Huanwei Wang , Fushan Wei , Fagen Li , Jing Jing , Tieming Liu , Wei Liu
{"title":"A feature vector-based modeling attack method on symmetrical obfuscated interconnection PUF","authors":"Huanwei Wang , Fushan Wei , Fagen Li , Jing Jing , Tieming Liu , Wei Liu","doi":"10.1016/j.jisa.2025.104187","DOIUrl":"10.1016/j.jisa.2025.104187","url":null,"abstract":"Physical unclonable functions (PUFs) are widely used in solutions such as device authentication and lightweight encryption due to their tamper-resistant, key-free storage and lightweight properties. However, the security of PUFs is threatened by modeling attacks. In this paper, we propose a novel modeling attack method for the symmetrical obfuscated interconnection physical unclonable function (SOI PUF) based on feature vectors. The proposed method introduces an innovative feature vector transformation technique and vector response pair to capture higher-order relationships with complex PUF architectures. Meanwhile, we propose two important principles for designing deep neural network (DNN) attack models. The experiments are systematically validated for the novel SOI PUF and cSOI PUF architectures, and the results show that, under equivalent dataset conditions, the proposed method achieves a higher attack success rate compared to the traditional challenge-response pair-based modeling approaches, achieving an accuracy of 98.42% in modeling SOI PUF. This study provides valuable theoretical and practical insights for enhancing PUF security and designing attack-resistant PUF architectures.","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"93 ","pages":"Article 104187"},"PeriodicalIF":3.7,"publicationDate":"2025-08-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144858084","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
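The abstract above contrasts feature-vector modeling with plain challenge-response-pair modeling but does not show what a feature-vector transformation is. The following is an added example, not the paper's SOI PUF method and not the authors' code: it implements the textbook transformation that such attacks generalize, the parity ("Phi") vector of an arbiter PUF, in which the delay difference is linear, and fits a logistic-regression model on simulated CRPs. Everything here is constructed: a 16-stage additive-delay arbiter PUF with Gaussian stage delays, noise-free responses, uniformly random challenges. The same training routine is run once on the transformed features and once on the raw challenge bits so the effect of the transformation is visible.

```python
"""Classical modeling attack on a simulated arbiter PUF.

Added worked example; it is not the SOI PUF attack from the paper but the
textbook feature-vector transformation that such attacks generalize. Each
challenge is mapped to a parity vector (Phi) in which the arbiter PUF's delay
difference is linear, then logistic regression is fit on challenge-response
pairs (CRPs). Assumptions (all constructed here): a 16-stage additive-delay
arbiter PUF with Gaussian stage delays, noise-free responses, and uniformly
random challenges.
"""
import math
import random

N_STAGES = 16


def make_puf(rng: random.Random) -> list:
    """Secret delay parameters w_0..w_n: what the attacker is trying to learn."""
    return [rng.gauss(0.0, 1.0) for _ in range(N_STAGES + 1)]


def parity_features(challenge: list) -> list:
    """Feature-vector transformation: Phi_i = prod_{j>=i} (1 - 2 c_j), Phi_n = 1."""
    phi = [1.0] * (N_STAGES + 1)
    for i in range(N_STAGES - 1, -1, -1):
        phi[i] = phi[i + 1] * (1 - 2 * challenge[i])
    return phi


def raw_features(challenge: list) -> list:
    """Baseline used by plain CRP-based models: the challenge bits as +/-1, plus a bias."""
    return [1.0 - 2 * c for c in challenge] + [1.0]


def puf_response(w: list, challenge: list) -> int:
    """Arbiter output: sign of the accumulated delay difference."""
    delta = sum(wi * pi for wi, pi in zip(w, parity_features(challenge)))
    return 1 if delta > 0 else 0


def collect_crps(w: list, count: int, rng: random.Random) -> list:
    """Simulate an attacker querying the device `count` times."""
    out = []
    for _ in range(count):
        c = [rng.randrange(2) for _ in range(N_STAGES)]
        out.append((c, puf_response(w, c)))
    return out


def train_logistic(crps: list, featurize, epochs: int = 60, lr: float = 0.05) -> list:
    """Plain SGD logistic regression on featurize(challenge) -> response."""
    model = [0.0] * len(featurize(crps[0][0]))
    for _ in range(epochs):
        for c, r in crps:
            x = featurize(c)
            z = max(-30.0, min(30.0, sum(m * xi for m, xi in zip(model, x))))
            grad = 1.0 / (1.0 + math.exp(-z)) - r   # sigmoid(z) - label
            for i, xi in enumerate(x):
                model[i] -= lr * grad * xi
    return model


def accuracy(model: list, crps: list, featurize) -> float:
    """Fraction of held-out CRPs whose response the model predicts correctly."""
    hits = sum((sum(m * xi for m, xi in zip(model, featurize(c))) > 0) == (r == 1)
               for c, r in crps)
    return hits / len(crps)


def run_attack(seed: int = 1, n_train: int = 800, n_test: int = 400) -> tuple:
    """Returns (accuracy with parity features, accuracy with raw challenge bits)."""
    rng = random.Random(seed)
    w = make_puf(rng)
    train = collect_crps(w, n_train, rng)
    test = collect_crps(w, n_test, rng)
    acc_parity = accuracy(train_logistic(train, parity_features), test, parity_features)
    acc_raw = accuracy(train_logistic(train, raw_features), test, raw_features)
    return acc_parity, acc_raw


if __name__ == "__main__":
    parity, raw = run_attack()
    print(f"parity features: {parity:.3f}   raw challenge bits: {raw:.3f}")
```

The point the comparison makes is the one the abstract relies on: the model class is identical in both runs, only the input representation changes, and the linear model can only learn the PUF once the challenge has been mapped into the space where the circuit's behaviour is linear. Obfuscated designs such as SOI PUF are built so that no such simple map is known, which is why the paper needs a learned transformation and a DNN rather than this closed-form one.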
Guangyun Yang , Xinhui Lu , Yu Lu , Xiangguang Xiong
{"title":"Robust zero-watermarking method for medical images based on FFST and Daisy descriptor","authors":"Guangyun Yang , Xinhui Lu , Yu Lu , Xiangguang Xiong","doi":"10.1016/j.jisa.2025.104193","DOIUrl":"10.1016/j.jisa.2025.104193","url":null,"abstract":"With the continuous development of digital medical imaging technologies, ensuring the security of medical images has become critically important. In this study, the Daisy descriptors’ stability against attacks was first examined experimentally, and the findings show that they provide superior robustness. With this, a robust zero-watermarking method is designed to maintain medical image integrity and enable copyright protection by combining the fast finite Shearlet transform (FFST), Daisy descriptor, and Hessenberg decomposition. First, FFST was performed on the medical image to extract the low-frequency component and divide it into blocks of equal size. Second, each block’s Daisy descriptor matrix is calculated and its 8 × 8 block is selected, after which the Hessenberg decomposition is performed for each block, and a feature image is derived from the magnitude comparison between the maximum value of each block and the global mean. Additionally, the copyrighted image is first encrypted by using a 2D Logistic-Sine coupling mapping, and then combined with the feature image through an exclusive OR operation to produce an unrecognizable binary image. The experimental results on ten medical images and three benchmark image databases (COVID-19, OASIS-1, and SIPI) show that the proposed method is highly resistant to most attacks, and the normalized correlation coefficient is always maintained higher than 0.95. Compared to typical methods, our method achieves superior robustness and improves the average performance by approximately 3.2%.","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"93 ","pages":"Article 104193"},"PeriodicalIF":3.7,"publicationDate":"2025-08-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144852573","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Efficient NTT/INTT processor for FALCON post-quantum cryptography","authors":"Ghada Alsuhli , Hani Saleh , Mahmoud Al-Qutayri , Baker Mohammad , Thanos Stouraitis","doi":"10.1016/j.jisa.2025.104177","DOIUrl":"10.1016/j.jisa.2025.104177","url":null,"abstract":"FALCON is a lattice-based post-quantum cryptographic (PQC) digital signature standard known for its compact signatures and resistance to quantum attacks. Since its recent standardization, its hardware implementation remains an open challenge, particularly for key generation, which is significantly more complex than the simple and well-studied signature verification process. In this paper, targeting edge devices with constrained resources, we present an energy-efficient and area-optimized NTT/INTT architecture tailored to the specific requirements of FALCON key generation. By leveraging NTT-friendly primes and reducing the size of the multipliers in the Montgomery reduction algorithm, optimized for ASIC implementation, our design minimizes hardware complexity, achieving the lowest power and area consumption compared to state-of-the-art Montgomery reduction implementations. The proposed hardware architecture features a processing element array, distributed SRAMs, and ROMs, with three levels of reconfigurability, supporting both NTT and INTT operations. Designed using the Global Foundries’ 22 nm FD-SOI process, an Application-Specific Integrated Circuit (ASIC) is estimated to occupy 0.04 mm² and consume 18.2 mW at 1 GHz. The proposed processor achieves 700 times greater energy efficiency and performs computations 200 times faster than software implementations on the ARM Cortex-M4. It also achieves the lowest area–time product and highest energy efficiency among state-of-the-art NTT/INTT hardware accelerators. By carefully balancing power consumption and computational speed, this design offers an efficient solution for deploying FALCON key generation on devices with limited resources.","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"93 ","pages":"Article 104177"},"PeriodicalIF":3.7,"publicationDate":"2025-08-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144841758","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
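The abstract above names the two arithmetic ingredients of the design, an NTT/INTT over NTT-friendly primes and a Montgomery reduction with shrunken multipliers, without showing either. The following is an added example, not the paper's processor or its RTL: it spells out in plain Python the arithmetic such a unit accelerates, so the butterfly structure and the reduction step can be read and checked. Assumptions: q = 12289 (FALCON's signature modulus), n = 512 (FALCON-512), and R = 2^16 for Montgomery reduction, matching the 16-bit coefficient arithmetic of the FALCON reference code; the paper's key-generation NTTs run over other NTT-friendly primes, for which the same code applies with Q and R changed.

```python
"""Negacyclic NTT/INTT over Z_q[x]/(x^n + 1) with Montgomery multiplication.

Added worked example (not the paper's processor or RTL). Assumptions:
q = 12289 (FALCON's signing/verification modulus), n = 512 (FALCON-512), and
R = 2^16 for Montgomery reduction, matching the 16-bit coefficient arithmetic
of the FALCON reference code. Key generation uses other NTT-friendly primes;
the butterflies and the reduction are the same with Q and R changed.
"""
from functools import lru_cache

Q = 12289            # q = 12 * 2^10 + 1, so 2n-th roots of unity exist for n <= 2048
R_BITS = 16
R = 1 << R_BITS
Q_NEG_INV = (-pow(Q, -1, R)) % R   # -q^{-1} mod R, precomputed once


def mont_reduce(x: int) -> int:
    """Montgomery reduction: for 0 <= x < q*R, return x * R^{-1} mod q.

    The only extra multiply is x * Q_NEG_INV truncated to R_BITS bits; that is
    the multiplier whose width a hardware design trades against area/power.
    """
    m = (x * Q_NEG_INV) & (R - 1)      # x + m*q is divisible by R by construction
    t = (x + m * Q) >> R_BITS          # exact division by R
    return t - Q if t >= Q else t      # t < 2q, so one conditional subtraction


def mont_mul(a: int, b_mont: int) -> int:
    """a * b mod q, where b_mont = b * R mod q is b in Montgomery form."""
    return mont_reduce(a * b_mont)


def to_mont(x: int) -> int:
    return (x * R) % Q


def bit_reverse(x: int, bits: int) -> int:
    return int(format(x, f"0{bits}b")[::-1], 2)


def primitive_root(order: int) -> int:
    """Element of exact multiplicative order `order` (a power of two dividing q-1)."""
    assert (Q - 1) % order == 0 and order & (order - 1) == 0
    for g in range(2, Q):
        w = pow(g, (Q - 1) // order, Q)
        if pow(w, order // 2, Q) != 1:  # order is 2^k, so this proves the order is exact
            return w
    raise ValueError("no primitive root found")


@lru_cache(maxsize=None)
def twiddles(n: int):
    """zetas[k] = psi^bitrev(k) and their inverses, both in Montgomery form,
    for psi a primitive 2n-th root of unity (so x^n + 1 splits completely)."""
    logn = n.bit_length() - 1
    psi = primitive_root(2 * n)
    z = [pow(psi, bit_reverse(k, logn), Q) for k in range(n)]
    return (tuple(to_mont(v) for v in z),
            tuple(to_mont(pow(v, -1, Q)) for v in z))


def ntt(f):
    """Cooley-Tukey forward NTT; output is in bit-reversed order."""
    n, a = len(f), [c % Q for c in f]
    z, _ = twiddles(n)
    length = n // 2
    while length >= 1:
        for start in range(0, n, 2 * length):
            zeta = z[n // (2 * length) + start // (2 * length)]
            for j in range(start, start + length):
                t = mont_mul(a[j + length], zeta)
                a[j + length] = (a[j] - t) % Q
                a[j] = (a[j] + t) % Q
        length //= 2
    return a


def intt(fhat):
    """Gentleman-Sande inverse NTT; undoes ntt() including the 1/n factor."""
    n, a = len(fhat), list(fhat)
    _, zinv = twiddles(n)
    length = 1
    while length < n:
        for start in range(0, n, 2 * length):
            zeta_inv = zinv[n // (2 * length) + start // (2 * length)]
            for j in range(start, start + length):
                t = a[j]
                a[j] = (t + a[j + length]) % Q
                a[j + length] = mont_mul((t - a[j + length]) % Q, zeta_inv)
        length *= 2
    n_inv = to_mont(pow(n, -1, Q))
    return [mont_mul(c, n_inv) for c in a]


def poly_mul(f, g):
    """f * g mod (x^n + 1, q) via NTT: O(n log n) instead of O(n^2)."""
    return intt([(x * y) % Q for x, y in zip(ntt(f), ntt(g))])


def poly_mul_schoolbook(f, g):
    """Reference negacyclic product used to check the transform."""
    n, c = len(f), [0] * len(f)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < n:
                c[i + j] = (c[i + j] + fi * gj) % Q
            else:
                c[i + j - n] = (c[i + j - n] - fi * gj) % Q   # x^n = -1
    return c
```

Two details carry over to any hardware version. First, every multiplication by a twiddle is a Montgomery multiplication with the twiddle pre-scaled by R, so the data path never needs a full modular division; the narrow `x * Q_NEG_INV mod R` product is what a reduced-width multiplier implements. Second, the forward and inverse transforms differ only in butterfly order and twiddle table, which is why one reconfigurable processing-element array can serve both NTT and INTT.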
Qiqi Xie , Hong Zhang , Liqiang Wang , Miao Wang , Wanqing Wu , Yilong Liu
{"title":"SecureLoc: A fully homomorphic encryption-based privacy protection scheme for location-based services","authors":"Qiqi Xie , Hong Zhang , Liqiang Wang , Miao Wang , Wanqing Wu , Yilong Liu","doi":"10.1016/j.jisa.2025.104190","DOIUrl":"10.1016/j.jisa.2025.104190","url":null,"abstract":"As Internet of Things (IoT) technology advances, a growing number of devices can access real-time location information and engage with other devices and platforms. Consequently, this expansion enriches the data sources and application scenarios for Location-Based Services (LBS). The computational tasks of LBS are often outsourced to a third-party service (TPS) for processing in order to improve computational efficiency on users’ devices. However, sensitive and private data stored with a semi-honest TPS poses the risk of data abuse or data leakage. In this paper, we propose a robust privacy-preserving scheme called SecureLoc within outsourced computing environments. Utilizing the collaborative capabilities of the TPS and the Trajectory Matching Server (TMS), we present a fully homomorphic encryption approach to protect the privacy of location and sensitive information. Specifically, we present an improved CKKS-based trajectory comparison algorithm that ensures trajectory matching without exposing sensitive plaintext data. In addition, by utilizing complex numbers to store location coordinates and ciphertext expansion, we greatly improve the computational efficiency. We also combine the K-anonymity algorithm with CKKS to further enhance the protection of user privacy by anonymizing and generalizing sensitive information such as phone numbers, ID numbers, and LBS request times. Finally, we prove SecureLoc is secure against semi-honest TPS and malicious eavesdroppers, and demonstrate that our method outperforms other state-of-the-art methods in terms of security, feasibility, and accuracy.","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"93 ","pages":"Article 104190"},"PeriodicalIF":3.7,"publicationDate":"2025-08-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144841927","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"MLAF-VD: A vulnerability detection model based on multi-level abstract features","authors":"Qinghao Li, Wei Liu, Yisen Wang, Weiyu Dong","doi":"10.1016/j.jisa.2025.104189","DOIUrl":"10.1016/j.jisa.2025.104189","url":null,"abstract":"As key factors that threaten software security, software vulnerabilities need to be effectively detected. In recent years, with the prosperity of deep learning technology, the academic community has witnessed the emergence of numerous software vulnerability detection methods based on deep learning. These methods usually use different-level abstract features such as code snippets, AST, or CFG as feature representations of vulnerability samples, and then feed them into neural networks to learn patterns of the vulnerabilities. However, these abstract features lack direct relevance to vulnerability detection (i.e., they are not specifically designed for vulnerability detection), which makes it difficult for these abstract features to represent the vulnerability semantics accurately. In addition, single-level abstract features face challenges in comprehensively reflecting code information. In this paper, we propose a semantic-level danger structure graph (DSG), which aims to represent the semantic part of the code that is related to the vulnerability. A graph neural network with global attention, Global-GAT, is also proposed to capture the global dependencies of the graph representation. Based on DSG and Global-GAT, we propose a vulnerability detection model based on multi-level abstract features, named MLAF-VD. MLAF-VD learns the sequence-level, structure-level, and semantic-level abstract features of the code with multiple attention mechanisms, and alleviates the influence of noise information through a denoising module. We evaluate MLAF-VD on 3 representative public datasets, and the results show that MLAF-VD outperforms the best baseline methods by 4.88%, 7.40%, and 12.60% in terms of F1-Score, respectively. In practical applications, MLAF-VD detects 20 N-Day vulnerabilities from 6 open-source projects, demonstrating its effectiveness in detecting software vulnerabilities.","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"93 ","pages":"Article 104189"},"PeriodicalIF":3.7,"publicationDate":"2025-08-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144829717","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Sana Said, JalelEddine Hajlaoui, Mohamed Nazih Omri
{"title":"New privacy-respecting access control-based approach for data placement in an Internet of Things environment","authors":"Sana Said, JalelEddine Hajlaoui, Mohamed Nazih Omri","doi":"10.1016/j.jisa.2025.104192","DOIUrl":"10.1016/j.jisa.2025.104192","url":null,"abstract":"The future internet landscape is increasingly dependent on social networks and the Internet of Things (IoT), leveraging diverse communication technologies. While early internet usage primarily involved web browsing, multimedia services, and social networking, the rapid proliferation of the IoT has made data confidentiality and security paramount. This paper presents a novel approach that integrates Formal Concept Analysis (FCA) with Role-Based Access Control (RBAC) to strengthen access control and optimize data confidentiality in IoT environments. Our proposed Data Placement in IoT using Privacy-respecting Access Control (DPPAC) framework addresses two critical challenges: minimizing unauthorized access risks and ensuring robust data confidentiality through optimal security component placement. A comprehensive evaluation demonstrates DPPAC’s superiority over traditional RBAC and FCA methods across key metrics, including Authorization Rate (AR), Rejection Rate (RR), Precision, Recall, and F-measure. Experimental results show that DPPAC achieves significantly higher AR and lower RR compared to traditional approaches, confirming its enhanced security capabilities.","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"93 ","pages":"Article 104192"},"PeriodicalIF":3.7,"publicationDate":"2025-08-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144829712","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Ao Liu , Jing Chen , Shixiong Yao , Kun He , Ruiying Du
{"title":"An auditable and privacy-preserving user-controllable group signature scheme in blockchain","authors":"Ao Liu , Jing Chen , Shixiong Yao , Kun He , Ruiying Du","doi":"10.1016/j.jisa.2025.104181","DOIUrl":"10.1016/j.jisa.2025.104181","url":null,"abstract":"In recent years, the rapid development of Internet information technology has also brought about numerous challenges, with one of the most prominent being data security. In current information systems, platforms control critical data but rely on centralized architectures. As a result, data usage cannot be effectively monitored, leading to issues such as insecure storage and privacy breaches, which are especially critical in financial transaction systems. In this paper, we propose and implement a group signature model based on user behavior. This model maps privacy preservation levels to users’ transaction amounts, achieving a dynamic and user-perceivable multi-level privacy preservation mechanism. As users’ transaction amounts increase, the privacy preservation level of the group signature gradually enhances, allowing authorized parties to reveal more user privacy information. The proposed scheme achieves a balance between user privacy preservation and regulation, offering a more flexible solution for modern Internet trading systems. To validate the practicality of this group signature, we developed a blockchain-based knowledge payment platform to address issues of data abuse and data leakage in existing knowledge payment platforms. Security and performance analyses confirm the practicality and effectiveness of the proposed scheme.","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"93 ","pages":"Article 104181"},"PeriodicalIF":3.7,"publicationDate":"2025-08-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144809657","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Lightweight representation learning for network traffic towards malicious traffic detection in edge devices","authors":"Kumar Anurupam , Karthick Seshadri","doi":"10.1016/j.jisa.2025.104186","DOIUrl":"10.1016/j.jisa.2025.104186","url":null,"abstract":"With the rapid increase in the number of connected devices in the Internet of Things (IoT) environment, their exposure to threats has increased significantly. The attackers can launch sophisticated attacks on these networks more frequently due to the ease of availability of computing facilities. The devices in the IoT network have limited computational power, storage capacity, and hardware capability, making it challenging to secure them using traditional approaches. Over the years, many machine learning and deep learning-based approaches have been proposed to classify the traffic flowing through the edge devices, but the models have their limitations, such as slow detection of the attacks because of the limited computational power of these devices, thereby rendering parameter-heavy models infeasible to be run on such devices. To overcome this, we propose a structure learning algorithm to create a model whose structure learning is done using correlation analysis and PCA, then is optimized using parent divorcing and Sequential least squares programming, thereby creating a model that exhibits high performance despite being lean with respect to the number of parameters. The chosen features’ relevance for each attack is also validated via qualitative mapping and domain logic. The generated model, evaluated using UNSW-NB15 and TON-IoT datasets, outperformed several state-of-the-art models to classify malicious traffic, especially in terms of inference time and model size. Despite its resource efficiency, it shows comparable results in terms of accuracy, recall, precision, and F1 score with other baseline models.","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"93 ","pages":"Article 104186"},"PeriodicalIF":3.7,"publicationDate":"2025-08-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144887586","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Tomás Pelayo-Benedet , Ricardo J. Rodríguez , Carlos H. Gañán
{"title":"The machines are watching: Exploring the potential of Large Language Models for detecting Algorithmically Generated Domains","authors":"Tomás Pelayo-Benedet , Ricardo J. Rodríguez , Carlos H. Gañán","doi":"10.1016/j.jisa.2025.104176","DOIUrl":"10.1016/j.jisa.2025.104176","url":null,"abstract":"Algorithmically Generated Domains (AGDs) are integral to many modern malware campaigns, allowing adversaries to establish resilient command and control channels. While machine learning techniques are increasingly employed to detect AGDs, the potential of Large Language Models (LLMs) in this domain remains largely underexplored. In this paper, we examine the ability of nine commercial LLMs to identify malicious AGDs, without parameter tuning or domain-specific training. We evaluate zero-shot approaches and few-shot learning approaches, using minimal labeled examples and diverse datasets with multiple prompt strategies. Our results show that certain LLMs can achieve detection accuracy between 77.3% and 89.3%. In a 10-shot classification setting, the largest models excel at distinguishing between malware families, particularly those employing hash-based generation schemes, underscoring the promise of LLMs for advanced threat detection. However, significant limitations arise when these models encounter real-world DNS traffic. Performance degradation on benign but structurally suspect domains highlights the risk of false positives in operational environments. This shortcoming has real-world consequences for security practitioners, given the need to avoid erroneous domain blocking that disrupts legitimate services. Our findings underscore the practicality of LLM-driven AGD detection, while emphasizing key areas where future research is needed (such as more robust warning design and model refinement) to ensure reliability in production environments.","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"93 ","pages":"Article 104176"},"PeriodicalIF":3.7,"publicationDate":"2025-08-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144809641","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Samuel Wairimu , Leonardo Horn Iwaya , Lothar Fritsch , Stefan Lindskog
{"title":"Understanding practitioner perspectives on using privacy harm categories for privacy risk assessment","authors":"Samuel Wairimu , Leonardo Horn Iwaya , Lothar Fritsch , Stefan Lindskog","doi":"10.1016/j.jisa.2025.104174","DOIUrl":"10.1016/j.jisa.2025.104174","url":null,"abstract":"Privacy Impact Assessments (PIAs), also known as Data Protection Impact Assessments (DPIAs) under the EU GDPR, and Privacy Risk Assessments (PRAs) have emerged as prominent privacy engineering methodologies, aiding developers and data controllers to systematically identify privacy risk and assign appropriate controls. As part of such methodologies, the concept of privacy harms has been proposed as a valuable, well-structured taxonomy that contributes to the rationalization and justification of assessment decisions made by practitioners. While some PRA methodologies include privacy harms, the impact of these inclusions based on practitioners’ perspectives remains largely unexplored. Hence, this study investigates whether evaluating predefined privacy harm categories, i.e., physical, psychological, financial/economic, reputational, and societal harms, can improve PRA outcomes by exploring PIA/DPIA and PRA practitioners’ perspectives. Using semi-structured interviews, including a workable PRA exercise, opinions and perspectives on privacy harms were elicited and analyzed following a reflexive thematic analysis. In total, 17 privacy practitioners were interviewed, revealing a range of positive (e.g., informative, educational) and negative (e.g., misleading, too broad) opinions on evaluating privacy harm categories. Further results indicate a lack of a standardized definition of privacy harm. In addition, participants noted that privacy harms are highly context-dependent and vary based on the data subject, hence resulting in difficulty quantifying them. Nevertheless, privacy harms are a critical addition to PIA/DPIA and PRA methodologies, supporting more rationalized and justifiable decisions when assessing risk, severity, and implementing mitigating controls. Yet, some prioritization of harm categories is advisable to efficiently allocate time and resources for assessment.","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"93 ","pages":"Article 104174"},"PeriodicalIF":3.7,"publicationDate":"2025-08-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"144779861","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}