CERIAS Weekly Security Seminar - Purdue University

Stuart Shapiro, MITRE PANOPTIC™ Privacy Threat Model


English - September 13, 2023 20:30 - 53 minutes - 240 MB Video - ★★★★ - 6 ratings


As privacy moves from a predominantly compliance-oriented approach to one that is risk-based, privacy risk modeling has taken on increased importance. While a variety of innovative pre-existing options are available for privacy consequences and a few for vulnerabilities, privacy threat models, particularly ones focused on attacks (as opposed to threat actors), remain relatively scarce. To address this gap and facilitate more sophisticated privacy risk management of increasingly complex systems, MITRE has developed the Pattern and Action Nomenclature Of Privacy Threats In Context (PANOPTIC™). By providing an empirically driven taxonomy of privacy threat activities and actions – as well as contextual elements – to support environmental and system-specific threat modeling, PANOPTIC is intended to do for privacy practitioners what MITRE ATT&CK® has done for security practitioners. This presentation discusses the underpinnings and provides an overview of PANOPTIC and its use.

About the speaker: Stuart S. Shapiro is a Principal Cyber Security and Privacy Engineer and a co-leader of the Privacy Capability in the MITRE Labs Cyber Solutions Innovation Center at the MITRE Corporation. At MITRE he has led multiple research and operational efforts in the areas of privacy engineering, privacy risk management, and privacy enhancing technologies (PETs), including projects focused on connected vehicles and on de-identification. He has also held academic positions and has taught courses on the history, politics, and ethics of information and communication technologies. His professional affiliations include the International Association of Privacy Professionals (IAPP) and the Association for Computing Machinery (ACM).
