possible threats and their sources. These analyses can be carried out following specialised protocols. One of these specialised protocols is that of the US National Institute of Standards and Technology [Hereafter NIST]. It is a qualitative standard that is designed for technical experts to identify, evaluate and manage risks in information systems. The NIST Special Publication 800-30 consists of the nine steps below. NIST introduced this standard for risk assessment on information systems for use in the US federal government, which means it could also be used for the prevention phase of this protocol (Stoneburner et al., 2002). Therefore the cleaning-up phase of the protocol could skip steps three and five.
• Step 1: System Characterisation
• Step 2: Threat Identification
• Step 3: Vulnerability Identification
• Step 4: Control Analysis
• Step 5: Likelihood Determination
• Step 6: Impact Analysis
• Step 7: Risk Determination
• Step 8: Control Recommendations
• Step 9: Results Documentation
61 Bailey, T., Brandley, J. & Kaplan, J. (2013). How good is your cyberincident-response plan? McKinsey. http://www.mckinsey.com/insights/business_technology/how_good_is_your_cyberincident_response_plan
Figure 3: The McKinsey incident-response plan.62
An organisation should analyse its systems, identify threats and vulnerabilities and perform a control analysis. For each threat, the likelihood and the subsequent impact should be determined. An organisation should also determine how much it is at risk, for example by completing a market analysis. By making this risk assessment as thorough as possible, one can limit the beta-chance (De Valk, 2005). Finally, the assessment should be completed with control recommendations and results documentation. These control recommendations, or countermeasures, will be further elaborated in the following sections (Stoneburner et al., 2002).
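As an added illustration (not part of the thesis), the following Python sketch carries steps 5 to 9 through for a small risk register, using the example likelihood and impact scales from SP 800-30 (2002); the register rows, the control texts and the function names are constructed assumptions.

```python
from dataclasses import dataclass

# Step 5 likelihood scale (SP 800-30 example values 0.1 / 0.5 / 1.0, kept as
# percentages here so that every product is an exact integer).
LIKELIHOOD = {"Low": 10, "Medium": 50, "High": 100}
# Step 6 impact scale (SP 800-30 example values 10 / 50 / 100).
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_level(likelihood, impact):
    """Step 7: risk = likelihood x impact, binned as in SP 800-30
    (Low: 1-10, Medium: >10-50, High: >50-100). Returns (score, level)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact] // 100
    if score > 50:
        return score, "High"
    if score > 10:
        return score, "Medium"
    return score, "Low"


@dataclass
class RiskItem:
    threat: str          # Step 2
    vulnerability: str   # Step 3
    likelihood: str      # Step 5
    impact: str          # Step 6
    control: str         # Step 8: recommended countermeasure


# Constructed register modelled on the cases this chapter discusses.
REGISTER = [
    RiskItem("Laptop lost off-site", "customer data unencrypted on disk",
             "Medium", "High", "Full-disk encryption; keep customer data on-site"),
    RiskItem("Social engineering via USB-stick", "staff run unknown executables",
             "Medium", "Medium", "Block removable media; awareness training"),
    RiskItem("Backdoor left after intrusion", "login components not audited",
             "Low", "High", "Integrity monitoring of authentication components"),
]


def results_documentation(register):
    """Step 9: one row per item, ordered highest risk first."""
    rows = []
    for item in register:
        score, level = risk_level(item.likelihood, item.impact)
        rows.append({"threat": item.threat, "score": score,
                     "level": level, "control": item.control})
    return sorted(rows, key=lambda row: row["score"], reverse=True)
```

Ranking the register this way shows that the laptop case (Medium likelihood, High impact) lands at the top of the Medium band, which is where the results documentation would direct the first control recommendation.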
These countermeasures can be mapped against a set of categorised countermeasures. Hackers are the biggest source of data breaches in Europe, and are thus the main focus of prevention.63 However, other threats cannot be neglected (Howard and Gulyas, 2014). Cherdantseva and Hilton argue that an organisation should focus on four factors: technical, organisational, human-oriented and legal countermeasures (Cherdantseva and Hilton, 2013), which will be illustrated further in this section.
Most information (or data) security strategies are based on the CIA triad of confidentiality, integrity and availability.64 These are the same factors as McCumber's diagonal axis, described in the previous subsection (1991). This triad was expanded with accountability, auditability, trustworthiness, non-repudiation65 and privacy (Cherdantseva and Hilton, 2013). These components can be mapped against possible threats. Accountability is only applicable to employees and managers, and thus policy does not need to focus on the 'accountability of software'. By contrast, auditability is applicable to all factors in an organisation as defined by Cherdantseva and Hilton: information, people, processes, hardware, software and networks. All factors are also applicable to trustworthiness, availability and integrity. Confidentiality is in turn only applicable to information. Non-repudiation is applicable to information and processes. Last, privacy is applicable to information and people.
This information security also needs to comply with European law. It should make an effort to meet the conditions set by the European Union on transparency, legitimate purpose and proportionality. While transparency and legitimate purpose might not mitigate the risk of a data breach, proportionality can influence the impact of a data breach: when less data is collected, the impact of a breach is lower.
Once the analysis of threats and data types has been completed, an organisation has to define countermeasures, sorted into the categories defined by Cherdantseva and Hilton (2013). These preventive measures could be hosted in the 'castle approach', also known as defence in depth. Originally this method was used in the military, but it is also useful for the prevention of leaks. It holds that security should consist of multiple layers of defences, so that a single failing layer does not compromise the integrity of the entire organisation (Hafiz et al., 2004). By using this method, an organisation can apply multiple countermeasures against a variety of threats. This minimises the beta-chance, in other words the chance that a threat is missed (De Valk, 2005).
Technical
All hardware, software and network-related issues can, to a certain degree, be prevented by the same technological systems. The first line of defence should be a firewall. This forms the barrier between a trusted device or network and the network that cannot be trusted. It provides a single chokepoint in this barrier, through which traffic flows and at which it can be controlled or audited (Oppliger, 1997). This chokepoint can be secured by an Intrusion Detection System [Here-
64 Perrin, C. (2008). The CIA Triad. http://www.techrepublic.com/blog/security/the-cia-triad/488
65 "An ability of a system to prove (with legal validity) occurrence/non-occurrence of an event or participation/non-participation of a party in an event" - Cherdantseva and Hilton (2013)