A Systematic Literature Review on Security and Privacy Design Patterns

Authors: Ebtehal Aljedaani, Maha Aljohani

Abstract:

Privacy and security patterns are both important for developing software that protects users' data and privacy. Privacy patterns are designed to address common privacy problems, such as unauthorized data collection and disclosure. Security patterns are designed to protect software from attack and ensure reliability and trustworthiness. Using privacy and security patterns, software engineers can implement security and privacy by design principles, which means that security and privacy are considered throughout the software development process. These patterns are available to translate "security and privacy-by-design" into practical advice for software engineering. Previous research on privacy and security patterns has typically focused on one category of patterns at a time. This paper aims to bridge this gap by merging the two categories and identifying their similarities and differences. To do this, we conducted a systematic literature review of 40 research papers on privacy and security patterns. The papers were analyzed based on the category of the pattern, the classification of the pattern, and the security requirements that the pattern addresses. This paper presents the results of a comprehensive review of privacy and security design patterns. The review is intended to help future IT designers understand the relationship between the two types of patterns and how to use them to design secure and privacy-preserving software. The paper provides a clear classification of privacy and security design patterns, along with examples of each type. We found that there is only one widely accepted classification of privacy design patterns, while there are several competing classifications of security design patterns. Three types of security design patterns were found to be the most used.

Keywords: Design patterns, security, privacy, classification of patterns, security patterns, privacy patterns.

