Alternative Approaches to Privacy Risk Assessment: Summary of the PETweb II VERDIKT project sponsored by the Research Council of Norway (2009-2013)

  • Lothar Fritsch
  • Einar Snekkenes

Publication details

  • Publisher: Norsk Regnesentral
  • Series: Report at the Norwegian Computing Center (1029)
  • Year: 2013
  • Issue: 1029
  • Number of pages: 31
  • International standard numbers:
    • Print: 978-82-539-0539-6

The PETweb II project has turned out to be a truly multidisciplinary project. Although the project participants have had most of their training in either law or computer science, some of the most significant results from the project are a consequence of combining ideas from economics, psychology, decision science, journalism and computer science. We believe that this project is an excellent example of how a multidisciplinary perspective can benefit research.
From economics, we have imported ideas regarding utility theory. Psychology has contributed theories of incentives and motivation. Decision science has contributed multi-attribute utility theory. The concept of framing, belonging to the field of journalism/rhetoric, has provided inspiration to explore a new way of framing risk. Computer science has offered inspiration on how the risk management and analysis concepts can be modelled and how the ideas can be implemented as a software tool. The classical risk frame focuses on the expected impact of an incident, i.e. a combination (product) of consequence and likelihood, possibly conditioned on knowledge.
PETweb II developed two alternative approaches to risk analysis: the EM-BRAM and the CIRA method. EM-BRAM starts with a model of technical risk sources in identity management technology. From there, it aims to turn a given system into an executable model that is used to detect the presence of the risk factors in a concrete system.
The risk framing proposed in the CIRA method frames risk as the underlying cause of the incident. In this frame, risk corresponds to misaligned incentives. A preliminary (bleeding-edge alpha) version of a CIRA tool was developed right at the end of the project. We intend to explore the possibility of deploying CIRA and associated software tools into the data cloud. It should be kept in mind that CIRA is still in its early days, and much more research needs to be completed to enhance and validate the method. However, we have already established a new project to further develop CIRA. In addition, we are planning several new projects to further explore research into a multidisciplinary perspective on risk analysis.