Workshop RELAW 2012 – Author Index
Aldea, Arantza
Krishna Sapkota, Arantza Aldea, Muhammad Younas, David A. Duce, and René Bañares-Alcántara (Oxford Brookes University, UK; University of Oxford, UK) Extracting essential meaning from the regulatory text helps in the automation of the Compliance Management (CM) process. CM is a process where organizations assure that the processes are run according to requirements and expectations. However, extraction of meaningful text from regulatory guidelines comes with many research challenges such as dealing with different document-format, implicit document-structure, textual ambiguity and complexity. In this paper, the extended version of the Semantic-ART framework is described, which focuses on tackling the challenges of document-structure identification and regulatory-entity extraction. An initial result has shown an inspirational result as compared to the previous version of the framework.
|
Alhaj, Mohammad
Edna Braun, Nick Cartwright, Azalia Shamsaei, Saeed Ahmadi Behnam, Greg Richards, Gunter Mussbacher, Mohammad Alhaj, and Rasha Tawhid (Transport Canada, Canada; University of Ottawa, Canada; Carleton University, Canada) The performance modeling of regulations is a relatively recent innovation. However, as regulators in many domains increasingly look to move from prescriptive regulations towards more outcome-based regulations, the use of performance modeling will become more commonplace. The major difference of outcome-based regulations over prescriptive regulations is that the main interest lies in specifying clear objectives of the regulations and measuring whether regulated parties achieve these objectives, while leaving much freedom to the regulated party on how to meet these objectives. Recently, we have found that the use of performance modeling provides benefits such as revealing inconsistencies and lack of clarity in existing regulatory language. In this paper, we report on these experiences, summarize guidelines for the modeling of regulations, and examine whether the current drafting processes for regulations are optimized to take advantage of these additional benefits. We explore the advantages and disadvantages of various ways of augmenting the current approach with goal-oriented modeling of regulations. Based on our experience with Aviation Security regulations, we believe it is time for modeling to play a new role in helping to guide the drafting of regulations.
|
Alspaugh, Thomas A.
Thomas A. Alspaugh, Walt Scacchi, and Rihoko Kawai (UC Irvine, USA; Saitama Institute of Technology, Japan; National Institute of Informatics, Japan) Software licensing issues for a system design, instantiation, or configuration are often complex and difficult to evaluate, and mistakes can be costly. Automated assistance requires a formal representation of the significant features of the software licenses involved. We present results from an analysis directed toward a formal representation capable of covering an entire license. The key to such a representation is to identify the license's actions, and relate them to the actions for exclusive rights defined in law and to the actions defined in other licenses. Parameterizing each action by the object(s) acted on, the instrumental entities through which the action is performed, and similar contextual variables enables a subsumption relation among the actions. The resulting formalism is lightweight, flexible enough to support the scope of legal interpretations, and extensible to a wide range of software licenses. We discuss the application of our approach to the Lesser General Public License (LGPL) version 2.1.
Thomas A. Alspaugh and Walt Scacchi (UC Irvine, USA) There exist legal structures defining the exclusive rights of authors, and means for licensing portions of them to others in exchange for appropriate obligations. We propose an analogous approach for security, in which portions of exclusive security rights owned by system stakeholders may be licensed as needed to others, in exchange for appropriate security obligations. Copyright defines exclusive rights to reproduce, distribute, and produce derivative works, among others. We envision exclusive security rights that might include the right to access a system, the right to run specific programs, and the right to update specific programs or data, among others. Such an approach uses the existing legal structures of licenses and contracts to manage security, as copyright licenses are used to manage copyrights. At present there is no law of "security right" as there is a law of copyright, but with the increasing prevalence and prominence of security attacks and abuses, of which Stuxnet and Flame are merely the best known recent examples, such legislation is not implausible. We discuss kinds of security rights and obligations that might produce fruitful results, and how a license structure and approach might prove more effective than security policies.
|
Antón, Annie I.
