Center Project Reports

An Assessment of Blockchain Identity Solutions: Minimizing Risk and Liability of Authentication

Author(s): Rima Rana, Razieh Nokhbeh Zaeem, K. Suzanne Barber
Published on Aug 14, 2019

Personally Identifiable Information (PII) is often used to perform authentication and acts as a gateway to personal and organizational information. One weak link in the architecture of identity management services is sufficient to cause exposure and put identity at risk. Recently, we have witnessed a shift in identity management solutions with the growth of blockchain. Blockchain—the decentralized ledger system—provides a unique answer addressing security and privacy with its embedded immutability. In a blockchain-based identity solution, the user is given control of his/her identity by storing personal information on his/her device and choosing the identity verification document later used to create blockchain attestations. Yet blockchain technology alone is not enough to produce a better identity solution. The user cannot make informed decisions as to which identity verification document to choose if he/she is not presented with tangible guidelines. In the absence of scientifically created practical guidelines, these solutions and the choices they offer may become overwhelming and even defeat the purpose of providing a more secure identity solution.

Evaluation Framework for Future Privacy Protection System: A Dynamic Identity Ecosystem Approach

Author(s): David Liau, Razieh Nokhbeh Zaeem, K. Suzanne Barber
Published on Aug 14, 2019

Today, more than ever, everyday authentication processes involve combinations of Personally Identifiable Information (PII) to verify a person’s identity. Meanwhile, the number of identity thefts is increasing dramatically compared to the past decades. In response to this phenomenon, numerous privacy protection regulations, management frameworks and companies are thriving in the industry as well. In this paper, we leverage previous work in the Identity Ecosystem, a Bayesian network mathematical representation of a person’s identity, to create a framework to evaluate identity protection systems. After reviewing the Identity Ecosystem, we populate a dynamic version of it and propose a protection game for a person’s PII given that the owner and the attacker both gain some level of control over the status of other PIIs within the dynamic Identity Ecosystem. We first present the game concept as a single round game with complete information. Then we formulate a stochastic shortest path game between the owner and the attacker on the dynamic Identity Ecosystem. The attacker is trying to expose the target PII as soon as possible while the owner is trying to protect the target PII from being exposed. We present a policy iteration algorithm to solve the optimal policy for the game and discuss its convergence. Finally, an evaluation and comparison of identity protection strategies is provided given that an optimal policy is used against different protection policies. This study aims to understand the evolutionary process of identity theft and provide a framework for evaluating different identity protection strategies.

Statistical Analysis of Identity Risk of Exposure and Cost Using the Ecosystem of Identity Attributes

Author(s): Chia-Ju Chen, Razieh Nokhbeh Zaeem, K. Suzanne Barber
Published on Aug 14, 2019

Personally Identifiable Information (PII) is often called the “currency of Internet” as identity assets are collected, shared, sold, and used for almost every transaction on the Internet. PII is used for all types of applications from access control to credit score calculations to targeted advertising. Every market sector relies on PII to know and authenticate their customers and their employees. With so many businesses and government agencies relying on PII to make important decisions and so many people being asked to share personal data, it is critical to better understand the fundamentals of identity to protect it and responsibly use it. The previously developed comprehensive Identity Ecosystem utilizes graphs to model PII assets and their relationships and is powered by empirical data from almost 6,000 real-world identity theft and fraud news reports to populate the UT CID Identity Ecosystem. We obtained the UT CID Identity Ecosystem from its authors to analyze using graph theory. We report numerous novel statistics using identity asset content, structure, value, accessibility, and impact. Our work sheds light on how identity is used and paves the way for improving identity

2019 ITAP Report

Published on Jul 30, 2019

The Identity Threat Assessment and Prediction (ITAP) model and analytics provide unique, research-based insights into the habits and methods associated with identity threats, and into the various factors that contribute to higher levels of risk for the compromise and abuse of personally identifiable information (PII).  ITAP uncovers the identity attributes most vulnerable to compromise, assesses their importance, and identifies the types of PII most frequently targeted by thieves and fraudsters.

The analytical repository of ITAP offers valuable understanding of the actors, organizations, and devices involved in identity threats -- across multiple domains, including financial services, consumer services, healthcare, education, law enforcement, communications, and government.  ITAP characterizes the current identity threat landscape and aims to predict future identity threats.  Using a wealth of data and analytics, ITAP delivers concrete guidance for consumers, businesses, and government agencies on how to avoid or lessen the impact of identity theft, fraud, and abuse. In sum, ITAP delivers actionable knowledge grounded in analyses of past threats and countermeasures, current threats and solutions, and evidence-driven forecasts.

During 2018 and into 2019, the ITAP team focused primarily on adding international (i.e. non-US) incidents to the model.  There are now about 900 international incidents captured in ITAP, making up 16% of the total number.  Of the international cases, 95% were localized to a given country, while the remaining 5% were multi-national (or even worldwide) in scope.  This recent focus has expanded the breadth of the project, and enabled us to implement new analytics based on international incidents, including some that compare the effects of PII-compromise across different countries.  Unlike in previous annual ITAP reports, all of the charts in this 2019 ITAP Report are based purely on the international cases.  

