M-Score: A Misuseability Weight Measure
May/June 2012 (vol. 9 no. 3)
pp. 414-428
Amir Harel, Ben Gurion University of the Negev, Beer-Sheva
Asaf Shabtai, Ben Gurion University of the Negev, Beer-Sheva
Lior Rokach, Ben Gurion University of the Negev, Beer-Sheva
Yuval Elovici, Ben Gurion University of the Negev, Beer-Sheva
Detecting and preventing data leakage and data misuse pose a serious challenge for organizations, especially when dealing with insiders who hold legitimate permissions to access the organization's systems and its critical data. In this paper, we present a new concept, Misuseability Weight, for estimating the risk emanating from data exposed to insiders. This concept focuses on assigning a score that represents the sensitivity level of the data exposed to the user and thereby predicts the user's ability to maliciously exploit this data. We then propose a new measure, the M-score, which assigns a misuseability weight to tabular data; we discuss some of its properties and demonstrate its usefulness in several leakage scenarios. One of the main challenges in applying the M-score measure is acquiring the required knowledge from a domain expert. Therefore, we present and evaluate two approaches toward eliciting misuseability conceptions from the domain expert.

Index Terms:
Data leakage, data misuse, security measures, misuseability weight.
Amir Harel, Asaf Shabtai, Lior Rokach, Yuval Elovici, "M-Score: A Misuseability Weight Measure," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 3, pp. 414-428, May-June 2012, doi:10.1109/TDSC.2012.17