Jessica Young Schmidt, Annie I. Antón, and Julia B. Earp (North Carolina State University, USA) In the United States, organizations can be held liable by the Federal Trade Commission for the statements they make in their privacy policies. Thus, organizations must include their privacy policies as a source of requirements in order to build systems that are policy-compliant. In this paper, we describe an empirical user study in which we measure the ability of requirements engineers to effectively extract compliance requirements from a privacy policy using one of three analysis approaches—CPR (commitment, privilege, and right) analysis, goal-based analysis, and non-method-assisted (control) analysis. The results of these three approaches were then compared to an expert-produced set of expected compliance requirements. The requirements extracted by the CPR subjects reflected a higher percentage of requirements that were expected compliance requirements as well as a higher percentage of the total expected compliance requirements. In contrast, the goal-based and control subjects produced a higher number of synthesized requirements, or requirements not directly derived from the policy than the CPR subjects. This larger number of synthesized requirements may be attributed to the fact that these two subject groups employed more inquiry-driven approaches than the CPR subjects who relied primarily on focused and direct extraction of compliance requirements.
|
Bañares-Alcántara, René
Krishna Sapkota, Arantza Aldea, Muhammad Younas, David A. Duce, and René Bañares-Alcántara (Oxford Brookes University, UK; University of Oxford, UK) Extracting essential meaning from the regulatory text helps in the automation of the Compliance Management (CM) process. CM is a process where organizations assure that the processes are run according to requirements and expectations. However, extraction of meaningful text from regulatory guidelines comes with many research challenges such as dealing with different document-format, implicit document-structure, textual ambiguity and complexity. In this paper, the extended version of the Semantic-ART framework is described, which focuses on tackling the challenges of document-structure identification and regulatory-entity extraction. An initial result has shown an inspirational result as compared to the previous version of the framework.
|
Baudry, Benoit
Nicolas Sannier and Benoit Baudry (EDF, France; INRIA, France) Safety systems in nuclear industry must conform to an increasing set of regulatory requirements. These requirements are scattered throughout multiple documents expressing different levels of requirements or different kinds of requirements. Consequently, when licensees want to extract the set of regulations related to a specific concern, they lack explicit traces between all regulation documents and mostly get lost while attempting to compare two different regulatory corpora. This paper presents the regulatory landscape in the context of digital Instrumentation and Command systems in nuclear power plants. To cope with this complexity, we define and discuss challenges toward an approach based on information retrieval techniques to first narrow the regulatory research space into themes and then assist the recovery of these traceability links.
|
Behnam, Saeed Ahmadi
Edna Braun, Nick Cartwright, Azalia Shamsaei, Saeed Ahmadi Behnam, Greg Richards, Gunter Mussbacher, Mohammad Alhaj, and Rasha Tawhid (Transport Canada, Canada; University of Ottawa, Canada; Carleton University, Canada) The performance modeling of regulations is a relatively recent innovation. However, as regulators in many domains increasingly look to move from prescriptive regulations towards more outcome-based regulations, the use of performance modeling will become more commonplace. The major difference of outcome-based regulations over prescriptive regulations is that the main interest lies in specifying clear objectives of the regulations and measuring whether regulated parties achieve these objectives, while leaving much freedom to the regulated party on how to meet these objectives. Recently, we have found that the use of performance modeling provides benefits such as revealing inconsistencies and lack of clarity in existing regulatory language. In this paper, we report on these experiences, summarize guidelines for the modeling of regulations, and examine whether the current drafting processes for regulations are optimized to take advantage of these additional benefits. We explore the advantages and disadvantages of various ways of augmenting the current approach with goal-oriented modeling of regulations. Based on our experience with Aviation Security regulations, we believe it is time for modeling to play a new role in helping to guide the drafting of regulations.
|
Braun, Edna
Edna Braun, Nick Cartwright, Azalia Shamsaei, Saeed Ahmadi Behnam, Greg Richards, Gunter Mussbacher, Mohammad Alhaj, and Rasha Tawhid (Transport Canada, Canada; University of Ottawa, Canada; Carleton University, Canada) The performance modeling of regulations is a relatively recent innovation. However, as regulators in many domains increasingly look to move from prescriptive regulations towards more outcome-based regulations, the use of performance modeling will become more commonplace. The major difference of outcome-based regulations over prescriptive regulations is that the main interest lies in specifying clear objectives of the regulations and measuring whether regulated parties achieve these objectives, while leaving much freedom to the regulated party on how to meet these objectives. Recently, we have found that the use of performance modeling provides benefits such as revealing inconsistencies and lack of clarity in existing regulatory language. In this paper, we report on these experiences, summarize guidelines for the modeling of regulations, and examine whether the current drafting processes for regulations are optimized to take advantage of these additional benefits. We explore the advantages and disadvantages of various ways of augmenting the current approach with goal-oriented modeling of regulations. Based on our experience with Aviation Security regulations, we believe it is time for modeling to play a new role in helping to guide the drafting of regulations.
