UT Institute of Computer Science Graduation Theses Registry


Privacy Enhanced Secure Tropos: A Privacy Modeling Language for GDPR Compliance
Name Ilhan Çelebi
Abstract Compliance with the European Union General Data Protection Regulation (GDPR) is becoming a legal necessity for software systems that process and manage personal data. As a result, GDPR compliance and privacy components need to be considered from the early stages of the development process, and software engineers should analyze not only the system but also its environment. This study introduces Privacy Enhanced Secure Tropos (PESTOS), a privacy modeling language based on the Tropos methodology that covers the goal and rule perspective. It helps software engineers assess candidate privacy-enhancing technologies (PETs) while designing privacy-aware systems, in order to make those systems compatible with the GDPR. Although the accountability principle in Article 5(2) of the GDPR requires organizations to show compliance with the principles of the GDPR, there has not been any practical social modeling language that meets the demand driven by industrial and commercial needs. To the best of our knowledge, there is currently no other privacy modeling language that focuses specifically on GDPR compliance and is enhanced based on the Security Risk-Aware Secure Tropos methodology. This is a serious issue for public institutions and the private sector in the EU zone, because the GDPR brings very serious charges for data controllers and data processors; organizations therefore do not feel ready to face those regulations, and software engineers lack methods for capturing change requests of the information systems. This paper applies a structured privacy modeling language called PESTOS, which has a goal-oriented solution domain and aims to bring high compatibility with the GDPR by covering Privacy by Design strategies for assessing proper PETs with respect to the goal-actor-rule perspective.
Among the 99 articles of the GDPR, 21 can be identified as technical-level requirements, which PESTOS is able to transform into GDPR goals that need to be fulfilled in order to support business assets. A survey conducted by identity and security experts validates that the proposed model has a sufficient level of correctness, completeness, productivity and ease of use.
Graduation Thesis language English
Graduation Thesis type Master - Cyber Security
Supervisor(s) Raimundas Matulevicius
Defence year 2018
PDF