Visible to the public Real-time Privacy Risk Evaluation and Enforcement - January 2017Conflict Detection Enabled

Public Audience
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.

PI(s): Travis Breaux (CMU)

1) HARD PROBLEM(S) ADDRESSED (with short descriptions)

This refers to Hard Problems, released November 2012.

  • Security-Metrics-Driven-Evaluation, Design, Development and Deployment. Our research investigates new methods to measure privacy risk based on how systems collect and share personal information.

  • Understanding and Accounting for Human Behavior. Our research applies theory from psychology and judgement and decision science concerning how individuals perceive benefits, assess risks and make decisions to sharing cybersecurity information.


  1. J. Bhatia, T.D. Breaux, L. Friedberg, H. Hibshi, D. Smullen. "Privacy Risk in Cybersecurity Data Sharing," In Proc. 3rd ACM Workshop on Information Sharing and Collaborative Security (WISCS), Vienna, Austria, October 24, 2016.
  2. M. Bokaei Hosseini, S. Wadkar, T.D. Breaux, J. Niu. "Lexical Similarity of Information Type Hypernym and Meronyms in Privacy Policies," In Proc. Fall AAAI Symposium on Privacy and Languages Technologies, Arlington, VA, November 17 - 19, 2016.


The project produced an empirically validated framework for measure perceived privacy risk. The framework consists of a factorial vignette survey design for collecting privacy risk measures from individuals given the benefits of sharing cybersecurity information to respond to cyber threats, and an algorithm for computing predicted privacy risk scores for independent information types. The research found that, while individuals can perceive increased risk with increased likelihood, the contribution to overall risk perception is sub-linear: there are greater perceived differences among the risks of sharing different information types, than the differences due to solely to increased likelihood of a privacy harm for a single information type. Moreover, the research shows that individuals are more willing to share information about what they do, than they are willing to share information about who they are. This indicates that privacy risk may increase non-linearly when identifiable information is combined with sensitive information types. With respect to scalability, we are currently investigating techniques to scale the information type ontology, to investigate the effect of data aggregation, and to identify cost-effective ways to re-sample privacy risk measures from individuals.

4) COMMUNITY ENGAGEMENTS (if applicable)

  • Presented "Measuring Perceived Privacy Risk in Cybersecurity Information Sharing," at the Science of Security Quarterly Lablet Meeting, University of Illinois, Urbana-Champagne, July 27, 2016.
  • Presented "Privacy Impacts of Industry Sharing Cybersecurity Indicators with (US) Government Entities" at NATO Lecture Series IST-143 Cyber Security and Science Engineering, Arlington, Virginia, November 8, 2016.

5) EDUCATIONAL ADVANCES (if applicable)