|
Cartwright, Nick
Edna Braun, Nick Cartwright, Azalia Shamsaei, Saeed Ahmadi Behnam, Greg Richards, Gunter Mussbacher, Mohammad Alhaj, and Rasha Tawhid (Transport Canada, Canada; University of Ottawa, Canada; Carleton University, Canada) The performance modeling of regulations is a relatively recent innovation. However, as regulators in many domains increasingly look to move from prescriptive regulations towards more outcome-based regulations, the use of performance modeling will become more commonplace. The major difference of outcome-based regulations over prescriptive regulations is that the main interest lies in specifying clear objectives of the regulations and measuring whether regulated parties achieve these objectives, while leaving much freedom to the regulated party on how to meet these objectives. Recently, we have found that the use of performance modeling provides benefits such as revealing inconsistencies and lack of clarity in existing regulatory language. In this paper, we report on these experiences, summarize guidelines for the modeling of regulations, and examine whether the current drafting processes for regulations are optimized to take advantage of these additional benefits. We explore the advantages and disadvantages of various ways of augmenting the current approach with goal-oriented modeling of regulations. Based on our experience with Aviation Security regulations, we believe it is time for modeling to play a new role in helping to guide the drafting of regulations.
|
Dietsch, Daniel
Bernd Westphal, Daniel Dietsch, Sergio Feo-Arenis, Andreas Podelski, Louis Pahlow, Jochen Morsbach, Barbara Sommer, Anke Fuchs, and Christine Meierhöfer (University of Freiburg, Germany; Saarland University, Germany; University of Mannheim, Germany) Many small to medium sized enterprises (SMEs) that specialise in electrical or communications engineering are challenged by the increasing importance of software in their products. Although they have a strong interest in subcontracting competent partners for software development tasks, they tend to refrain from doing so. In this paper we identify three main reasons for this situation, propose an approach to overcome some of them and state remaining challenges. Those reasons are situated in the intersection of software engineering and jurisprudence and therefore need to be addressed in an integrated and multidisciplinary fashion.
|
Duce, David A.
Krishna Sapkota, Arantza Aldea, Muhammad Younas, David A. Duce, and René Bañares-Alcántara (Oxford Brookes University, UK; University of Oxford, UK) Extracting essential meaning from the regulatory text helps in the automation of the Compliance Management (CM) process. CM is a process where organizations assure that the processes are run according to requirements and expectations. However, extraction of meaningful text from regulatory guidelines comes with many research challenges such as dealing with different document-format, implicit document-structure, textual ambiguity and complexity. In this paper, the extended version of the Semantic-ART framework is described, which focuses on tackling the challenges of document-structure identification and regulatory-entity extraction. An initial result has shown an inspirational result as compared to the previous version of the framework.
|
Earp, Julia B.
Jessica Young Schmidt, Annie I. Antón, and Julia B. Earp (North Carolina State University, USA) In the United States, organizations can be held liable by the Federal Trade Commission for the statements they make in their privacy policies. Thus, organizations must include their privacy policies as a source of requirements in order to build systems that are policy-compliant. In this paper, we describe an empirical user study in which we measure the ability of requirements engineers to effectively extract compliance requirements from a privacy policy using one of three analysis approaches—CPR (commitment, privilege, and right) analysis, goal-based analysis, and non-method-assisted (control) analysis. The results of these three approaches were then compared to an expert-produced set of expected compliance requirements. The requirements extracted by the CPR subjects reflected a higher percentage of requirements that were expected compliance requirements as well as a higher percentage of the total expected compliance requirements. In contrast, the goal-based and control subjects produced a higher number of synthesized requirements, or requirements not directly derived from the policy than the CPR subjects. This larger number of synthesized requirements may be attributed to the fact that these two subject groups employed more inquiry-driven approaches than the CPR subjects who relied primarily on focused and direct extraction of compliance requirements.
