An Economic Valuation Approach for (Privacy Enhancing) Identity Management Services
Session: The economics of privacy
FIA - Future Internet Assembly, 2011-05-18/19, Budapest, Hungary
Prof. Dr. Kai Rannenberg
T-Mobile Chair of Mobile Business & Multilateral Security
Goethe University Frankfurt, Germany
www.m-chair.net
Challenges to be addressed
• Innovative business models for privacy
• Pricing for/of privacy
• Privacy as a service (product?)
An Economic valuation approach for privacy-enhancing Identity Management (IdM) services
Economic valuation of privacy-enhancing IdM services
Motivation:
• Valuation approach to overcome the shortcomings of decision making processes
• Decision making processes of IdM service providers on market introductions of (or investments in) privacy-enhancing IdM services
Results:
• Set of decision relevant economic consequences of adopting, mediating or providing privacy-enhancing IdM services
• An indication to which extent privacy-enhancing IdM services are economically feasible
Testing by:
• Real-life IdM infrastructure scenarios
Process & Structure Model
Process Model
Step 1: Description of the Baseline Option and feasible Delta Options
Step 2: Identification of each Stakeholder’s Costs and Benefits
Step 3: Selection of Key Costs and Benefits for each Stakeholder
Step 4: Clustering and Mapping of Key Costs and Benefits
Step 5: Assessment and Aggregation of clustered and mapped Key Costs and Benefits
Step 6: Visualisation of assessed and aggregated Key Costs and Benefits
Structure Model
Perspectives for each Stakeholder
Cost and Benefit Dimensions for private and institutional Perspectives
Costs and Benefits for each Dimension
Key Costs and Benefits
Cause Effect Chains for each Key Cost and Benefit
Weighting Factors for each Cause Effect Chain
Dimension Values
Decision Values
Identity Management Service Scenarios
[Figure: scenarios (Attribute Verification Service Scenario, Authentication Service Scenario, Privacy Policy Enforcement Service Scenario) and options (Baseline Option, Delta Option 1, Delta Option 2)]
Results of the Valuation – Exemplary Application
[Figure: Dimension Values (Aggregated Costs & Benefits) and Decision Values (Aggregated Dimension Values)]
Results of the Valuation - Summary
[Figure: Dimension Values and Decision Values; Attribute Verification Service Scenario, Authentication Service Scenario, Privacy Policy Enforcement Service Scenario]
Benefits - Summary
• Takes into account monetary as well as non-monetary costs and benefits
• Presents decision-relevant information in a simple and structured way without over-challenging the decision maker
• Integrates perspectives of different stakeholders, so that interdependencies can be evaluated
• Enables a stronger focus on (and integration of) privacy-effects on consumers as an essential factor for economic success
Benefits - Processing of input
• Considers
  - individual value perceptions of stakeholders to enable application field-specific valuations of IdM services
  - interdependencies between costs and benefits by using cause-effect chains
• Enables the aggregation of costs and benefits to a one dimensional decision factor
• Offers a standardized and balanced evaluation approach by
  - using predetermined holistic value-systems for stakeholders
  - standardized procedure for a repeatedly occurring decision problem for a better comparison beyond company and department boundaries
Benefits - Organisation of decision making
• Leads to an improved decision making basis and to a higher transparency of the decision making process
• Reduces intuitive (and consequently highly subjective) valuations, or rather, makes them at least more transparent for others
• Structures complex decision processes and simplifies a separation into transparent sub-aspects
• Enables a
  - division of work and thereby a specialization on sub-problems
  - parallelization of separate evaluation- and decision-steps
• Provides a structured basis for discussions within a decision making group
• Considers impacts on the decision maker’s individual goals and overall strategy
Example (economic and business) concerns
Typical issues with regard to the dependence on the cloud computing provider:
1. Risks for availability and business continuity;
2. Absence of contracts between the customer and provider;
3. Lack of “power-balancing” regulation, that exists for other utilities.
www.cepis.org
www.cepis.org/index.jsp?p=641&n=825f
www.cepis.org/media/CEPIS_Cloud_Computing_Security_v172.pdf
2011 Statement: Cloud Computing Security and Privacy Issues
• Description of common characteristics of the identified most important services
• Possible threats to user’s information privacy & security
• What are the elements of trust, which are currently unsatisfied and what role can technology play
• Technology requirements & roadmap
• Law and policy driven design of technology enabling democratic structures, honours human rights and freedoms
• Validation of important services in the light of upcoming EU legislation
• Investigation of the economic and societal impact of new trustworthy ICT solutions
• Definition of a R&D project portfolio with impact.
Working Group meetings
June 15, Espoo, Finland
Conclusion and Outlook
• New ICT services are coming ever closer to people.
• Privacy requires e.g.
  - Minimisation and decentralisation of data
  - Empowering users (“Multilateral Security”) on e.g. data flows
  - Privacy by Design
  - Related economic analysis and regulation
PrimeLife Summit Event, 2011-06-07, Lucerne
www.sec2011.org
www.m-chair.net www.primelife.eu www.picos-project.eu www.abc4trust.eu www.fidis.net www.prime-project.eu