Process mining techniques enable organizations to analyze business process execution traces in order to identify opportunities for improving their operational performance. Oftentimes, such execution traces contain private information. For example, the execution traces of a healthcare process are likely to be privacy-sensitive. In such cases, organizations need to deploy Privacy-Enhancing Technologies (PETs) to strike a balance between the benefits they get from analyzing these data and the requirements imposed on them by privacy regulations, particularly that of minimizing re-identification risks when data are disclosed to a process analyst. Among the many available PETs, differential privacy stands out for its ability to prevent predicate singling-out attacks and for its composable privacy guarantees. A drawback of differential privacy is the lack of interpretability of the main privacy parameter it relies upon, namely epsilon. This leads to the recurring question of how much epsilon is enough. This article proposes a method to determine the epsilon value to be used when disclosing the output of a process mining technique in terms of two business-relevant metrics: absolute percentage error metrics, which capture the loss of accuracy (a.k.a. utility loss) resulting from adding noise to the disclosed data, and guessing advantage, which captures the increase in the probability that an adversary correctly guesses information about an individual as a result of a disclosure. The article specifically studies the problem of protecting the disclosure of the so-called Directly-Follows Graph (DFG), a process mining artifact produced by most process mining tools. The article reports on an empirical evaluation of the utility-risk trade-offs that the proposed approach achieves on a collection of 13 real-life event logs.
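The following is an added example, not code from the article, illustrating the utility-loss side of the trade-off described above: a DFG is mined from a constructed toy event log, its edge frequencies are released under epsilon-differential privacy with Laplace noise, and the utility loss is measured as the mean absolute percentage error over the true edges. The neighbouring-log definition (logs differing by one whole trace, giving an L1 sensitivity of max trace length minus one), the choice to release a noisy count for every ordered pair over a public activity alphabet so that the mere presence of an edge is not leaked, and the averaging rule for the percentage error are all assumptions of this example, not the article's definitions. Guessing advantage is not computed here because the page does not give its formula.

```python
"""Added example (not from the article): epsilon-DP release of a
Directly-Follows Graph and its absolute percentage error (utility loss)."""
import random
from collections import Counter
from itertools import product
from typing import Dict, List, Tuple

Edge = Tuple[str, str]

# Constructed toy event log (one activity sequence per case), not real data.
SAMPLE_LOG: List[List[str]] = [
    ["register", "triage", "lab", "treat", "discharge"],
    ["register", "triage", "treat", "discharge"],
    ["register", "triage", "lab", "treat", "discharge"],
    ["register", "triage", "lab", "lab", "treat", "discharge"],
    ["register", "triage", "discharge"],
]


def build_dfg(log: List[List[str]]) -> Dict[Edge, int]:
    """Count how often activity a is directly followed by activity b."""
    dfg: Counter = Counter()
    for trace in log:
        for a, b in zip(trace, trace[1:]):
            dfg[(a, b)] += 1
    return dict(dfg)


def l1_sensitivity(log: List[List[str]]) -> int:
    """Assumption: neighbouring logs differ by one whole trace. Removing a
    trace of length n changes at most n-1 edge counts by one each."""
    return max(len(trace) - 1 for trace in log)


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) as the difference of two iid exponentials with mean scale."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def release_dfg(log: List[List[str]], epsilon: float, seed: int = 0) -> Dict[Edge, int]:
    """Release noisy counts for EVERY ordered activity pair (alphabet assumed
    public); releasing only the true edges would leak which edges exist.
    Rounding and clipping to >= 0 is post-processing and keeps epsilon-DP."""
    rng = random.Random(seed)
    true_dfg = build_dfg(log)
    activities = sorted({act for trace in log for act in trace})
    scale = l1_sensitivity(log) / epsilon
    released: Dict[Edge, int] = {}
    for edge in product(activities, repeat=2):
        noisy = true_dfg.get(edge, 0) + laplace_noise(scale, rng)
        released[edge] = max(0, round(noisy))
    return released


def absolute_percentage_error(true_dfg: Dict[Edge, int], noisy_dfg: Dict[Edge, int]) -> float:
    """Mean |noisy - true| / true over edges with a non-zero true count
    (assumed averaging rule; pairs absent from the true DFG are skipped)."""
    errs = [abs(noisy_dfg.get(e, 0) - c) / c for e, c in true_dfg.items() if c > 0]
    return sum(errs) / len(errs)


def epsilon_sweep(log: List[List[str]], epsilons: List[float], seed: int = 0) -> Dict[float, float]:
    """Utility loss per candidate epsilon: the smaller epsilon, the more noise."""
    true_dfg = build_dfg(log)
    return {eps: absolute_percentage_error(true_dfg, release_dfg(log, eps, seed)) for eps in epsilons}


if __name__ == "__main__":
    for eps, ape in epsilon_sweep(SAMPLE_LOG, [0.1, 0.5, 1.0, 2.0, 10.0]).items():
        print(f"epsilon={eps:<5} mean absolute percentage error={ape:.2f}")
```

On this toy log the sensitivity is 5, so at epsilon = 0.1 the Laplace scale is 50 and the released counts are mostly noise; the sweep makes concrete why a bare epsilon is hard to interpret and why the article pairs it with an error metric that a process analyst can read directly.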