Practical and Ready-to-Use Methodology to Assess the re-identification Risk in Anonymized Datasets

TL;DR

This paper introduces a practical methodology for assessing re-identification risks in anonymized datasets, combining cybersecurity risk analysis techniques with attribute exposure qualification to improve privacy risk evaluation.

Contribution

It presents the first methodology integrating well-known cybersecurity risk analysis methods with attribute exposure assessment for re-identification risk evaluation.

Findings

First to adapt cybersecurity risk analysis methods for data privacy.

Incorporates attribute exposure levels into re-identification risk assessment.

Provides a practical, ready-to-use framework for industry application.

Abstract

To prove that a dataset is sufficiently anonymized, many privacy policies suggest that a re-identification risk assessment be performed, but do not provide a precise methodology for doing so, leaving the industry alone with the problem. This paper proposes a practical and ready-to-use methodology for re-identification risk assessment, the originality of which is manifold: (1) it is the first to follow well-known risk analysis methods (e.g. EBIOS) that have been used in the cybersecurity field for years, which consider not only the ability to perform an attack, but also the impact such an attack can have on an individual; (2) it is the first to qualify attributes and values of attributes with e.g. degree of exposure, as known real-world attacks mainly target certain types of attributes and not others.