About this tool

Simplified Model

This privacy risk calculator considers the privacy risks imposed on a single group of individuals by a single group of threat actors. In a robust analysis, one should consider the risks imposed by multiple threat actors on all the affected individuals.

Risk Model

This risk model is based on a modified version of FAIR (Factor Analysis of Information Risk) [See below]. The calculator analyses risks to individuals, not organizational risk. The risk level is determined by the frequency with which a privacy violation is committed against an individual and the magnitude of that violation across the population of affected individuals.

Magnitude

This tool uses the Solove Taxonomy of Privacy to identify the magnitude of the consequences of certain activities. The goal is to identify and reduce the incidence of activities which social norms dictate are invasive of individuals' privacy. For more information on why harms are considered secondary consequences under this model, see this article.

Calculator Roadmap

  • multiple threat actors
  • saving results
  • secondary consequences
  • organizational consequences
  • vulnerable populations
  • risk tolerance

Describe the System

At Risk Population

Identify the group of individuals at risk. Some labels that might be applied to individuals are customers, consumers, users, employees, bystanders, clients, citizens, or constituents.

Estimate the size of the population: in other words, the number of unique _____ who will be interacted with or whose data will be processed. Because this quantitative privacy risk model works using probability, we ask for the population as a range: the minimum, most likely and maximum number of unique _____ identified above who will interact with or have information processed by the product, service or process.

Risk Tolerance

What is an acceptable threshold of privacy violations for your organization? While you may desire no privacy violations, that is an unrealistic goal for any activity at scale, especially without any controls in place. The goal of using this risk calculator is to show where your risk exceeds your tolerance, so you know where you need to add controls to bring residual risk below your acceptable threshold.

Threat Actor

Time estimates are used to calculate the opportunity profile of the threat actor against an average individual, not against the system or all individuals. For example, if people visit your website on their birthday, you would answer annually, because an individual only comes once per year, even though you receive visitors daily.

  • Minimum: Centennially (Some customers may only visit your site once in a lifetime)
  • Most Likely: Annually
  • Maximum: Semi-Annually (Maybe a few people come more often than just on their birthday).

For external threat actors (government agencies, cyber-criminals, etc.), you should consider the source and methodologies used: a government agency may execute a search warrant against someone less than once in a lifetime (millennium) but may collect information from a pen register on a daily basis.

These descriptions are used to create a capability profile for the threat actor. This represents the capability of the threat actor in terms of time and resources at their disposal.

Threats

Would _____________________ drive _________________________...

Motivation to engage in certain activities is used to set the initial probability of a threat actor committing a certain activity to likely or unlikely. You can fine-tune the probability of action in the consequences chart below. Be advised, though, that you should not account for any controls here (such as laws or contractual obligations limiting their actions); those belong to residual risk, once controls are identified and their effectiveness measured.

Primary Consequences

How to use this risk calculator

Each graph below will show three probability curves: a randomized population distribution, a risk profile for this threat actor committing this threat and your acceptable risk tolerance, as described above.
Your profile most likely looks like the graph at right. If your risk profile (in red) extends to the right of the population (in blue), most individuals will expect more than one privacy violation per year. This means you'll need to institute controls to mitigate these risks, after which your residual risk should be within your acceptable risk tolerance levels. [This tool currently does not provide a mechanism for assessing the effects of controls on your risk level]
If your risk profile is between the population and your risk tolerance (in yellow), then you have unacceptable privacy risks according to your risk tolerance level.
If your risk profile falls to the left of or within the risk tolerance profile, congratulations, your privacy risks are within acceptable limits.
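The following is an added worked example, not the calculator's own code, showing how the inputs described above combine under a FAIR-style model: the population as a minimum / most likely / maximum range, the threat actor's opportunity frequency against an average individual as the same kind of three-point estimate, motivation that sets the probability of action to likely or unlikely, and a risk tolerance that the resulting profile is compared against. The time-scale frequencies, the numeric values behind "likely" and "unlikely", the triangular sampling, and the 95th-percentile acceptance rule are all assumptions made for this example.

```python
"""FAIR-style Monte Carlo for one threat actor acting against one population.

Added example: this is not the calculator's own code. It reproduces the
page's inputs (population range, opportunity frequency as a min / most
likely / max three-point estimate, motivation set to likely or unlikely,
and a risk tolerance) and compares the resulting per-individual risk
profile against the tolerance. All numeric constants are assumptions.
"""
import random
from dataclasses import dataclass

# Contacts per year for the time scales the page names. Values are assumptions.
CONTACTS_PER_YEAR = {
    "millennially": 1 / 1000,
    "centennially": 1 / 100,
    "annually": 1.0,
    "semi-annually": 2.0,
    "daily": 365.0,
}

# Initial probability that the actor acts on a given opportunity, before any
# controls are considered (the page's "likely" / "unlikely"). Assumed values.
PROBABILITY_OF_ACTION = {"likely": 0.7, "unlikely": 0.1}


@dataclass(frozen=True)
class ThreePoint:
    """Minimum / most likely / maximum estimate, sampled as a triangular distribution."""
    minimum: float
    most_likely: float
    maximum: float

    def sample(self, rng: random.Random) -> float:
        if self.minimum == self.maximum:      # degenerate range: a fixed value
            return self.minimum
        return rng.triangular(self.minimum, self.maximum, self.most_likely)


# The page's birthday-visit example: once in a lifetime, once a year, twice a year.
BIRTHDAY_VISITS = ThreePoint(CONTACTS_PER_YEAR["centennially"],
                             CONTACTS_PER_YEAR["annually"],
                             CONTACTS_PER_YEAR["semi-annually"])


def simulate_risk_profile(opportunity: ThreePoint, motivation: str,
                          trials: int = 10_000, seed: int = 1) -> list[float]:
    """Expected privacy violations per individual per year, sorted ascending.

    Each trial draws an opportunity frequency for an average individual and
    multiplies it by the actor's probability of acting on that opportunity.
    """
    rng = random.Random(seed)
    p_act = PROBABILITY_OF_ACTION[motivation]
    return sorted(opportunity.sample(rng) * p_act for _ in range(trials))


def simulate_population_total(population: ThreePoint, opportunity: ThreePoint,
                              motivation: str, trials: int = 10_000,
                              seed: int = 1) -> list[float]:
    """Expected violations per year across the whole at-risk population, sorted."""
    rng = random.Random(seed)
    p_act = PROBABILITY_OF_ACTION[motivation]
    return sorted(population.sample(rng) * opportunity.sample(rng) * p_act
                  for _ in range(trials))


def percentile(sorted_values: list[float], q: float) -> float:
    """Nearest-rank percentile of an ascending list, q in [0, 1]."""
    idx = min(len(sorted_values) - 1, max(0, round(q * (len(sorted_values) - 1))))
    return sorted_values[idx]


def classify(profile: list[float], tolerance: float) -> str:
    """Place the risk profile relative to the tolerance, in the page's terms.

    Rule chosen for this example: the profile is acceptable when its 95th
    percentile does not exceed the tolerance (violations per individual per
    year). It is flagged separately when the median individual expects more
    than one violation a year, the case the page says demands controls.
    """
    if percentile(profile, 0.5) > 1.0:
        return "more than one violation per individual per year"
    if percentile(profile, 0.95) <= tolerance:
        return "acceptable"
    return "exceeds tolerance"


if __name__ == "__main__":
    profile = simulate_risk_profile(BIRTHDAY_VISITS, "likely")
    totals = simulate_population_total(ThreePoint(1_000, 5_000, 20_000),
                                       BIRTHDAY_VISITS, "likely")
    print(f"median violations/individual/year: {percentile(profile, 0.5):.3f}")
    print(f"95th pct violations/individual/year: {percentile(profile, 0.95):.3f}")
    print(f"median violations/year across population: {percentile(totals, 0.5):,.0f}")
    for tol in (0.1, 2.0):
        print(f"tolerance {tol}: {classify(profile, tol)}")
```

With the birthday-visit opportunity and a "likely" actor, the median individual expects roughly 0.7 violations per year; a tolerance of 0.1 violations per individual per year is exceeded, while a tolerance of 2.0 is met. Note that, as the page directs, no controls enter this calculation: the profile is inherent risk, and residual risk would be computed only after controls and their effectiveness are added.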
Information Processing

Aggregation

combining of various pieces of personal information

Identification

linking of information to a particular individual

Insecurity

carelessness in protecting information from leaks or improper access

Secondary Use

using personal information for a purpose other than the purpose for which it was collected

Exclusion

failing to let an individual know about the data that others have about them and participate in its handling or use

Information Dissemination

Breach of Confidentiality

breaking a promise to keep a person's information confidential

Disclosure

revealing truthful personal information about a person that impacts the ways others judge their character or impacts their security

Exposure

revealing an individual’s nudity, grief, or bodily functions

Increased Accessibility

amplifying the accessibility of personal information

Blackmail

threatening to disclose personal information

Appropriation

using an individual’s identity to serve the aims and interests of another

Distortion

disseminating false or misleading information about an individual

Collection

Surveillance

watching, listening to, or recording of an individual's activities

Interrogation

questioning or probing for personal information

Invasions

Intrusion

disturbing an individual’s tranquility or solitude

Decisional Interference

intruding into an individual’s decision regarding their private affairs