Maritta Heisel’s research while affiliated with University of Duisburg-Essen and other places

What is this page?


This page lists works of an author who doesn't have a ResearchGate profile or hasn't added the works to their profile yet. It is automatically generated from public (personal) data to further our legitimate goal of comprehensive and accurate scientific recordkeeping. If you are this author and want this page removed, please let us know.

Publications (273)


Creating Privacy Policies from Data-Flow Diagrams
  • Chapter

March 2024

·

39 Reads

Lecture Notes in Computer Science

Jens Leicht

·

Marvin Wagner

·

Maritta Heisel

Privacy policies are often used to fulfill the requirement of transparency of data protection legislation like the General Data Protection Regulation of the European Union. The privacy policies are used to describe how the data subject’s data are handled by the data controller. Domain and legal experts mostly create these policies manually. We propose a tool-supported method to improve the creation of accurate privacy policies based on information from the development phase of a system. During privacy and security threat analyses information about system behavior is collected in form of data-flow diagrams. These diagrams describe which data flows from where to where within the system and to which external actors. Based on this data-flow information we can create the basic structure of a privacy policy, already containing the data-flows. The extracted information is one of the most important parts of a privacy policy, providing transparency when data is transferred to external parties.




Mining process followed to extract and generate both datasets
Profile attributes disclosed by unengaged and engaged users (frequencies)
Average self-disclosure of (a) unengaged and engaged users, and (b) unengaged, proactive, and reactive users
Practical implications (envisaged interface)
Cybersecurity discussions in Stack Overflow: a developer-centred analysis of engagement and self-disclosure behaviour
  • Article
  • Full-text available

December 2023

·

56 Reads

Social Network Analysis and Mining

Stack Overflow (SO) is a popular platform among developers seeking advice on various software-related topics, including privacy and security. As for many knowledge-sharing websites, the value of SO depends largely on users’ engagement, namely their willingness to answer, comment or post technical questions. Still, many of these questions (including cybersecurity-related ones) remain unanswered, putting the site’s relevance and reputation into jeopardy. Hence, it is important to understand users’ participation in privacy and security discussions to promote engagement and foster the exchange of such expertise. Objective: Based on prior findings on online social networks, this work elaborates on the interplay between users’ engagement and their privacy practices in SO. Particularly, it analyses developers’ self-disclosure behaviour regarding profile visibility and their involvement in discussions related to privacy and security. Method: We followed a mixed-methods approach by (i) analysing SO data from 1239 cybersecurity-tagged questions along with 7048 user profiles, and (ii) conducting an anonymous online survey (N=64). Results: About 33% of the questions we retrieved had no answer, whereas more than 50% had no accepted answer. We observed that proactive users tend to disclose significantly less information in their profiles than reactive and unengaged ones. However, no correlations were found between these engagement categories and privacy-related constructs such as perceived control or general privacy concerns. Implications: These findings contribute to (i) a better understanding of developers’ engagement towards privacy and security topics, and (ii) to shape strategies promoting the exchange of cybersecurity expertise in SO.

Download

Pattern-Based Risk Identification for Model-Based Risk Management

August 2023

·

19 Reads

Lecture Notes in Computer Science

In a previous publication, we have introduced Risk Issue Questionnaires (RIQs) that serve to support risk identification for critical systems. The starting point of our risk identification method are architectural patterns contained in a system architecture, e.g., process control loops or interactive systems. A RIQ enumerates the typical risks associated with such a pattern. By assessing for each issue contained in a RIQ whether it is relevant or not, risks for the system under analysis are identified in a systematic way.In this paper, we complement the RIQ method by a method to set up and validate CORAS threat models for documenting the identified risks. In this way, we provide a basis to perform the further steps of a model-based risk management process. We equip our RIQs with modeling hints that specify what kind of modeling element should be used to represent a given issue in a threat model. Furthermore, we define formal validation conditions (VCs) that allow the risk modeler to check the generated threat models for coherence and completeness, and present a modeling tool that is able to check the defined VCs.




