
Page 1: CONFIDENTIALITY MANAGEMENT IN COLLABORATIVE DESIGN · Proceedings of the ASME 2016 International Design Engineering Technical Conferences & Computers and Information in Engineering

Proceedings of the ASME 2016 International Design Engineering Technical Conferences & Computers and Information in Engineering Conference (IDETC/CIE 2016)

August 21-24, 2016, Charlotte, USA

DETC2016/DTM-59222

CONFIDENTIALITY MANAGEMENT IN COLLABORATIVE DESIGN

Adam Dachowicz
School of Mechanical Engineering
Purdue University
West Lafayette, IN 47907
Email: [email protected]

Siva Chaitanya Chaduvula
School of Mechanical Engineering
Purdue University
West Lafayette, IN 47907
Email: [email protected]

Jitesh H. Panchal
School of Mechanical Engineering
Purdue University
West Lafayette, IN 47907
Email: [email protected]

Mikhail Atallah
Department of Computer Science
Purdue University
West Lafayette, IN 47907
Email: [email protected]

ABSTRACT

The globalization of collaboration in engineering design has raised several new concerns regarding information sharing. In particular, data shared during collaboration has the potential to leak private information through inferences that may be made by another collaborator. Enterprises that must keep certain information confidential, fearing loss of intellectual property, may turn down potential collaborations that would otherwise be mutually beneficial. Thus, there is a need for a method to study this tradeoff between confidentiality and value in engineering collaboration. In this paper, a framework for analyzing this tradeoff is proposed, along with an illustrative example of a possible implementation and its effects on the collaborative design process. This framework estimates and quantifies the confidentiality loss and value gain associated with information revelation during design iterations. We believe that such analysis would aid designers in making better decisions about sharing information with their collaborators. Studying this tradeoff may incentivize designers to engage in more frequent, and more secure, collaboration.

1 INTRODUCTION

Information age technologies have provided enormous opportunity to transform designs into digital data, and have also enabled various ways of sharing that data with other designers, especially within a single enterprise. The transparency about the data shared allows every participant to provide their best possible solutions towards achieving mutually agreed-upon objectives. Such approaches provide the best possible utility of every participant's information. This traditional method of open sharing has been very effective among collaborators within a single enterprise.

Modern products, such as cars and aircraft, have become complex in nature. Designing such products requires domain knowledge experts to collaborate with each other. It is unlikely that all the required experts will be within a single organization. Hence, original equipment manufacturers (OEMs) designing these products must rely on design collaborations crossing national and enterprise boundaries.

With globalization, companies face increasingly stiff competition, and many companies have adopted outsourcing in order to reduce the time taken to develop a product. These outsourcing collaborations demand information flow across national and/or enterprise boundaries. In such collaborations, designer(s) typically face barriers to sharing information due to several reasons, such as government regulations and the need for intellectual property protection. There is a growing concern among enterprises: how secure is my confidential data in a collaboration? Companies are hesitant to utilize open sharing of information with collaborators for various reasons. A few of them are listed below:

1. Confidential information can reach competitor(s) through a common collaborator. For example, Bosch is a common supplier to both Audi and BMW, and may pass information from one OEM to another.

2. Collaborators can become competitors. For example, Samsung became a competitor to Apple in many markets.

Copyright © 2016 by ASME

In the early stages of forming a collaborative design team, collaborators need to share critical and confidential information with each other even though they are not sure about whether they will be part of the collaboration. Sometimes, this information sharing is necessary in order to determine the abilities/expectations of a prospective participant or lead collaborator. This is a catch-22 situation for a collaborator; any information revealed at this stage may be leaked to competitors (say by a rejected participant), but may be necessary to determine if the collaboration will be successful. Thus, confidentiality plays a major role in collaboration. This has created a need to address such barriers, so that designers can still engage in meaningful collaboration and make better designs.

One approach to secure information is to use masking techniques, such as generalization and suppression, on confidential information before sharing. These techniques help collaborators to protect their confidential information while sharing by increasing the uncertainty associated with the information shared. This helps in maintaining confidentiality, but this uncertainty can lead to inferior design solutions as compared to open sharing. Other techniques involve legal agreements, such as non-disclosure agreements (NDAs), but these methods do not prevent collaborators from attaining the information, and provide very limited purpose control to the original data owner once the agreement is signed.

Sharing of information may have both positive and negative impacts¹. While these impacts have been studied in supply chains [1–6], there is a lack of understanding of this trade-off in the context of collaborative engineering design. The objectives of this paper are two-fold. First, we discuss the implication of information security in collaborative design. Second, we propose a framework to help designers in determining value gained versus confidentiality lost given potential information to be shared in a collaborative design process, and demonstrate its use with an example.

The rest of the paper is structured as follows. Section 2 provides an overview of state-of-the-art information sharing techniques and highlights the need to help designers in making decisions about revealing information during the design process. Section 3 introduces the proposed framework for studying the value/confidentiality trade-off in collaborative design. We describe the application of this framework in Section 4 and demonstrate its use with an example in Section 5. Section 6 discusses the potential future extensions of this work.

¹ There can be applications where confidentiality is not valued in design. For example, collaborations exist in open source environments. We acknowledge this and we agree that our paper is addressed to applications where confidentiality is valued.

2 LITERATURE REVIEW

In this section, current approaches to addressing the confidentiality/value trade-off in design are presented, with their motivations, virtues, and drawbacks. The goal of this section is to present a targeted survey of work relevant to confidentiality and value in engineering design, which motivates the work presented in following sections. In particular, methods including cryptography, access and inference control, and generalization are discussed, as well as the concept of entropy as an information security measure in collaboration. This measure will be explored throughout the paper.

2.1 Computer Science and Information Security

The concept of information security is well understood in the field of computer science [7–11]. The domain of security in computer science encompasses topics such as confidentiality, integrity, availability and accountability. Confidentiality implies that information is accessible to authorized participant(s) among the participants in a collaboration. Integrity guarantees that design information is immune to intentional or accidental modifications by a non-data owner. Availability implies uninterrupted access to information for an authorized participant. Accountability enables keeping track of the modifications done on a particular parameter. In this paper, we consider only the exchange of information between collaborating designers, and do not consider attacks on a collaborator's information or loss of availability. Thus, we focus on confidentiality of information only, and how this may be related to the value of revealing information.

Multi-party computations are very common in collaborations. In the field of cryptography, this form of computation is well studied [8, 10, 12–14]. Techniques such as fully homomorphic evaluation, and circuit evaluation protocols maintain complete confidentiality, but are complex and time-intensive. Thus, further study into such computations, especially in early design stages which are inherently iterative in nature and involve uncertainty in the selection of design parameters, is needed. In this paper, we focus on the trade-off between value of information to a design process and the loss of confidentiality through revelation, and not these existing protocols.

2.2 Security in Collaborative Design

Recent work on collaborative engineering design focuses on two key areas: (i) enabling collaboration between geographically distant designers, often through the 'cloud' or on some other problem-specific platform [15], and (ii) securing the information passed between collaborators. For the second area in particular, research in computer science, information theory and cybersecurity has made tremendous progress in protecting collaborators' information from outside attackers [15, 16].

When sharing data or other information, designers often wish to protect some data from their collaborators. When sharing/protecting information on, say, parameters in a model, two common approaches are used: (i) access control and (ii) inference control. In access control, one designer simply denies access to certain information for one or more collaborators. Typically, this option is built into collaboration platforms, such as CAD platforms allowing sharing in neutral file formats such as .IGES [6]. Designers can also refuse to share certain information, requiring collaborators to rely on prior information and experience to form estimations, unless their role in the design process requires that information [17]. In inference control, designers actively seek 'safe' information to reveal to collaborators; such information limits what can be learned about his or her sensitive information when made public. In engineering design, models are typically physics-based and often provide clear mathematical dependencies that may be exploited to gain more information on a hidden parameter [2, 6]. When one parameter is revealed, these dependencies may be used to learn more about another parameter; these inferences are actively sought out and prevented using inference controlling security measures. These issues have been studied in an engineering context primarily with supply chains.

2.3 Information Sharing in Supply Chains

The issue of confidentiality preservation has been a recent topic of investigation in supply chain management. As examples, recent focus areas include protection of intellectual property in supply chains [18] and research into secure supply chain collaboration and risks inherent in sharing product information [19, 20]. Zhang and coauthors quantify the risk of leaking design parameters during supply chain collaboration using Bayesian statistics [6], providing a conceptual framework for modeling the security risk associated with sharing design parameters. In Zhang's work, it is assumed that the manufacturer has control over all parameters in the design, and that the design is already finalized or close to being finalized. The manufacturer must consider the effects of revealing information on one parameter to a supplier on the supplier's knowledge of other parameters. Wang and coauthors have developed protocols allowing for convergence to an optimal solution when there are relatively few design parameters and mathematical system models are of high fidelity and commonly known [13].

In design, and especially in early collaborative design, confidentiality preservation is also crucial. In particular, design information leakage [6, 13, 18] during design iterations, where information may be exchanged frequently with varying confidentiality risk and value gain, is of interest. When information is exchanged, some confidentiality may be preserved using methods such as suppression and generalization.

2.4 Suppression and Generalization

Suppression and generalization primarily relate to database publishing, rather than releases of individual parameter values. Suppression involves removing some elements of the database completely, while generalization involves replacing values in the database with corresponding ranges (x = 20 becomes x ∈ [0, 30], for example) [11]. The goal is to prevent a user from identifying particular entries in a database (such as a particular person with some disease in a medical database) while still being able to perform meaningful statistical calculations.

As an example, suppression and generalization are common practice when releasing sensitive census or medical data. Consider for instance that regulations require individual entries in a health database to be obscured [11, 21]. Thus, the publisher must ensure that any user accessing the database cannot identify a particular member of the dataset by studying the relationships between data values. In engineering, a designer sharing a parameter-free .STEP file, and not the fully parametrized version containing fine dimension data, is an example of suppression, while sharing datasets with common ranges instead of the exact values being used is an example of generalization.

Suppression and generalization have widespread applications in database sharing, and have motivated a large body of research. In particular, k-anonymity forms the basis of most practical database sharing methods [11]. The k-anonymity approach involves using suppression and/or generalization to statistically ensure that the modified database may, at most, allow a user to identify a group of size k by studying the data. Thus, any member of the database is assured that there are at least (k−1) other members that would look identical to an attacker.

This method quickly becomes less useful, and eventually useless, as datasets increase in dimension (this is described as the 'curse of dimensionality' in literature [21]), or as the attacker's prior information over members of the dataset increases. L-diversity, which involves ensuring anonymity between groups in the dataset, addresses some of this concern but also fails with high-dimensional datasets or well-informed attackers [21]. In the context of collaborative design, such an attacker may be a collaborator interested in learning more about a competitor's design or business model by studying such a dataset. Still, generalization and suppression are valuable to designers trying to communicate broad information for low-dimensional problems.
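A worked illustration of the generalization and suppression steps described in this section, added here and not part of the paper: constructed supplier records are generalized into ranges and then suppressed wherever a quasi-identifier group is smaller than k, and the released table is checked for k-anonymity. The column names, records and bin widths are constructed assumptions.

```python
"""Generalization and suppression toward k-anonymity (Section 2.4).

Added example, not code from the paper.  A constructed table of supplier
records is released after (1) generalizing numeric quasi-identifiers into
ranges (x = 20 becomes x in [0, 30]) and (2) suppressing whole records whose
quasi-identifier combination is shared by fewer than k records, so that every
released record is indistinguishable from at least k-1 others on those columns.
"""
from collections import Counter

# Constructed sample data.  "region", "cylinders" and "torque_nm" are the
# quasi-identifiers a curious collaborator could match against outside
# knowledge; "unit_cost" is the sensitive value; "id" is a direct identifier.
RAW_RECORDS = [
    {"id": "S1", "region": "EU",   "cylinders": 4, "torque_nm": 250, "unit_cost": 1200},
    {"id": "S2", "region": "EU",   "cylinders": 4, "torque_nm": 270, "unit_cost": 1250},
    {"id": "S3", "region": "EU",   "cylinders": 6, "torque_nm": 400, "unit_cost": 2000},
    {"id": "S4", "region": "US",   "cylinders": 4, "torque_nm": 260, "unit_cost": 1150},
    {"id": "S5", "region": "US",   "cylinders": 4, "torque_nm": 240, "unit_cost": 1100},
    {"id": "S6", "region": "EU",   "cylinders": 6, "torque_nm": 410, "unit_cost": 2100},
    {"id": "S7", "region": "ASIA", "cylinders": 8, "torque_nm": 600, "unit_cost": 3500},
]
QUASI_IDENTIFIERS = ("region", "cylinders", "torque_nm")


def generalize_value(value, width):
    """Replace a number by the range [lo, hi) of width `width` that contains it."""
    lo = (value // width) * width
    return (lo, lo + width)


def generalize(record, bins):
    """Copy of `record` with each column named in `bins` replaced by its range."""
    out = dict(record)
    for column, width in bins.items():
        out[column] = generalize_value(record[column], width)
    return out


def qi_key(record):
    """The quasi-identifier tuple an attacker would try to match on."""
    return tuple(record[c] for c in QUASI_IDENTIFIERS)


def is_k_anonymous(records, k):
    """True when every quasi-identifier combination occurs at least k times."""
    counts = Counter(qi_key(r) for r in records)
    return all(n >= k for n in counts.values())


def anonymize(records, k, bins):
    """Generalize, then suppress under-sized groups; return (released, suppressed_ids)."""
    generalized = [generalize(r, bins) for r in records]
    counts = Counter(qi_key(r) for r in generalized)
    released, suppressed = [], []
    for rec in generalized:
        if counts[qi_key(rec)] >= k:
            # Drop the direct identifier before release.
            released.append({c: v for c, v in rec.items() if c != "id"})
        else:
            suppressed.append(rec["id"])
    return released, suppressed


if __name__ == "__main__":
    print("raw table 2-anonymous?", is_k_anonymous(RAW_RECORDS, 2))
    released, dropped = anonymize(RAW_RECORDS, k=2, bins={"torque_nm": 100})
    print("released", len(released), "records; suppressed", dropped)
    for rec in released:
        print(rec)
    # Raising k with the same bins shows the cost: every group becomes too small.
    print("k=3:", anonymize(RAW_RECORDS, k=3, bins={"torque_nm": 100}))
```

With the raw torque values every record is unique, so nothing can be released at k=2 until torque is generalized; the k=3 run shows the opposite failure, where the whole table is suppressed.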

2.5 Research Gaps

We wish to analyze confidentiality and value of private information during a collaboration, especially in early design. Hence, the work discussed in this section is relevant but cannot be directly deployed.

Existing work in computer science does not focus on the study of inference during collaboration, and current methods may be difficult to implement and may be too time-intensive to be used during design iterations. Existing literature in supply chain management does not address the quantification of confidentiality lost in iterative collaborative design as information is shared during the early design process, nor does it address the quantification of value gained by sharing certain information as a balance to security lost. This trade-off, especially applied to early design where parameters may change rapidly, has not been studied, nor has the effect of sequential revelations throughout multiple design stages.

This trade-off may also be considered from the perspective of a non-cooperative game between collaborators involved in decentralized design scenarios. There is an established interest in investigating the applications of game theory and related fields in collaborative design, going back to Vincent [22]. Interactions between such collaborators have been investigated from the perspective of game theory [23], as well as the evolution of collaborative decisions [24, 25]. Evaluation from the perspective of the value/confidentiality trade-off, however, has not been addressed.

In this paper, the primary interest is in protecting information held by one collaborator from the other collaborators, while at the same time studying the value some information revelation may have in the collaboration effort. In many design scenarios, and especially in early design, collaborators may wish to protect some of their information or knowledge from each other, knowing that today's collaborator is tomorrow's competitor. In some cases, one party may not even be confident in the feasibility of a collaboration, and wishes to protect sensitive information until that feasibility is established. The challenge addressed here is revealing just enough information to ensure usefulness without too large a compromise in confidentiality.

If uncertainty regarding parameters or other design information is modeled using random variables with probability density functions representing the current state of knowledge possessed by a collaborator, the risk of sharing some information due to inferencing may be quantified using methods like Kullback-Leibler divergence or differential entropy, discussed later. This form of analysis has been the focus of some study [6, 19] and is explored in the following sections. In Section 3, we establish the general framework followed for the remainder of this paper.

3 FRAMEWORK FOR ANALYZING THE IMPACT OF INFORMATION SHARING IN COLLABORATIVE DESIGN

Collaborative design processes may have more than one objective to be met. A common approach is to partition the design process into stages. Stages can be targeted towards different "Design for X" (DFX) activities, where X may be manufacturing, feasibility, environment, etc. Each stage involves designers working towards a design goal. At each stage, the responsible designers are assigned a specific task towards meeting the objective in that stage.

These design processes involve exchanges of information, and most of the existing processes encourage open sharing among collaborators to get the best possible solutions from the collaboration. However, some of these information exchanges may involve confidential information. Moreover, these information exchanges may be iterative in nature, with compounding effects. Thus, there is a need to analyze information leakage associated with these exchanges. In this section, we establish a generalized framework for examining such information exchanges during a design process.

[Figure 1: a plot of the participant's state of knowledge K(p,i) (vertical axis) against information exchanges (horizontal axis), rising from the participant's initial state of knowledge toward the participant's maximum state of knowledge.]

FIGURE 1. Participant's state of knowledge (K_{p,i}) vs information exchanges

3.1 A Model for Collaborative Design

Collaborative design involves participants² working with parameters and the relationships between parameters. While designing, parameters/relationships may vary or remain constant throughout the design process. Parameters are numerical in nature, whereas relationships can be numerical, logical, relational, or arithmetic. Every participant in a collaboration works with a certain set of parameters and relationships. These sets can be mutually exclusive, mutually inclusive, or both. For performing a certain task assigned at a given design stage, participants may choose to exchange information on these parameters and relationships.

Through these information exchanges, every participant develops knowledge on the parameters and relationships involved. We define this as the participant's state of knowledge after those information exchanges. As the design evolves, this state of knowledge might increase or stay constant. One such possible scenario is illustrated conceptually in Figure 1. This figure denotes the state of knowledge of a particular participant across information exchanges that occur during an entire design process. Before the start of information exchanges, it is possible that a participant has some initial knowledge. This state is referred to as the participant's initial state of knowledge. Within a collaboration, usually, this state of knowledge has an upper bound defined by the owner of that parameter/relationship. Consider the following example: an OEM and a supplier are collaborating with each other. Assume that the supplier is supplying tires to the OEM. In our framework we assume that the supplier has better knowledge (such as performance characteristics) about its tire than the OEM.

² The entities (e.g., designers or teams) involved in a collaboration will be referred to as participants.

FIGURE 2. Product Model

3.1.1 Product model. Let n denote the number of participants in a collaboration. Let P_i denote the i-th participant and P_{-i} denote all the participants except P_i. Also, let K_{p,i} denote the state of knowledge of the i-th participant on parameter or relationship p. As the collaboration proceeds, participants exchange information about the parameters and relationships involved. In other words, other participants (P_{-i}) learn and their state of knowledge, say on parameter p, increases. Let K_{p,-i} denote the states of knowledge achieved by all except P_i on parameter p. Please note that K_{p,-i} and P_{-i} are sets of length (n−1), whereas K_{p,i} and P_i are singleton sets. Further, these parameters and relationships can be classified into the following categories:

Private Parameter/Relationship: A parameter/relationship owned by a single participant P_i. For example, only the OEM will be aware of the emission strategy while designing a car.

Shared Parameter/Relationship: A parameter/relationship owned by a single participant P_i whose value is known to a set of participants, S. Please note the size of set S: |S| ≤ n. For example, some (but perhaps not all) collaborating manufacturers will know the number of cylinders in an engine.

A scenario of the product model is illustrated in Figure 2. The boxes in gray represent participants, and the circles within the box denote the ownership of parameters/relationships by that participant. The white circles (and dotted lines) represent shared parameters (and shared relationships) and the black circles (and solid lines) represent private parameters (and private relationships). This model attempts to describe the relationships, the parameters, and their interactions in a way relevant to all participants, similar to the concept of Logical Dependency Graph introduced by Zhang [6] but with emphasis on knowledge ownership and evolution of knowledge throughout a collaboration.

3.1.2 Process model. Design processes involve various stages. At a design stage k, there is a goal (g_k) to be met. Please note that g_k is a function of parameters and relationships involved in the design. For example, while designing a car, an initial goal may be to pass emission standards. At later stages, performance could be considered. In this process, the car design will be updated if the expected improvement at a given stage meets the stage goal. The process model illustrated in Figure 3 describes two design stages, k and k+1. In these design stages, we use the product model along with a decision gate. This decision gate is used to decide whether to iterate the design by sharing more information and recalculating, or to commit the design and move to the next stage.

With these definitions in place, we shall now state the assumptions upon which this framework is built.

3.2 Key Assumptions in this Framework

There are several general assumptions implicit in this framework. These include:

1. Every participant works towards mutually agreed objective(s) subject to his/her internal constraint(s).

2. Every participant is honest but curious; i.e., he/she will not deliberately try to deceive other participants and will work towards the goals of the collaboration, but is also interested in gaining knowledge of the other participants' private information.

3. Every participant tries to minimize sensitive information leakage while sharing and maximize the benefits of the collaboration.

3.3 Need for Quantifying the State of Knowledge

Every participant is curious, and wants to learn about private information belonging to other participants. So, participants develop a fear of P_{-i} making inferences about their private information during collaboration. Hence, participants adopt techniques discussed in Section 2, such as suppression and generalization, to overcome this fear. However, these techniques may not inhibit P_{-i} from making reasonably good estimates on the private information of P_i. Although these estimates may draw on several factors, such as market information or reverse engineering, in our framework we restrict these inferences such that they are entirely due to the information shared by P_i during design iterations.

Given that these inferences are possible, P_i desires an approach to predict increases in the state of knowledge K_{p,-i} while sharing information on parameter j. In other words, P_i wishes to estimate P_{-i}'s understanding of parameter j, parameter p, and the relationships between them in order to estimate K_{p,-i} given the potential information on j. Based on this estimation, P_i may develop a strategy for parameter j that best controls the states of knowledge of the other participants on parameter p. Without loss of generality, we consider that an increase in K_{p,-i} would result in information leakage on parameter p from P_i's point of view.

3.4 Confidentiality and Value in Collaborative Design

In collaboration, typically, information exchanged is used in certain forms of computations, or (in the case of relationship information) to define computations. In Section 2, we saw different information exchange methods that enable us to perform secure multi-party computations (SMCs). These methods provide different levels of protection against information leakages. We consider such information leakages as leading to loss of confidentiality.

FIGURE 3. Process Model

Now, we shall briefly discuss the different ways of maintaining confidentiality within a collaboration.

In Zero Confidentiality, all parameters and relationships involved are made available to all the participants throughout the collaboration. In other words, there is no confidentiality associated with the parameters. In Semi-Confidentiality, confidentiality is compromised strategically to improve the solution obtained through the collaboration. In this scenario, one or more participants would share his/her private information with a set of collaborators as the collaboration proceeds, or share a generalized or suppressed version of the information to preserve some confidentiality [11, 21], as discussed in Section 2. In Full Confidentiality, the extreme case of Semi-Confidentiality, neither the parameters nor their relationships are revealed throughout the collaboration. So, a particular participant is only aware of the exact values of his own model parameters and the associated relationships.

In these information exchanges, however, it is apparent that transparency helps in achieving the best possible solutions from a collaboration. As discussed in Sections 1 and 3.3, information sharing in a collaboration can have adverse effects as well. Thus, all participants must consider the value and confidentiality associated with every parameter and relationship involved in a collaboration, both during collaboration and before agreeing to a potentially collaborative project. We define these two indicators as follows:

Value: At a given design stage k, information is exchanged in order to meet the goal gk. Each participant has their own understanding of design goals; in this paper we consider goals gk to be common knowledge. Here, the value Vi is defined as the confidence of Pi towards achieving the goal gk given the information shared by Pi.

Confidentiality: In Section 1, we stated that confidentiality involves a set of rules through which authorized personnel can access sensitive information. In the collaborative design context, this translates to the access of parameters or relationships of Pi by P−i. The rule we adhere to is as follows: Pi is willing to share information if max(Kp,−i) is below his/her acceptable threshold. That is, any member of P−i should not learn more than what is acceptable to Pi about the parameters and relationships owned by Pi.

In Section 4, we explain the techniques to determine the confidence of Pi and max(Kp,−i). Please note that the thresholds mentioned here are subjective in nature; they can be determined by psychometric models or derived from economic or other models. Since the scope of this paper is only to build the framework and demonstrate its use, such models are not discussed here.

In the following section, we develop a specific collaborative design scenario, which will be explored for the remainder of this paper as an example of how this framework can be applied.

4 APPLICATION OF THE PROPOSED FRAMEWORK

In this section, the state of knowledge on parameters and relationships is modeled using probability distributions from a Bayesian point of view. At the start of collaboration, each participant Pi has priors on other participants’ private parameters and relationships. A random variable, say X, with probability density function P(X = x) = p(x), may be used to model the current state of knowledge (Kp,i) the participant has on a given parameter p. For instance, a parameter generalized to some range could be modeled as a uniformly distributed random variable with the corresponding upper and lower bounds. As design iterations occur, the state of knowledge (Kp,i) changes and these distributions will be adjusted through direct (shared) or inferred information.

We use the framework presented in Section 3 to quantify both value and confidentiality based on these priors. This quantification is based upon the notions of divergence and differential entropy, which are described later in this section. For this section, we consider the following specific design scenario:

The goal of each participant Pi is to minimize an objective function, with feasible solutions being those that drive the objective function below some goal gk,i.



4.1 Value Analysis

When information is revealed during an exchange at design stage k, the participant(s) owning the information wish to add some value to the design, with respect to achieving the design goal (gk). To gain a better understanding of the information’s impact in the collaboration, the participant Pi is interested in quantifying the value of his/her information. The value of the information revelation is quantified using probability theory.

As an example, consider an aircraft design problem where there is a constraint on the maximum weight of the engine. At the current design stage, meeting this constraint is the goal gk. The value of some revelation by participant Pi corresponds to the probability of achieving a design below the maximum weight, given the information being revealed and the current state of knowledge of participant Pi.

The design goals may be formulated in terms of relevant parameters and their relationships (gk = f(p)), and can be determined by every participant. Here, p denotes the parameters and f denotes the relationships involved. However, the values differ since the Kp,i are different among the participants. Assume that for a particular participant Pi, a probability distribution function (pdf) fPi(p) can be constructed based on Kp,i for the design goal (see footnote 3), perhaps through some uncertainty propagation analysis such as a Monte Carlo simulation (as done for the example presented in Section 5). For this participant and his/her objective function(s), given some goal gk,i denoting the maximum feasible value of that objective, the value index VI_est is given by a ratio of cumulative distribution function (cdf) evaluations:

$$VI_{est} = \int_{-\infty}^{g_{k,i}} f_{P_i}(p)\,dp \qquad (1)$$

which quantifies the probability of achieving a feasible solution given gk,i. As an example, consider an early stage design goal of keeping an artifact under some target weight, gk,i : Weight < Target. A visualization of this index for a given distribution for a parameter p is given in Figure 4. This index has a minimum of 0 (no probability of a feasible solution) and tends to 1 as the probability of feasibility increases. Note that if the participant has a minimum value target, then the numerator integral has the range [gk,i, +∞) instead.

Next, we discuss our approach to confidentiality analysis, and introduce the concepts of divergence and differential entropy.

4.2 Confidentiality Analysis

Let Q(X = x) represent the knowledge prior to an information exchange, and M(X = x) represent the knowledge following an information exchange. We use the following two quantification methods to analyze these priors: (i) Kullback-Leibler (KL) divergence [6], [26] and (ii) differential entropy and the corresponding privacy measure [26], which may be used to construct a confidentiality index (CI).

Footnote 3: p denotes the parameters/relationships involved and hence fPi(p) is a vector.

FIGURE 4. Calculating VI based on design parameter pdf (figure: the pdf P(X = x) = P(p) plotted against p, with the area ∫_{−∞}^{g_k} f_{P_i}(p) dp up to p = g_k shown against the total area ∫_{−∞}^{+∞} f_{P_i}(p) dp under the curve)

KL divergence quantifies the difference between two pdfs. The higher the KL divergence, the greater the change from prior to posterior knowledge. It should be noted that this does not necessarily correspond to a “more correct” view of the parameter, but only that knowledge has changed. The KL divergence DKL(M||Q) of any distribution Q(X = x) = q(x) from M(X = x) = m(x) is given by [6]:

$$D_{KL}(M\,||\,Q) = \int_{-\infty}^{+\infty} m(x)\,\log\!\left(\frac{m(x)}{q(x)}\right) dx \qquad (2)$$

Differential entropy may be derived from KL divergence, and is a measure of the ‘randomness’ of a pdf. When the pdf models uncertainty in a parameter, it is also commonly extended to quantify that uncertainty. In the case of a confidential parameter that is intentionally obscured, it may be used to quantify confidentiality as well [26]. For a random variable X with pdf m(x), the differential entropy H(X) is defined as [26]:

$$H(X) = -\int_{-\infty}^{+\infty} m(x)\,\log(m(x))\,dx \qquad (3)$$

If parameter p, modeled using random variable X where M(X = x) = m(x), is intentionally being hidden, the corresponding privacy measure Π(p) may be defined as [26]:

$$\Pi(p) = e^{H(X)} \qquad (4)$$

As information exchanges take place, the plausible ranges of parameter p may decrease. This corresponds to narrower distributions of X, and thus a smaller Π(p). This is of interest to participants who do not own data on parameter p.

Entropy’s advantage over KL divergence as a security measure in collaboration is that decreasing entropy directly corresponds to increased confidence in a parameter value, which relates directly to loss of security on that parameter given feasible prior knowledge. Note that this measure is not suited for unbounded distributions. However, such distributions are unlikely to occur in an engineering context.

The Confidentiality Index (CI), corresponding to a given parameter and a given participant, is given by

$$CI_{est} = \frac{\Pi_{est}}{\Pi_0} \qquad (5)$$

where CI_est is the current estimated confidentiality index of the given parameter with respect to the current state of shared information, Π0 is the security measure corresponding to the initial state of knowledge, and Πest is the estimated security measure based on max(Kp,−i) (defined in Equations 3 and 4), given the potentially revealed information. Note that our focus in this paper is quantifying the confidence of the participant in a given confidential parameter estimation. Our metric for confidentiality focuses solely on the entropy of the posterior distribution, and differs from other metrics, such as the conditional probability proposed by Zhang [6], which consider confidentiality lost when a participant-defined working range of a parameter is achieved by another participant.

4.3 Further Assumptions in this Scenario

Based on the quantification methods described in Sections 4.1 and 4.2, we assume the following:

1. The Confidentiality Index (CI) is a monotonically decreasing function with respect to the number of design iterations. That is, as information is revealed, confidentiality decreases or remains constant.

2. Participants distinguish between private parameters, which they are interested in protecting, and design parameters, which they alter when provided updated information to improve the design. Participants will only alter their design parameters to better meet the design requirements. Only in situations where feasible designs are very unlikely will participants opt to alter their private parameters.

In the following section, we apply this analysis to an example design scenario.

5 ILLUSTRATION WITH AN EXAMPLE

We assume a collaborative design scenario involving two participants. A structural designer (Alice) approaches a material designer (Bob) to co-design a truss (adapted from [27]). In this collaboration, Alice’s expertise (or private information) is limited to the data related to geometry and the forces likely to be experienced at the nodes of this truss. She is not an expert in material selection. Previous experience allows her to form general priors regarding both parameters that she is confident contain the true values. In this scenario, Alice is the leader of the collaboration, i.e., Alice drives the design process and decides when a design iteration proceeds.

FIGURE 5. Symmetric Truss Configuration (figure: two bars, each spanning a horizontal distance B from its support to the welded joint at height H, carrying a vertical load 2P; Section A-A shows the tubular cross-section with outer diameter d and wall thickness t)

Bob, being a material designer, determines the value of the diameter for the truss members. However, he is reluctant to share his choices for material parameters with Alice. Alice’s objective in this collaboration is to minimize the weight W of the truss.

The configuration of the truss is illustrated in Figure 5. Two tubular bars of thickness t are pinned to the surface at one end and welded to each other at the other end. These members are subjected to a vertical load of 2P. The outer diameter of the tubes is d, and the welded joint is at a height H.

Alice can have private parameters associated with her objective function, Fdes. For example,

$$F_{des} = k_1 W + k_2 W V \qquad (6)$$

where W, V denote the weight and volume, respectively, of the truss configuration, and k1, k2 are weightages in the objective function. Alice can have such weightages as private parameters. However, in the current example, we assume Fdes to be just the weight (W) of the truss. The weight is given by [27]:

$$F_{des} = W = 2\pi d\, t\, \gamma \sqrt{B^2 + H^2} \qquad (7)$$

where W0 is the maximum allowable weight of the truss from Alice’s point of view. So, W0 would be a private parameter of Alice and W ≤ W0 is a private relationship. Bob would like to know the possible diameter of the rod for a combination of load and geometry. The constraint on diameter (d) is given by [27]:

$$\frac{P\sqrt{B^2 + H^2}}{\pi\, t\, s_f\, H\, \sigma_0} \le d \qquad (8)$$

where s_f is the factor of safety. Both Alice and Bob are ignorant of the exact values of their collaborator’s parameters. The ownership of these parameters is listed in Table 1. However, Bob has prior knowledge on Alice’s private parameters (P, t). These priors may be informed by prior experience, initial contact with Alice, or a combination of these and other factors, and serve as a model of Bob’s initial state of knowledge. With these priors, Bob determines his first proposal for the diameter, d. Based on acceptance/rejection of Bob’s design proposals, Alice would offer more information on her parameters, and Bob would refine his own priors and his solution for d. The information exchanges that occur between Alice and Bob are briefly described as follows:

1. Bob shares a value of diameter d with Alice based on his current understanding of P, t.

2. Alice determines the weight W using the diameter d proposed by Bob and her priors on Bob’s values for γ and σ0, and informs Bob if the proposed diameter is acceptable (see next section).

3. If the proposed diameter is rejected, Bob needs more clarity on Alice’s private information to re-design. So, he performs a value analysis on one of Alice’s private parameters and arrives at a value of VI. He shares this with Alice and asks her to reveal private information.

4. Alice concurrently performs confidentiality analysis and determines the confidentiality index, and estimates the value index stemming from revealing the requested information. If both value and confidentiality indexes are above her threshold, she reveals further information. Else, Alice stops information sharing and the design is accepted as-is or the collaboration is terminated.

These information exchanges are summarized in Figure 6. Now, we illustrate our approach with this example. The following are assumptions made for this analysis:

1. Alice’s revealing strategy is as follows: information only about a particular piece of private information (parameter or relationship) is revealed in all the design iterations involved. If Alice’s confidentiality index is above her threshold, she chooses to reveal information either on P or t, but not both.

2. The limits for Alice’s and Bob’s confidentiality index are 0 and 1. Hence, design iterations continue until VI approaches 1 or CI approaches 0.

3. Relationships are universally shared throughout the collaboration. Alice is concerned only with the confidentiality of her parameters.

Using this example, we determine which parameter revelations might be beneficial for Alice, given some subjective criteria for value and confidentiality. The following sections are meant as an illustration of Alice’s and Bob’s communication throughout several design iterations of this initial design stage. As Alice is the leader of this collaboration, we work from her perspective, focusing on her concepts of value and confidentiality.

5.1 Revealing information on load, P

We first assume that Alice and Bob meet and establish an initial knowledge state. That is, they agree on the mathematical models governing the co-designed system, the shared parameters, and the private parameters. In this example, we assume that Alice and Bob decide to reveal their values of H and s_f, respectively (note that in this scenario H = B). We also assume the actual values of the private parameters and the priors held by the opposite collaborator are as stated in Table 2. Bob’s priors on (P, t) are derived from Alice’s description of the design problem, while Alice’s priors on (σ0, γ) stem from Alice’s implicit knowledge of Bob’s likely material (steel).

Thus, Alice may reveal information on P or on t in order to drive Bob to provide more satisfying values of d (that is, d values that drive the weight down while still being safe under the load). In this example, we assume this revelation comes from Alice narrowing Bob’s priors on these parameters (telling Bob that P ∈ [100,300] kN instead of P ∈ [100,500] kN, for instance). Alice first considers revealing information on P to Bob by narrowing the revealed range of possible P values until the value is completely revealed.

In this section, we restrict ourselves to analysis of Alice providing information to Bob. The converse analysis may be carried out in a similar fashion. The initial state of knowledge on the private and design parameters was generated through Monte Carlo simulation in Python with respect to the initial priors given above and in Table 2, and is plotted as sampled distributions in Figure 7.

5.1.1 Value Analysis

Alice (and Bob) first consider the value of such a revelation. Both Alice and Bob perform this analysis by assigning a Value Index (VI) describing the desired outcome. In this analysis, Alice wishes to minimize the weight W of the truss. Thus, Alice decides on an estimated Value Index, defined as follows:

$$VI_{est} = \frac{P(W < W_0)_{est}}{P(W < W_0)_{des}} = \frac{\int_{-\infty}^{W_0} p(w)\,dw}{\int_{-\infty}^{+\infty} p(w)\,dw} \qquad (9)$$

where P(W < W0)des is the desired probability that the final truss weight will satisfy the requirements; in this case, P(W < W0)des = 1. P(W < W0)est is the estimated probability of the same event given that the considered information on P is revealed. VI_est = 1 corresponds to an estimated 1.0 probability of a successful value of W, given the information. These probabilities are arrived at by constructing a probability distribution for the final value of W considering Alice’s priors on the material density γ, and Alice’s expectation on the change in d given the considered revelation and her comprehension of Bob’s prior on t, using Equations 7 and 8. The probabilities in Equation 9 are given by the CDF of the distribution of W in the range [0, W0]. These and subsequent calculations were carried out using Alice’s and Bob’s current knowledge states.



FIGURE 6. Exchange information protocol during design iterations, Alice providing information to Bob (flowchart with the steps “Alice asks Bob to submit his design proposal”, “Bob estimates priors on Alice’s private information”, “Bob submits design proposal to Alice”, “Alice computes VI for a particular information”, “Alice computes CI for the same particular information” and “Alice will share information with Bob”; the decision nodes “Alice’s objective is met?”, “VI_curr < VI_next” and “CI_thres < CI_next”, each with Yes/No branches; and the terminal node “End of design iterations”)

FIGURE 7. Initial information represented by samples of probability distributions of parameters P (a), t (b), W (c), and d (d)



TABLE 1. Symmetric truss design: Problem Formulation

Parameter              Alice                               Bob
Internal Constraints   W = 2πdtγ√(B² + H²) ≤ W0            P√(B² + H²) / (π s_f t H σ0) ≤ d
Design Variable        W                                   d
Private Parameters     P, t, W0, B                         γ, σ0, s_f

TABLE 2. Bob’s state of knowledge when Alice is making revelations on P

Parameter            Units    Iteration 1      Iteration 2      Iteration 3      Iteration 4      Iteration 5
Private Parameters   kN/m³    γ = 81.4
                     MPa      σ0 = 400
                     -        s_f = 1
Shared Parameters    m        B = 0.762
Priors               kN       P ∈ [100,500]    P ∈ [100,500]    P ∈ [100,370]    P ∈ [100,330]    P ∈ [100,300]
                     mm       t ∈ [1,6]        t ∈ [1,6]

Alice (and Bob) arrive at values for VI_est conditional on the revealed range of P. These are then compared against each other and the confidentiality indexes calculated as described in the following section to arrive at a revelation strategy.

5.1.2 Confidentiality Analysis

Alice now considers the confidentiality compromised on her other private parameter, t. As Alice reveals information on P, Bob gains insight into the design problem and may update his prior on t as he also works to refine his value of d. Alice attempts to estimate and quantify this effect by constructing an estimated Confidentiality Index for each potential revelation, as follows:

$$CI_{est} = \frac{\Pi(t\,|\,\text{reveal})}{\Pi(t\,|\,\text{initial})} \qquad (10)$$

where CI_est is the estimated Confidentiality Index on t given Bob’s initial state of knowledge and the new state after the potential revelation. Π(t|initial) is the confidentiality (see Section 4.2) on t given the initial information, while Π(t|reveal) is the confidentiality given the potential revelation. CI_est = 1 corresponds to no loss of confidentiality on t, while CI_est = 0 corresponds to complete confidence in Bob’s value of t given the current d. Note that Bob could still deviate from the true value of t, due to his lack of knowledge on the optimal value of d. These confidentialities are found by constructing the expected distributions of t given Bob’s assumed information on P, d, and his private information at the given iteration and state of knowledge, and then following the entropy calculation outlined in Section 4.2. Again, this is achieved using Equation 4.
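The value and confidentiality analyses of Sections 4.1, 4.2, 5.1.1 and 5.1.2 worked through in code, as an added example that is not the authors’ own Monte Carlo script (which the paper does not publish). Bob’s values and priors come from Table 2 and the revelation ranges from Table 4; Alice’s allowable weight W0, her true thickness, her priors on γ and σ0, and the rules by which Bob sizes d and reads t back off Equation 8 are constructed assumptions, marked as such in the comments.

```python
"""Value index (Eqs. 1, 9), KL divergence (Eq. 2), differential entropy and
privacy measure (Eqs. 3, 4) and confidentiality index (Eqs. 5, 10), worked
through on the symmetric truss of Section 5. Added example: the paper does
not publish its Monte Carlo code, and the modelling assumptions below are ours."""
import math
import random


def kl_uniform(m_range, q_range):
    """Eq. (2) in closed form for two uniform pdfs with supp(M) inside supp(Q):
    D_KL(M||Q) = log((q_hi - q_lo) / (m_hi - m_lo)). Infinite when M has
    mass where Q has none. Natural logarithms throughout."""
    (m_lo, m_hi), (q_lo, q_hi) = m_range, q_range
    if m_lo < q_lo or m_hi > q_hi:
        return math.inf
    return math.log((q_hi - q_lo) / (m_hi - m_lo))


def differential_entropy(samples, bins=20):
    """Eq. (3) estimated from samples through a histogram density."""
    lo, hi = min(samples), max(samples)
    if hi == lo:                     # fully revealed parameter: H = -inf, Pi = 0
        return -math.inf
    width = (hi - lo) / bins
    counts = [0] * bins
    for s in samples:
        counts[min(int((s - lo) / width), bins - 1)] += 1
    n, h = len(samples), 0.0
    for c in counts:
        if c:
            p = c / (n * width)      # density estimate on this bin
            h -= p * math.log(p) * width
    return h


def privacy_measure(samples):
    """Eq. (4): Pi = exp(H(X)); for a uniform on [a, b] this is the width b - a."""
    return math.exp(differential_entropy(samples))


def value_index(samples, goal):
    """Eq. (1)/(9) for a maximum-type goal: VI = P(objective < goal)."""
    return sum(1 for s in samples if s < goal) / len(samples)


# Truss data from Table 2, plus the Alice-side values the paper keeps private.
B = H = 0.762                    # m, shared geometry (H = B in the scenario)
SF = 1.0                         # Bob's safety factor, revealed at the start
LENGTH = math.sqrt(B**2 + H**2)  # bar length sqrt(B^2 + H^2)
T_PRIOR = (1e-3, 6e-3)           # m, Bob's prior on Alice's thickness t (Table 2)
T_TRUE = 2.54e-3                 # m, Alice's true t (constructed, inside Table 3's last range)
W0 = 100.0                       # N, Alice's allowable weight (constructed; not given in the paper)
ALICE_SIGMA0 = (350e6, 450e6)    # Pa, Alice's prior on Bob's sigma0 (constructed, steel-like)
ALICE_GAMMA = (75e3, 85e3)       # N/m^3, Alice's prior on Bob's gamma (constructed)


def bob_diameter(P, t, sigma0):
    """Eq. (8) at equality: smallest d Bob can propose for load P (N), wall t (m)."""
    return P * LENGTH / (math.pi * t * SF * H * sigma0)


def truss_weight(d, t, gamma):
    """Eq. (7): W = 2 pi d t gamma sqrt(B^2 + H^2)."""
    return 2 * math.pi * d * t * gamma * LENGTH


def alice_value_index(p_range_kN, n=20000, seed=7):
    """Alice's VI_est for revealing P in p_range_kN (Section 5.1.1).
    Assumption (ours): Bob sizes d with Eq. (8) at the expected values of his
    priors on P and t; the weight at Alice's true t is then uncertain only
    through her priors on Bob's sigma0 and gamma."""
    rng = random.Random(seed)
    p_exp = 1e3 * sum(p_range_kN) / 2      # N
    t_exp = sum(T_PRIOR) / 2               # m
    weights = []
    for _ in range(n):
        d = bob_diameter(p_exp, t_exp, rng.uniform(*ALICE_SIGMA0))
        weights.append(truss_weight(d, T_TRUE, rng.uniform(*ALICE_GAMMA)))
    return value_index(weights, W0)


def alice_confidentiality_index(p_range_kN, n=20000, seed=11):
    """Alice's CI_est on t for revealing P in p_range_kN (Section 5.1.2).
    Assumption (ours): with his d fixed, Bob reads t off Eq. (8) at equality
    for each P in the revealed range, t = t_exp * P / E[P] (his sigma0 cancels),
    so his posterior on t is that image of the range; Pi_0 is the privacy
    measure of his prior U[1, 6] mm."""
    rng = random.Random(seed)
    p_lo, p_hi = p_range_kN
    p_exp, t_exp = (p_lo + p_hi) / 2, sum(T_PRIOR) / 2
    prior = [rng.uniform(*T_PRIOR) for _ in range(n)]
    posterior = [t_exp * rng.uniform(p_lo, p_hi) / p_exp for _ in range(n)]
    return privacy_measure(posterior) / privacy_measure(prior)


if __name__ == "__main__":
    # The four revelations of Table 4, each compared with Bob's initial prior on P.
    for p_range in [(100, 500), (100, 370), (100, 330), (100, 300)]:
        print("P in %s kN  D_KL=%.3f  VI_est=%.2f  CI_est(t)=%.2f" % (
            p_range, kl_uniform(p_range, (100, 500)),
            alice_value_index(p_range), alice_confidentiality_index(p_range)))
```

Under these assumptions VI_est rises from 0 to about 0.9 and CI_est on t falls from about 0.93 to 0.70 as the revealed range narrows from [100,500] kN to [100,300] kN, the same qualitative trend as Table 4.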

After the value and confidentiality analysis is carried out, Alice may compare the Value and Confidentiality Indexes provided for various possible revelations of the parameter P. If some of the possible revelations are expected to fall within acceptable ranges for the indexes (subjectively defined by Alice), she may choose to make that revelation to Bob. For example, Alice may insist that VI_est > 0.5 and CI_est > 0.6 must hold for any revelation during the given iteration. Bob may have similar expectations before sharing any information on σ0 or γ.

5.2 Revealing information on thickness, t

A similar analysis may be carried out by Alice as she considers revealing information on t. In this case, the relevant distributions are constructed using the relationships between t, P, W, and d given in Equations 7 and 8.

During this analysis, Alice instead considers narrowing Bob’s information on t, and studies how that may affect his proposed value of d and therefore the expected result for W. The Value Index and the method are identical to those in Section 5.1.1, but instead the range of P is held constant while t is explored. Similarly, the confidentiality analysis and index are the same as those described in Section 5.1.2. As Alice estimates the effects of revealing various posteriors for t, the values for CI_est may be compared with the previous VI_est to arrive at worthwhile revelations for t, if they exist.

In the following section, we present results for a study carried out as described above, from Alice’s perspective, as well as a possible revelation strategy Alice may follow based on the results and her (personal) requirements for VI_est and CI_est for a given design iteration. Eleven possible revelation strategies are analyzed for both revealing P and revealing t; these strategies and the corresponding indexes used in Section 5.3 are reported in Table 3.



5.3 Alice’s Potential Revelation Strategy

Alice first considers revealing information according to the posterior ranges for P and t by providing Bob with successively smaller ranges of possible values for each parameter. As this information is revealed, Alice wishes to anticipate the change in the acceptability of the weight objective (Value Index) as well as the loss of confidentiality on the parameter she is not sharing (Confidentiality Index). Following the analysis procedure outlined earlier, Alice performs value and confidentiality analyses on various revelation scenarios for both parameters and studies the resulting values for VI_est and CI_est. Bob performs value analysis to prioritize requests for information from Alice. The results for these analyses are described in reference to the plots in Figures 8 and 9.

Consider first revealing information on P. The given initial range of P, with interval size 400 kN, initially yields a VI_est value of 0 (that is, Alice predicts no feasible solution for W given Bob’s prior knowledge; Figure 8a, Table 3). According to this analysis, the index is expected to rise dramatically for revelations narrowing this range to [200,300] kN, where a feasible (not necessarily optimal) design solution is expected to be inevitable. Compare this to the expected VI_est values for revealing t alone (Figure 9a), which suggest that a feasible design will not be produced for any revelation of t by Alice. This analysis reveals that, if information on t is not accompanied by information on P, the values of VI_est are not expected to increase. In both possible revelation paths, values of CI_est (Figures 8b, 9b) decrease steadily as information is revealed, as is expected for this relatively simple formulation. If Alice is to choose between revealing P and revealing t, these estimates suggest revealing information on P would yield more value for a given compromise on security. Bob’s expected values for P and t, given the proposed knowledge of the other, are plotted in Figure 10.

It is worth mentioning not only the effects of revealing information, but also the direction of revelation. For Bob’s P and t priors (Table 2), the true value of t is much closer to the expected value of t Bob would calculate via his prior, compared to the true value of P. Therefore, revelation of t from one direction only (such as lowering the upper bound on the revealed range and leaving the lower bound alone, as was considered in these trials) may skew Bob’s understanding of the problem in a more undesirable direction than similar revelations for P. Thus, in this scenario and for these revelations, P appears to be the more useful parameter to share.

Note that any participant’s revelation strategy may rely on the indexes calculated in this method, but will ultimately be decided by subjective criteria determined by the participants in a given scenario. Alice, based on the previous analysis, chooses only to reveal information about the value of P, successively narrowing the range provided to Bob. In this scenario, we assume Alice would first prioritize obtaining feasible solutions (driving VI_est above, say, 0.5) while also preserving reasonable security (ensuring CI_est does not drop by more than, say, 0.25 per revelation). Based on these assumptions, Alice may follow a four-iteration revelation strategy outlined in Table 4, arriving at a 100% expected probability of obtaining a feasible solution after the final revelation, with a final CI_est greater than 0.5.

In this scenario, as P is gradually revealed, Bob’s submissions for d become progressively less conservative, as expected. This results from Bob’s better understanding of P, and the decrease in the expected value of P as the range is narrowed from the upper bound. Note that, if the range was instead narrowed from the lower bound, the solution may actually suffer if not also supplemented with information on t. This lower-bound incrementation causes the slight dip in the VI plot in Figure 8a. This highlights the fact that participants must be cognizant of the implications of their revelations, and in particular whether they are driving a prior’s expected value in a helpful direction.

6 CLOSING COMMENTS

As globalization has encouraged unprecedented cooperation and collaboration in engineering design, it has also brought new concerns to light. One of them is the confidentiality of designers’ private information. Designers must be aware that the information they share could be used against their interests through leakage of sensitive information as much as it could help them reach a better solution. In this paper, we proposed one possible approach for quantifying such trade-offs. We also demonstrated our approach using a simple collaborative design problem where the tradeoff between confidentiality and value must be considered. However, our method of application to this framework has the following limitations:

1. Our method uses metrics that are suited for bounded pdfs.

2. This method only addresses scenarios where all participants know the relations between parameters involved in the design problem.

Here, our focus is to introduce the notion of a tradeoff between confidentiality and value in collaborative design. The proposed method using the same framework can be further extended to the following scenarios:

1. Addressing design scenarios with more than two collaborators, with more complex information sharing and confidentiality scenarios including those with ambiguous relationships between various parameters in the model.

2. Addressing the recursive properties of inferring various parameters during information exchange, which were not addressed in this paper. In particular, as more parameters are introduced, the nature of inferences becomes more complex, and the tradeoff between computational time spent on inference and the value of the inferences may need further analysis.

3. Addressing objective functions with more than one term. In particular, the weights associated with each term may differ between collaborators, and may be modeled as private parameters.

4. Addressing competitive scenarios, where (in early design) Alice may consider several material designers and use this approach to determine the most suitable collaborator while revealing minimal information.

FIGURE 8. VI results (a) and CI results (b) for sharing P

FIGURE 9. VI results (a) and CI results (b) for sharing t (no VI benefit if information on P is not shared)

FIGURE 10. Bob’s expected values for t (a) and P (b) due to revelations of the opposite parameter

TABLE 3. Revelation strategies considered by Alice for parameters P and t

Strategy index   P (kN) [low, high]   t (mm) [low, high]
1                [100, 470]           [1.0, 5.5]
2                [100, 430]           [1.0, 5.0]
3                [100, 400]           [1.0, 4.5]
4                [100, 370]           [1.0, 4.0]
5                [100, 330]           [1.0, 3.5]
6                [100, 300]           [1.0, 3.2]
7                [100, 270]           [1.0, 3.0]
8                [120, 250]           [1.5, 3.0]
9                [120, 200]           [1.5, 2.7]
10               [120, 170]           [2.0, 2.7]
11               [148, 152]           [2.52, 2.56]

TABLE 4. Results for Alice’s Revelation Strategy (revealing P only, comparison to initial information)

P revealed (kN)   VI_expected   CI_expected on t   d_submitted   VI_realized   Bob’s t estimate (deviation)
[100, 500]        0.00          1.00               81.0 mm       0.00          3.43 mm (+35.4%)
[100, 370]        0.21          0.76               72.8 mm       0.23          2.69 mm (+5.7%)
[100, 330]        0.54          0.67               69.5 mm       0.72          2.48 mm (−2.6%)
[100, 300]        0.79          0.53               67.2 mm       1.00          2.29 mm (−9.7%)

We believe that this trade-off analysis is important to enable collaborations across enterprise and national boundaries. As this line of study develops, results will empower designers to better control the flow of information during collaborative design and ensure shared information does quantitatively more good than harm.

ACKNOWLEDGMENT

Portions of this work were supported by National Science Foundation Grants CPS-1329979, CNS-0915436, CMMI-1265622, Science and Technology Center CCF-0939370; and by sponsors of the Center for Education and Research in Information Assurance and Security. The statements made herein are solely the responsibility of the authors.

REFERENCES

[1] Lee, H. L., So, K. C., and Tang, C. S., 2000. “The value of information sharing in a two-level supply chain”. Management Science, 46(5), pp. 626–643.

[2] Huang, G. Q., Lau, J. S., and Mak, K., 2003. “The impacts of sharing production information on supply chain dynamics: a review of the literature”. International Journal of Production Research, 41(7), pp. 1483–1517.

[3] Fiala, P., 2005. “Information sharing in supply chains”. Omega, 33(5), pp. 419–423.

[4] Hoecht, A., and Trott, P., 2006. “Outsourcing, information leakage and the risk of losing technology-based competencies”. European Business Review, 18(5), pp. 395–412.

[5] Anand, K. S., and Goyal, M., 2009. “Strategic information management under leakage in a supply chain”. Management Science, 55(3), pp. 438–452.

[6] Zhang, D. Y., Zeng, Y., Wang, L., Li, H., and Geng, Y., 2011. “Modeling and evaluating information leakage caused by inferences in supply chains”. Computers in Industry, 62(3), pp. 351–363.

[7] Chow, R., Golle, P., Jakobsson, M., Shi, E., Staddon, J., Masuoka, R., and Molina, J., 2009. “Controlling data in the cloud: Outsourcing computation without outsourcing control”. In Proceedings of the 2009 ACM Workshop on Cloud Computing Security, CCSW ’09, ACM, pp. 85–90.

[8] Du, W., and Atallah, M. J., 2001. “Secure multi-party computation problems and their applications: a review and open problems”. In Proceedings of the 2001 Workshop on New Security Paradigms, ACM, pp. 13–22.

[9] Gentry, C., 2009. “A fully homomorphic encryption scheme”. PhD thesis, Stanford University.

[10] Huang, Y., Evans, D., Katz, J., and Malka, L., 2011. “Faster secure two-party computation using garbled circuits”. In USENIX Security Symposium, Vol. 201.

[11] Sweeney, L., 2002. “Achieving k-anonymity privacy protection using generalization and suppression”. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(05), pp. 571–588.

[12] Atallah, M. J., Elmongui, H. G., Deshpande, V., and Schwarz, L. B., 2003. “Secure supply-chain protocols”. In E-Commerce, 2003. CEC 2003. IEEE International Conference on, IEEE, pp. 293–302.

[13] Wang, S., Bhandari, S., Atallah, M., Panchal, J. H., and Ramani, K., 2014. “Secure collaboration in engineering systems design”. In Volume 1B: 34th Computers and Information in Engineering Conference, ASME International.

[14] Wang, Y., Ajoku, P. N., Brustoloni, J. C., and Nnaji, B. O.,2006. “Intellectual property protection in collaborative de-sign through lean information modeling and sharing”. Jour-nal of computing and information science in engineering,6(2), pp. 149–159.

[15] Bertram, S., Boniface, M., Surridge, M., Briscombe, N.,and Hall-May, M., 2010. “On-demand dynamic security forrisk-based secure collaboration in clouds”. In Cloud Com-puting (CLOUD), 2010 IEEE 3rd International Conference

14 Copyright c© 2016 by ASME

Page 15: CONFIDENTIALITY MANAGEMENT IN COLLABORATIVE DESIGN · Proceedings of the ASME 2016 International Design Engineering Technical Conferences & Computers and Information in Engineering

on, IEEE, pp. 518–525.[16] Rouibah, K., and Ould-Ali, S., 2007. “Dynamic data shar-

ing and security in a collaborative product definition man-agement system”. Robotics and Computer-Integrated Man-ufacturing, 23(2), pp. 217–233.

[17] Li, S., and Mirhosseini, M., 2012. “A matrix-based mod-ularization approach for supporting secure collaboration inparametric design”. Computers in Industry, 63(6), pp. 619–631.

[18] Zeng, Y., Wang, L., Deng, X., Cao, X., and Khundker,N., 2012. “Secure collaboration in global design and sup-ply chain environment: Problem analysis and literature re-view”. Computers in Industry, 63(6), pp. 545–556.

[19] Zhang, D. Y., Cao, X., Wang, L., and Zeng, Y., 2012. “Mit-igating the risk of information leakage in a two-level supplychain through optimal supplier selection”. Journal of Intel-ligent Manufacturing, 23(4), pp. 1351–1364.

[20] Cao, X., and Zeng, Y., 2011. “Detecting risk of intellectualproperty (ip) leakage due to reverse design in collaborativeproduct development environments”. In ASME 2011 In-ternational Design Engineering Technical Conferences andComputers and Information in Engineering Conference,American Society of Mechanical Engineers, pp. 1389–1399.

[21] Rastogi, V., Suciu, D., and Hong, S., 2007. “The boundarybetween privacy and utility in data publishing”. In Proceed-ings of the 33rd international conference on Very large databases, VLDB Endowment, pp. 531–542.

[22] Vincent, T. L., 1983. “Game theory as a design tool”. Jour-nal of Mechanisms, Transmissions, and Automation in De-sign, 105(2), pp. 165–170.

[23] Lewis, K., and Mistree, F., 1998. “Collaborative, sequen-tial, and isolated decisions in design”. Journal of Mechan-ical Design, 120(4), pp. 643–652.

[24] Xiao, A., Zeng, S., Allen, J. K., Rosen, D. W., and Mistree,F., 2005. “Collaborative multidisciplinary decision makingusing game theory and design capability indices”. Researchin Engineering Design, 16(1-2), pp. 57–72.

[25] Chanron, V., and Lewis, K., 2005. “A study of convergencein decentralized design processes”. Research in Engineer-ing Design, 16(3), pp. 133–145.

[26] Agrawal, D., and Aggarwal, C. C., 2001. “On the designand quantification of privacy preserving data mining algo-rithms”. In Proceedings of the twentieth ACM SIGMOD-SIGACT-SIGART symposium on Principles of databasesystems, ACM, pp. 247–255.

[27] Save, M., and Prager, W., 1990. Structural Optimization:Volume 2: Mathematical Programming, Vol. 40. SpringerScience & Business Media.

15 Copyright c© 2016 by ASME