|
Feo-Arenis, Sergio
Bernd Westphal, Daniel Dietsch, Sergio Feo-Arenis, Andreas Podelski, Louis Pahlow, Jochen Morsbach, Barbara Sommer, Anke Fuchs, and Christine Meierhöfer (University of Freiburg, Germany; Saarland University, Germany; University of Mannheim, Germany) Many small to medium sized enterprises (SMEs) that specialise in electrical or communications engineering are challenged by the increasing importance of software in their products. Although they have a strong interest in subcontracting competent partners for software development tasks, they tend to refrain from doing so. In this paper we identify three main reasons for this situation, propose an approach to overcome some of them and state remaining challenges. Those reasons are situated in the intersection of software engineering and jurisprudence and therefore need to be addressed in an integrated and multidisciplinary fashion.
|
Fuchs, Anke
Bernd Westphal, Daniel Dietsch, Sergio Feo-Arenis, Andreas Podelski, Louis Pahlow, Jochen Morsbach, Barbara Sommer, Anke Fuchs, and Christine Meierhöfer (University of Freiburg, Germany; Saarland University, Germany; University of Mannheim, Germany) Many small to medium sized enterprises (SMEs) that specialise in electrical or communications engineering are challenged by the increasing importance of software in their products. Although they have a strong interest in subcontracting competent partners for software development tasks, they tend to refrain from doing so. In this paper we identify three main reasons for this situation, propose an approach to overcome some of them and state remaining challenges. Those reasons are situated in the intersection of software engineering and jurisprudence and therefore need to be addressed in an integrated and multidisciplinary fashion.
|
Ghanavati, Sepideh
André Rifaut and Sepideh Ghanavati (CRP Henri Tudor, Luxembourg; University of Ottawa, Canada) In recent years, intentional models have been adapted to capture and analyze compliance needs and requirements. Furthermore, intentional models have been used to identify the impact of regulations on organizational goals by helping to elicit different alternatives about the business operations supported by compliant business processes and services. In other works, intentional models based on measurement-frameworks have provided well-structured models of regulations and compliance alternatives. This paper integrates Goal-Oriented Requirements Language (GRL)-based methodologies with measurement-based methodologies to improve support for comparing regulations sharing the same concerns via the (measurement) objectivity.
|
Kawai, Rihoko
Thomas A. Alspaugh, Walt Scacchi, and Rihoko Kawai (UC Irvine, USA; Saitama Institute of Technology, Japan; National Institute of Informatics, Japan) Software licensing issues for a system design, instantiation, or configuration are often complex and difficult to evaluate, and mistakes can be costly. Automated assistance requires a formal representation of the significant features of the software licenses involved. We present results from an analysis directed toward a formal representation capable of covering an entire license. The key to such a representation is to identify the license's actions, and relate them to the actions for exclusive rights defined in law and to the actions defined in other licenses. Parameterizing each action by the object(s) acted on, the instrumental entities through which the action is performed, and similar contextual variables enables a subsumption relation among the actions. The resulting formalism is lightweight, flexible enough to support the scope of legal interpretations, and extensible to a wide range of software licenses. We discuss the application of our approach to the Lesser General Public License (LGPL) version 2.1.
|
Meierhöfer, Christine
Bernd Westphal, Daniel Dietsch, Sergio Feo-Arenis, Andreas Podelski, Louis Pahlow, Jochen Morsbach, Barbara Sommer, Anke Fuchs, and Christine Meierhöfer (University of Freiburg, Germany; Saarland University, Germany; University of Mannheim, Germany) Many small to medium sized enterprises (SMEs) that specialise in electrical or communications engineering are challenged by the increasing importance of software in their products. Although they have a strong interest in subcontracting competent partners for software development tasks, they tend to refrain from doing so. In this paper we identify three main reasons for this situation, propose an approach to overcome some of them and state remaining challenges. Those reasons are situated in the intersection of software engineering and jurisprudence and therefore need to be addressed in an integrated and multidisciplinary fashion.