PriPoCoG: Guiding Policy Authors to Define GDPR-Compliant Privacy Policies

October 2022

·

41 Reads

·

2 Citations

Lecture Notes in Computer Science

The General Data Protection Regulation (GDPR) makes the creation of compliant privacy policies a complex process. Our goal is to support policy authors during the creation of privacy policies, by providing them feedback on the privacy policy they are creating. We present the Privacy Policy Compliance Guidance (PriPoCoG) framework supporting policy authors as well as data protection authorities in checking the compliance of privacy policies. To this end we formalize the Layered Privacy Language (LPL) and parts of the GDPR using Prolog. Our formalization, ‘Prolog-LPL’ (P-LPL), points out inconsistencies in a privacy policy and problematic parts of a policy regarding GDPR-compliance. To evaluate P-LPL we translate the Amazon.de privacy policy into P-LPL and perform a compliance analysis on this policy.KeywordsPrivacy policyPolicy languageGeneral Data Protection RegulationFormalizationProlog


ENAGRAM: An App to Evaluate Preventative Nudges for Instagram

September 2022

·

14 Reads

·

1 Citation

·

·

·

[...]

·

Matthias Brand

Online self-disclosure is perhaps one of the last decade’s most studied communication processes, thanks to the introduction of Online Social Networks (OSNs) like Facebook. Self-disclosure research has contributed significantly to the design of preventative nudges seeking to support and guide users when revealing private information in OSNs. Still, assessing the effectiveness of these solutions is often challenging since changing or modifying the choice architecture of OSN platforms is practically unfeasible. In turn, the effectiveness of numerous nudging designs is supported primarily by self-reported data instead of actual behavioral information. Objective: This work presents ENAGRAM, an app for evaluating preventative nudges, and reports the first results of an empirical study conducted with it. Such a study aims to showcase how the app (and the data collected with it) can be leveraged to assess the effectiveness of a particular nudging approach. Method: We used ENAGRAM as a vehicle to test a risk-based strategy for nudging the self-disclosure decisions of Instagram users. For this, we created two variations of the same nudge (i.e., with and without risk information) and tested it in a between-subjects experimental setting. Study participants (N=22) were recruited via Prolific and asked to use the app regularly for 7 days. An online survey was distributed at the end of the experiment to measure some privacy-related constructs. Results: From the data collected with ENAGRAM, we observed lower (though non-significant) self-disclosure levels when applying risk-based interventions. The constructs measured with the survey were not significant either, except for participants’ External Information Privacy Concerns (EIPC). Implications: Our results suggest that (i) ENAGRAM is a suitable alternative for conducting longitudinal experiments in a privacy-friendly way, and (ii) it provides a flexible framework for the evaluation of a broad spectrum of nudging solutions.


ENAGRAM: An App to Evaluate Preventative Nudges for Instagram

August 2022

·

82 Reads

·

1 Citation

Online self-disclosure is perhaps one of the last decade's most studied communication processes, thanks to the introduction of Online Social Networks (OSNs) like Facebook. Self-disclosure research has contributed significantly to the design of preventative nudges seeking to support and guide users when revealing private information in OSNs. Still, assessing the effectiveness of these solutions is often challenging since changing or modifying the choice architecture of OSN platforms is practically unfeasible. In turn, the effectiveness of numerous nudging designs is supported primarily by self-reported data instead of actual behavioral information. This work presents ENAGRAM, an app for evaluating preventative nudges, and reports the first results of an empirical study conducted with it. Such a study aims to showcase how the app (and the data collected with it) can be leveraged to assess the effectiveness of a particular nudging approach. We used ENAGRAM as a vehicle to test a risk-based strategy for nudging the self-disclosure decisions of Instagram users. For this, we created two variations of the same nudge and tested it in a between-subjects experimental setting. Study participants (N=22) were recruited via Prolific and asked to use the app regularly for 7 days. An online survey was distributed at the end of the experiment to measure some privacy-related constructs. From the data collected with ENAGRAM, we observed lower (though non-significant) self-disclosure levels when applying risk-based interventions. The constructs measured with the survey were not significant either, except for participants' External Information Privacy Concerns. Our results suggest that (i) ENAGRAM is a suitable alternative for conducting longitudinal experiments in a privacy-friendly way, and (ii) it provides a flexible framework for the evaluation of a broad spectrum of nudging solutions.


Citations (59)


... The different phenomena in the case of traits-based access control (ABAC) are more of a dynamic and sophisticated model of authorization that confers access rights upon the features of the users and the environmental attributes [3]. Besides, considering context when making access management policies possible represents an extended functionality for more adaptive and context-sensible security by PBAC [4]. The article explores three primary access control mechanisms in cloud storage: Role-Based Access Control, Attribute-Based Access Control, and Policy-Based Access Control. ...

