Privacy Harms

From MgmtWiki

Revision as of 21:49, 17 March 2023

Full Title or Meme

Privacy Harms takes the view of the Subject in a privacy Exploit.

Context

  • Normally the Privacy Risk of any transaction is measured in terms of the risk to the Enterprise that holds the user data.
  • This page is about the risk to the Subject of the data that is disclosed.
  • The entity that exploits the Subject's private data can be any of a variety of entities, including the Entity that acquired the data from the Subject.
  • As in many web transactions, the benefit of the transaction typically accrues to the Enterprise and the cost to the Subject.

Taxonomy

  • Cyber risk is the intersection of assets, threats, and vulnerabilities. It is the potential for loss, damage, or destruction of an asset when a threat takes advantage of a vulnerability, or Risk = {Asset Value} * {expected chance of exploit}. That equation only works from the Enterprise's point of view, because the asset whose value it counts is the Enterprise's, not the Subject's.
  • Enterprise in this paper means any of (1) the data controller, (2) the data processor, (3) the data issuer, or (4) the attacker, which in this case covers all of the other entities that may benefit from having the Subject's data. (n.b. Some may quibble that the issuer is just another processor, but I believe it is instructive to treat them separately here.)
  • Subject is the natural person that the data is about. (All the harms here are related to natural persons.)
  • Payor is the entity that bears any monetary cost of an exploit. This may be the Subject, the Enterprise, or some third-party payor, like an insurance company.

Harms

  • Me2B Privacy Harms: https://internetsafetylabs.org/resources/references/digital-harms-dictionary-2-0/