Automatic online quantification and prioritization of data protection risks

Abstract

Data processing systems operate in increasingly dynamic environments, such as in cloud or edge computing. In such environments, changes at run time can result in the dynamic appearance of data protection vulnerabilities, i.e., configurations in which an attacker could gain unauthorized access to confidential data. An autonomous system can mitigate such vulnerabilities by means of automated self-adaptations. If there are several data protection vulnerabilities at the same time, the system has to decide which ones to address first. In other areas of cybersecurity, risk-based approaches have proven useful for prioritizing where to focus efforts for increasing security. Traditionally, risk assessment is a manual and time-consuming process. On the other hand, addressing run-time risks requires timely decision-making, which in turn necessitates automated risk assessment. In this paper, we propose a mathematical model for quantifying data protection risks at run time. This model accounts for the specific properties of data protection risks, such as the time it takes to exploit a data protection vulnerability and the damage caused by such exploitation. Using this risk quantification, our approach can make, in an automated process, sound decisions on prioritizing data protection vulnerabilities dynamically. Experimental results show that our risk prioritization method leads to a reduction of up to 15.8% in the damage caused by data protection vulnerabilities.