Reference:

CLOUD ACCESS
P2BAC: Privacy Policy Based Access Control Using P-LPL
  • Citing Conference Paper
  • January 2023

... Recent publications have also drawn attention to the cognitive biases affecting people's privacy decision-making processes [15]. Particularly, they suggest that users of OSNs are prone to replace rational risk judgements with "rules of thumb" or heuristics to reduce the complexity of their cybersecurity choices [16]. In turn, they often adopt sub-optimal privacy configurations and expose their data to untrusted audiences or malicious users. ...

ENAGRAM: An App to Evaluate Preventative Nudges for Instagram
  • Citing Conference Paper
  • September 2022

... Homophily may be based on various attributes, such as age, gender, education, social class, language, colleagues, occupation, religion, interest, etc. [3]. In the academic domain, homophily also affects the creation of co-author ties, which may depend on factors like affiliation, gender, institution, experience, country, etc. Homophily has an important implication for analyzing online communities and understanding various social phenomena, such as perception biases, segregation, inequality, and information diffusion among different groups of individuals [4]. Recently, homophily has also been incorporated into a neural network model that combines network and textual features to improve link prediction and occupation prediction in social networks [3]. ...

Community detection for access-control decisions: Analysing the role of homophily and information diffusion in Online Social Networks

Online Social Networks and Media

... Information trust refers to the tourists' perceptions of the originality and reliability of the information on online review platforms (Borchert & Heisel, 2022). Song et al. (2021) mentioned that information trust seems to be more connected with tourists' perceptions of online information quality. ...

The Role of Trustworthiness Facets for Developing Social Media Applications: A Structured Literature Review

Information

... The 5C architecture of CPS (Smart Connection Level, Datato-Information Conversion Level, Cyber Level, Cognition Level and Configuration Level) is also deeply discussed regarding the CPPS. (Maidl et al. 2021) defined a taxonomy for relevant attack actions for the security of CPSs and formed the taxonomies as a meta-model. This meta-model presents the ways the taxonomy relates the attack action to the endangered part of the cyber-physical system. ...

Model-Based Threat Modeling for Cyber-Physical Systems: A Computer-Aided Approach
  • Citing Chapter
  • July 2021

Communications in Computer and Information Science

... They emphasize the importance of trust but do not consider how to analyze and design a system that should consider trust. It is necessary to have a clear understanding of why trust is important, what it is, and under which circumstances it should be considered [17,18]. The next problem is a lack of a proper modeling method to represent trust and its evidence. ...

Conflict Identification and Resolution for Trust-Related Requirements Elicitation A Goal Modeling Approach
  • Citing Article
  • February 2021

... First, we conducted a census representative survey in 16 countries with non-Western populations to study SMP concerns in the MENA region. Second, we expand insights into SMP concerns beyond those related to service providers and social interaction, two of the most often studied privacy concerns in the literature [64], [65], [66], [67], and examined privacy concerns related to regulators, such as governments. Third, we analyzed SMP concerns hierarchically at the subregion (North Africa, Levant, and Gulf) level, country level, and within each country. ...

Mitigating Privacy Concerns by Developing Trust-Related Software Features for a Hybrid Social Media Application

... It indicates that the inclination to use tools exists but is underutilized. These computer-aided tools can range from web forms [9], [28]- [30] to modeling tools [29], [31], [32], or even use natural language processing techniques [33]- [35]. The distribution of the use of computer-aided tools is depicted in Figure 5. ...

PDP-ReqLite: A Lightweight Approach for the Elicitation of Privacy and Data Protection Requirements

Lecture Notes in Computer Science

... When adapted to a transportation application, these techniques aspire to motivate users to acquire knowledge and exercise more responsible resource utilization within the fleet. However, the ethical considerations of influencing individuals' behaviors must always be conscientiously contemplated when implementing persuasion strategies [26]. ...

Persuasion Meets AI: Ethical Considerations for the Design of Social Engineering Countermeasures

... Therefore, this analysis aims to shed light on privacy assessment concerning personal data sharing and GDPR compliance of apps with access to very sensitive data. Previous research has shown that privacy nudges have the potential to support privacy-aware decision-making of users [40], [7], [36], [41], [42], [37]. Thus, the GDPR compliance analysis is used to design privacy nudges to support the decision-making process of users. ...

Preventative Nudges: Introducing Risk Cues for Supporting Online Self-Disclosure Decisions

Information