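@comment{
  Conference-paper record: Mundt and Baier, ICDF2C 2022 (LNICST vol. 508,
  Springer, Cham, 2023), pp. 417-434, DOI 10.1007/978-3-031-36574-4_25.
  Fixes applied to the exported record: a citation key was missing (the entry
  could not be cited at all); author/editor names were separated by ";" instead
  of " and " (BibTeX would have parsed the whole list as one name); empty
  journal/edition/number/note fields were dropped (they only produce "empty
  field" warnings); the pages range used an en-dash instead of "--"; the url
  field repeated the DOI resolver and was dropped in favour of doi; keywords are
  now comma-separated so biblatex keyword filters work; the non-ASCII
  characters in institution use LaTeX accent escapes so the record also works
  with classic 8-bit BibTeX.
  The editor "Nikolay, Akatyev" is kept exactly as exported, but its
  surname/given-name order differs from the other editors; verify it against
  the proceedings front matter before relying on it.
  The abstract text is reproduced verbatim from the export.
}
@inproceedings{mundt2023cybercrime,
  author      = {Mundt, Michael and Baier, Harald},
  title       = {Cyber Crime Undermines Data Privacy Efforts -- On the Balance Between Data Privacy and Security},
  editor      = {Goel, Sanjay and Gladyshev, Pavel and Nikolay, Akatyev and Markowsky, George and Johnson, Daryl},
  booktitle   = {Digital Forensics and Cyber Crime: 13th {EAI} International Conference, {ICDF2C} 2022, Boston, MA, November 16--18, 2022, Proceedings},
  series      = {Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering},
  volume      = {508},
  publisher   = {Springer},
  address     = {Cham},
  year        = {2023},
  pages       = {417--434},
  doi         = {10.1007/978-3-031-36574-4_25},
  isbn        = {978-3-031-36573-7, 978-3-031-36574-4},
  keywords    = {Cyber Threat Intelligence, Data Breach, Regulatory Compliance, Insider Threat Management, Data Security and Privacy},
  abstract    = {The General Data Protection Regulation (GDPR) was put into effect in the European Union on 25th May 2018. GDPR aims to ensure the protection of personal data from individuals and the free movement of this personal data. Data privacy regulations are also currently being discussed nationwide in the United States of America and other countries. Regular guidelines of the European data protection board (edpb) support the technical GDPR implementation. However, cyber aggressors are increasingly succeeding in penetrating IT systems, e.g., by combining traditional ransomware techniques with data exfiltration. In this paper we address the trade-off between data protection as presumably regulated by the GDPR and the security implications of a hard and fast privacy enforcement. We argue that a too strict interpretation of the rules of data protection in the wrong place can even provoke the very reverse of data protection. 
The origin of our examination is to classify data in two GDPR relevant categories personal data (e.g., personal files of customers and company personal) and IT operational data (e.g. log files, IP addresses, NetFlow data), respectively. We then give a plea to strictly protect data of the first category and to handle the GDPR pragmatically with respect to the second one. To support our position we consider sample popular network protocols and show that it is low-threshold to exploit these protocols for data exfiltration, while the defender is only able to detect the attack on base of IT operational data. We hence emphasize the need for a new paradigm of risk assessment.},
  institution = {Universit{\"a}t der Bundeswehr M{\"u}nchen, Fakult{\"a}t f{\"u}r Informatik, INF 6 - Institut f{\"u}r Systemsicherheit, Professur: Baier, Harald},
}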