
Our work entitled “Data Cart - Designing a tool for the GDPR-compliant handling of personal data by employees” by Jan Tolsdorf, Florian Dehling and Prof. Dr.-Ing. Luigi Lo Iacono has been accepted for publication in Behaviour & Information Technology under the special issue “Usable Security and Privacy with User-Centered Interventions and Transparency Mechanisms”. The article addresses the issue of usable tools for the data protection compliant processing of personal data by employees acting under the authority of a data controller. We report on a user-centered design study in which we developed a concept and tool incorporating Privacy by Design. Working with 19 employees of two public organizations in Germany, we present a concept that supports employees in handling personal data and complying with data protection laws. Through a series of workshops and usability tests, we demonstrate the solution’s potential for improving the usability of data protection compliant tools for managing personal data. At the same time, we show how data controllers benefit from improved compliance.
The DAS Group is pleased to attend this year’s USP Day with two presentations:
“Data Cart - Designing a tool for the GDPR-compliant handling of personal data by employees.” - Jan Tolsdorf
“Usable Security and Privacy of Risk-based Authentication” - Stephan Wiefling
Details about the event: USP Day 2022, February 11, 2022, start 9 a.m. Registration for the event is free of charge.
Risk-Based Authentication can strengthen password security while maintaining usability. However, there is currently a lack of available Open Source RBA solutions that provide good security and usability. Our OpenStack plugin aims to close this gap. This also allows websites with small budgets to protect their users with RBA. We will release the plugin to the public soon. Until then, you can find initial information about the plugin at the official GitHub project.

From patient records to diagnostic equipment, hospital care is based on the secure use and operation of information technology. In practice, however, insufficient awareness of information security among medical staff often poses a challenge to secure operations. As part of the MedISA (Medical Centre Employee Centered Information Security Awareness) research project, the DAS Group is developing strategies to raise awareness of IT security and data protection among employees in medical care facilities. The project is funded by the German Federal Ministry of Health (BMG). Associated partners are the Universitätsklinikum Aachen and the Universitätsklinikum Düsseldorf. Other institutions interested in participating are welcome to contact us.

The paper entitled “Employees’ privacy perceptions: exploring the dimensionality and antecedents of personal data sensitivity and willingness to disclose.” by Jan Tolsdorf, Prof. Dr.-Ing. Delphine Reinhardt and Prof. Dr.-Ing. Luigi Lo Iacono has been accepted for the 22nd Privacy Enhancing Technologies Symposium (PETS 2022).

The paper Privacy Considerations for Risk-Based Authentication (RBA) Systems by Stephan Wiefling, Jan Tolsdorf, and Luigi Lo Iacono was accepted at the 2021 International Workshop on Privacy Engineering (IWPE ‘21), co-located with the 6th IEEE European Symposium on Security and Privacy (EuroS&P ‘21). The work proposed and tested several mechanisms to enhance privacy in RBA models that are apparently used by the majority of online services on the Web. The full paper is available at our RBA website.

Two papers were recently published and presented at the IFIP SEC 2021 conference. The paper XML Signature Wrapping Still Considered Harmful: A Case Study on the Personal Health Record in Germany by Paul Höller, Alexander Krumeich, and Luigi Lo Iacono found security weaknesses that can be exploited in the German personal health record. The paper Less is Often More: Header Whitelisting as Semantic Gap Mitigation in HTTP-Based Software Systems by Andre Büttner, Hoai Viet Nguyen, Nils Gruschka, and Luigi Lo Iacono introduces the header whitelisting (HWL) approach to address the semantic gap in HTTP message processing pipelines.