|
Morsbach, Jochen
Bernd Westphal, Daniel Dietsch, Sergio Feo-Arenis, Andreas Podelski, Louis Pahlow, Jochen Morsbach, Barbara Sommer, Anke Fuchs, and Christine Meierhöfer (University of Freiburg, Germany; Saarland University, Germany; University of Mannheim, Germany) Many small to medium sized enterprises (SMEs) that specialise in electrical or communications engineering are challenged by the increasing importance of software in their products. Although they have a strong interest in subcontracting competent partners for software development tasks, they tend to refrain from doing so. In this paper we identify three main reasons for this situation, propose an approach to overcome some of them and state remaining challenges. Those reasons are situated in the intersection of software engineering and jurisprudence and therefore need to be addressed in an integrated and multidisciplinary fashion.
|
Mussbacher, Gunter
Edna Braun, Nick Cartwright, Azalia Shamsaei, Saeed Ahmadi Behnam, Greg Richards, Gunter Mussbacher, Mohammad Alhaj, and Rasha Tawhid (Transport Canada, Canada; University of Ottawa, Canada; Carleton University, Canada) The performance modeling of regulations is a relatively recent innovation. However, as regulators in many domains increasingly look to move from prescriptive regulations towards more outcome-based regulations, the use of performance modeling will become more commonplace. The major difference of outcome-based regulations over prescriptive regulations is that the main interest lies in specifying clear objectives of the regulations and measuring whether regulated parties achieve these objectives, while leaving much freedom to the regulated party on how to meet these objectives. Recently, we have found that the use of performance modeling provides benefits such as revealing inconsistencies and lack of clarity in existing regulatory language. In this paper, we report on these experiences, summarize guidelines for the modeling of regulations, and examine whether the current drafting processes for regulations are optimized to take advantage of these additional benefits. We explore the advantages and disadvantages of various ways of augmenting the current approach with goal-oriented modeling of regulations. Based on our experience with Aviation Security regulations, we believe it is time for modeling to play a new role in helping to guide the drafting of regulations.
|
Pahlow, Louis
Bernd Westphal, Daniel Dietsch, Sergio Feo-Arenis, Andreas Podelski, Louis Pahlow, Jochen Morsbach, Barbara Sommer, Anke Fuchs, and Christine Meierhöfer (University of Freiburg, Germany; Saarland University, Germany; University of Mannheim, Germany) Many small to medium sized enterprises (SMEs) that specialise in electrical or communications engineering are challenged by the increasing importance of software in their products. Although they have a strong interest in subcontracting competent partners for software development tasks, they tend to refrain from doing so. In this paper we identify three main reasons for this situation, propose an approach to overcome some of them and state remaining challenges. Those reasons are situated in the intersection of software engineering and jurisprudence and therefore need to be addressed in an integrated and multidisciplinary fashion.
|
Podelski, Andreas
Bernd Westphal, Daniel Dietsch, Sergio Feo-Arenis, Andreas Podelski, Louis Pahlow, Jochen Morsbach, Barbara Sommer, Anke Fuchs, and Christine Meierhöfer (University of Freiburg, Germany; Saarland University, Germany; University of Mannheim, Germany) Many small to medium sized enterprises (SMEs) that specialise in electrical or communications engineering are challenged by the increasing importance of software in their products. Although they have a strong interest in subcontracting competent partners for software development tasks, they tend to refrain from doing so. In this paper we identify three main reasons for this situation, propose an approach to overcome some of them and state remaining challenges. Those reasons are situated in the intersection of software engineering and jurisprudence and therefore need to be addressed in an integrated and multidisciplinary fashion.
|
Richards, Greg
Edna Braun, Nick Cartwright, Azalia Shamsaei, Saeed Ahmadi Behnam, Greg Richards, Gunter Mussbacher, Mohammad Alhaj, and Rasha Tawhid (Transport Canada, Canada; University of Ottawa, Canada; Carleton University, Canada) The performance modeling of regulations is a relatively recent innovation. However, as regulators in many domains increasingly look to move from prescriptive regulations towards more outcome-based regulations, the use of performance modeling will become more commonplace. The major difference of outcome-based regulations over prescriptive regulations is that the main interest lies in specifying clear objectives of the regulations and measuring whether regulated parties achieve these objectives, while leaving much freedom to the regulated party on how to meet these objectives. Recently, we have found that the use of performance modeling provides benefits such as revealing inconsistencies and lack of clarity in existing regulatory language. In this paper, we report on these experiences, summarize guidelines for the modeling of regulations, and examine whether the current drafting processes for regulations are optimized to take advantage of these additional benefits. We explore the advantages and disadvantages of various ways of augmenting the current approach with goal-oriented modeling of regulations. Based on our experience with Aviation Security regulations, we believe it is time for modeling to play a new role in helping to guide the drafting of regulations.
