Published online by Cambridge University Press: 23 January 2020
INTRODUCTION
The aim of this chapter is to analyse ‘Security by Design’ (SbD) as an emerging concept in EU Law, especially in the fields of information security and data protection. This is especially relevant in light of the growing number of data breaches and the ever-increasing pervasiveness of Internet of Things (IoT) devices. This is even more so if we take into account the worrying trend, especially among important market players, to tolerate risks of data breaches and therefore keep IT security investments relatively low. The first part of this chapter will substantiate the notion of SbD by deciphering the exact meaning of the concepts of ‘design’ and ‘security’, with a strong focus on the IT sector. The second part will then explore the emergence of SbD as a principle in the EU legislative framework. In that context, a comparison will be made with the ‘Data Protection by Design’ (DPbD) paradigm, which has been one of the cornerstones of the data protection reform. The last part will then highlight some of the challenges inherent to the ‘by design’ approach.
DECODING ‘SECURITY BY DESIGN’: A TALE OF ‘SECURITY’ AND ‘DESIGN’
Before delving into the substance and challenges of the SbD paradigm, it is crucial to clarify the exact scope of the notions that lie at the heart of that approach, namely: ‘security’ and ‘design’. In the ICT context, ‘security’ has been defined by the European Union Agency for Network and Information Security (ENISA) as the protection against the threat of theft, deletion or alteration of data stored or transmitted within a system. Such a definition echoes the so-called ‘CIA triad’ – namely confidentiality, integrity and availability – which has been recognised as the basis of information security over the last decade. While the notion of security traditionally encompasses the protection of both physical (e.g. a data centre) and non-physical (e.g. the data processed on the said servers) assets, the present contribution will – for the sake of conciseness – be limited to the analysis of the second component.
‘Design’, on the other hand, refers to “the process by which an agent creates a specification of a software artefact intended to accomplish goals, using a set of primitive components and subject to constraints”. Alternatively, the notion of ‘software design’ has been referred to as “all the activities involved in conceptualising, framing, implementing, commissioning, and ultimately modifying complex systems”.