The paper “I just looked for the solution!” - On Integrating Security-Relevant Information in Non-Security API Documentation to Support Secure Coding Practices by Peter Leo Gorski, Sebastian Möller, Stephan Wiefling and Luigi Lo Iacono has been published in the IEEE Transactions on Software Engineering (TSE) journal. The work presents an eye-tracking study investigating how developers use code examples in non-security API documentation. The observations suggest that developers mostly focused on code examples, and that these significantly help to produce secure solutions.
The paper entitled “Components and Architecture for the Implementation of Technology-driven Employee Data Protection” authored by Florian Dehling, Denis Feth, Svenja Polst, Bianca Steffes and Jan Tolsdorf has been accepted for presentation at the 18th International Conference on Trust, Privacy and Security in Digital Business (TrustBUS 2021). The paper describes how to successfully implement technology-enabled employee data protection. It presents the necessary components and classifies them from a legal perspective. The paper concludes with an architectural concept that allows a gradual implementation of the components in order to ensure that companies become legally compliant at an early stage without being overburdened.

The article Verify It’s You: How Users Perceive Risk-based Authentication by Stephan Wiefling, Markus Dürmuth, and Luigi Lo Iacono has been published in IEEE Security & Privacy. The article covers the RBA usability study published at ACSAC 2020, but is targeted towards a general audience. We also included some new results.

The ODEA.5G project has started as part of the 5G.NRW Competence Center. In the ODEA.5G project, the H-BRS University of Applied Sciences and the University of Cologne are setting up 5G campus networks at both universities to test and evaluate state-of-the-art e-assessment systems.

The paper “Evaluation of Account Recovery Strategies with FIDO2-based Passwordless Authentication” by Johannes Kunke, Stephan Wiefling, Markus Ullmann, and Luigi Lo Iacono was accepted for presentation at the Open Identity Summit 2021 (OID ‘21). The paper presents a heuristic evaluation of 12 account recovery mechanisms regarding their properties for FIDO2 passwordless authentication. The conference will take place online on June 1-2, 2021.
The paper entitled “A case study on the implementation of the right of access in privacy dashboards” authored by Jan Tolsdorf, Michael Fischer and Prof. Dr.-Ing. Luigi Lo Iacono has been accepted for presentation at the 9th Annual Privacy Forum (APF). The paper was based on the results of Michael Fischer’s bachelor thesis, in which he examined various privacy dashboards in terms of their compliance with the right of access.
The paper entitled “Exploring Mental Models of the Right to Informational Self-Determination of Office Workers in Germany” by Jan Tolsdorf, Florian Dehling, Prof. Dr.-Ing. Delphine Reinhardt and Prof. Dr.-Ing. Luigi Lo Iacono has been accepted for the 21st Privacy Enhancing Technologies Symposium (PETS 2021).

The paper What’s in Score for Website Users: A Data-driven Long-term Study on Risk-based Authentication Characteristics is accepted for FC 2021. A quick summary including a PDF version of the paper can be found on the study website.

In issue 1/2021, the journal DuD Datenschutz und Datensicherheit devotes its focus topic to employee data protection. Five contributions and the editorial of the issue were contributed by the TrUSD project. The contributions give an overview of current work on employee data protection, ranging from an assessment of the current state and an introduction to the problem area, through the analysis and evaluation of the framework conditions, to the ways towards an effective practical implementation. The Data and Application Security Group was involved in the following three contributions:

The paper More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication is accepted for ACSAC 2020. A quick overview of the study results and an Open Access version of the paper can be found on the study website. “Security guru” Bruce Schneier published a blog article on our study.

The paper Evaluation of Risk-based Re-Authentication Methods, to appear at IFIP SEC ‘20, is published. A quick overview of the study results can be found on the paper website.
In the research project “User Trust Experience” (UTE), the H-BRS University of Applied Sciences has been commissioned by TÜV TRUST IT in cooperation with Huawei UCD Center to examine influencing factors on users’ trust in technical components. More information can be found on the UTE project page.

Within the framework of the 5G.NRW competition, the North Rhine-Westphalian state government has recommended 13 projects for funding, including the ODEA.5G project. ODEA.5G aims to develop an e-assessment environment based on a 5G campus network together with the University of Cologne. This project is a cooperation with Deutsche Telekom AG, Electric Paper Evaluationssysteme GmbH, and Lucerne University of Applied Sciences and Arts.