The Identity Ecosystem

Author(s): Razieh Nokhbeh Zaeem, David Liau, Suratna Budalakoti, K. Suzanne Barber
Published on Jul 3, 2019

As identity theft, fraud, and abuse continue to grow in terms of both scope and impact, individuals and organizations alike demand a deeper understanding of their vulnerabilities, risks, and resulting consequences. To address this demand, we present the Identity Ecosystem, a novel Bayesian model of Personal, Organizational, and Device Identifiable Information (PII/OII/DII) attributes and their relationships. We populate the Identity Ecosystem model with real-world data from approximately 6,000 reported identity theft and fraud cases. We leverage this populated model to provide unique, research-based insights into the variety of PII/OII/DII, their properties, and how they interact. Informed by the real-world data, we investigate the ecosystem of identifiable information in which criminals compromise PII/OII/DII and misuse them.
We built the Identity Ecosystem into an online tool that answers sophisticated queries. As an example query, it predicts future risk and losses of losing a given set of PII and the liability associated with its fraudulent use. In the Bayesian model, each PII (e.g., Social Security Number) or OII (e.g., Employer Identification Number) or DII (e.g., IP Address) is modeled as a graph node. Probabilistic relationships between these attributes are modeled as graph edges. We leverage this Bayesian Belief Network to approximate the posterior probabilities of the model, assuming the given set of PII attributes is compromised, to answer the query.
Hence, the Identity Ecosystem uncovers the identity attributes most vulnerable to theft, assesses their importance, and determines not only the PII but also the OII and DII most frequently targeted by thieves and fraudsters. The insights the Identity Ecosystem provides are significant, valuable, and sometimes very nonintuitive.

Enhancing and Evaluating Identity Privacy and Authentication Strength by Utilizing the Identity Ecosystem

Author(s): Razieh Nokhbeh Zaeem, K. Suzanne Barber, Kai Chih Chang
Published on Apr 15, 2019

This paper presents a novel research model of identity and the use of this model to answer some interesting research questions. Information travels in the cyber world, not only bringing us convenience and prosperity but also jeopardy. Protecting this information has been a commonly discussed issue in recent years. One type of this information is Personally Identifiable Information (PII), often used to perform personal authentication. People often give PIIs to organizations, e.g., when applying for a new job or filling out a new application on a website. While the use of such PII might be necessary for authentication, giving PII increases the risk of its exposure to criminals. We introduce two innovative approaches based on our model of identity to help evaluate and find an optimal set of PIIs that satisfy authentication purposes but minimize risk of exposure. Our model paves the way for more informed selection of PIIs by organizations that collect them as well as by users who offer PIIs to these organizations.

Internet of Things: Securing the Identity by Analyzing Ecosystem Models of Devices and Organizations

Author(s): Razieh Nokhbeh Zaeem, K. Suzanne Barber, Kai Chih Chang
Published on Apr 15, 2019

The Internet of Things has become an integral part of our daily life. Its combination of network and emerging technology interlaced with each other results in a complicated environment that is left to us to understand and interact with. Information travels in the cyber world, not only bringing us convenience and prosperity but also jeopardy. Protecting this information has been a commonly discussed issue in recent years. One type of this information is Personally Identifiable Information (PII), often used to perform personal authentication. With a total cost of more than $40 billion since 2006, several reports of theft and fraudulent use of PII have been released. An all-embracing technique and system is needed in order to protect users from identity theft. In this paper, we present the Identity Ecosystem, a comprehensive identity framework that contains a mathematical representation of a model of Personally Identifiable Information attributes for people, and two novel models, devices and organizations, that have strong connections with the PII model of people. This research aims to combine the above three models and lead to better prevention against identity theft and fraudsters.

US-Centric vs. International Personally Identifiable Information: A Comparison Using the UT CID Identity Ecosystem

Author(s): K. Suzanne Barber, Razieh Nokhbeh Zaeem, Rima Rana
Published on Apr 15, 2019

In this paper, we extend the mathematical representation and implementation model of the UT CID Identity Ecosystem representing PII attributes and relationships to incorporate international PII. Previously, the UT CID Identity Ecosystem model has been primarily populated using data about US theft and fraud cases to include PII attributes used to transact crime as well as accidental exposure of PII attributes. Statistics are also calculated and associated with respective PII attributes such as the frequency of exposure occurrences for respective PII attributes, monetization value of PII (i.e. financial consequences of the crime), and strength of relationships between PII attributes. This research describes how the content of the UT CID Identity Ecosystem and resulting analysis change when PII attributes from international identity theft and fraud cases are incorporated. Not only are the PII attributes different in an international UT CID Identity Ecosystem, but the relationships between PII attributes change, the monetization value of PII attributes changes, and the risk of exposure changes when worldwide identity theft and fraud cases are considered.

Predicting Disease Outbreaks Using Social Media: Finding Trustworthy Users

Author(s): David Liau, Razieh Nokhbeh Zaeem, K. Suzanne Barber
Published on Nov 30, 2018

The use of Internet data sources, in particular social media, for biosurveillance has gained attention and credibility in recent years. Finding related and reliable posts on social media is key to performing successful biosurveillance utilizing social media data. While researchers have implemented various approaches to filter and rank social media posts, the fact that these posts are inherently related by the credibility of the poster (i.e., social media user) remains overlooked. We propose six trust filters to filter and rank trustworthy social media users, as opposed to concentrating on isolated posts. We present a novel biosurveillance application that gathers social media data related to a bio-event, processes the data to find the most trustworthy users and hence their trustworthy posts, and feeds these posts to other biosurveillance applications, including our own. We further present preliminary experiments to evaluate the effectiveness of the proposed filters and discuss future improvements. Our work paves the way for collecting more reliable social media data to improve biosurveillance applications.

2018 ITAP Report

Published on Aug 8, 2018

The Identity Threat Assessment and Prediction (ITAP) model provides unique, research-based insights into the habits and methods of identity threats, and to the various factors associated with higher levels of risk for PII compromise and abuse. ITAP uncovers the identity attributes most vulnerable to theft, assesses their importance, and determines the personally identifiable information (PII) most frequently targeted by thieves and fraudsters.