|
Rifaut, André
André Rifaut and Sepideh Ghanavati (CRP Henri Tudor, Luxembourg; University of Ottawa, Canada) In recent years, intentional models have been adapted to capture and analyze compliance needs and requirements. Furthermore, intentional models have been used to identify the impact of regulations on organizational goals by helping to elicit different alternatives about the business operations supported by compliant business processes and services. In other works, intentional models based on measurement-frameworks have provided well-structured models of regulations and compliance alternatives. This paper integrates Goal-Oriented Requirements Language (GRL)-based methodologies with measurement-based methodologies to improve support for comparing regulations sharing the same concerns via the (measurement) objectivity.
|
Sannier, Nicolas
Nicolas Sannier and Benoit Baudry (EDF, France; INRIA, France) Safety systems in nuclear industry must conform to an increasing set of regulatory requirements. These requirements are scattered throughout multiple documents expressing different levels of requirements or different kinds of requirements. Consequently, when licensees want to extract the set of regulations related to a specific concern, they lack explicit traces between all regulation documents and mostly get lost while attempting to compare two different regulatory corpora. This paper presents the regulatory landscape in the context of digital Instrumentation and Command systems in nuclear power plants. To cope with this complexity, we define and discuss challenges toward an approach based on information retrieval techniques to first narrow the regulatory research space into themes and then assist the recovery of these traceability links.
|
Sapkota, Krishna
Krishna Sapkota, Arantza Aldea, Muhammad Younas, David A. Duce, and René Bañares-Alcántara (Oxford Brookes University, UK; University of Oxford, UK) Extracting essential meaning from the regulatory text helps in the automation of the Compliance Management (CM) process. CM is a process where organizations assure that the processes are run according to requirements and expectations. However, extraction of meaningful text from regulatory guidelines comes with many research challenges such as dealing with different document-format, implicit document-structure, textual ambiguity and complexity. In this paper, the extended version of the Semantic-ART framework is described, which focuses on tackling the challenges of document-structure identification and regulatory-entity extraction. An initial result has shown an inspirational result as compared to the previous version of the framework.
|
Scacchi, Walt
Thomas A. Alspaugh, Walt Scacchi, and Rihoko Kawai (UC Irvine, USA; Saitama Institute of Technology, Japan; National Institute of Informatics, Japan) Software licensing issues for a system design, instantiation, or configuration are often complex and difficult to evaluate, and mistakes can be costly. Automated assistance requires a formal representation of the significant features of the software licenses involved. We present results from an analysis directed toward a formal representation capable of covering an entire license. The key to such a representation is to identify the license's actions, and relate them to the actions for exclusive rights defined in law and to the actions defined in other licenses. Parameterizing each action by the object(s) acted on, the instrumental entities through which the action is performed, and similar contextual variables enables a subsumption relation among the actions. The resulting formalism is lightweight, flexible enough to support the scope of legal interpretations, and extensible to a wide range of software licenses. We discuss the application of our approach to the Lesser General Public License (LGPL) version 2.1.
Thomas A. Alspaugh and Walt Scacchi (UC Irvine, USA) There exist legal structures defining the exclusive rights of authors, and means for licensing portions of them to others in exchange for appropriate obligations. We propose an analogous approach for security, in which portions of exclusive security rights owned by system stakeholders may be licensed as needed to others, in exchange for appropriate security obligations. Copyright defines exclusive rights to reproduce, distribute, and produce derivative works, among others. We envision exclusive security rights that might include the right to access a system, the right to run specific programs, and the right to update specific programs or data, among others. Such an approach uses the existing legal structures of licenses and contracts to manage security, as copyright licenses are used to manage copyrights. At present there is no law of "security right" as there is a law of copyright, but with the increasing prevalence and prominence of security attacks and abuses, of which Stuxnet and Flame are merely the best known recent examples, such legislation is not implausible. We discuss kinds of security rights and obligations that might produce fruitful results, and how a license structure and approach might prove more effective than security policies.
|
Schmidt, Jessica Young |
Jessica Young Schmidt, Annie I. Antón, and Julia B. Earp (North Carolina State University, USA) In the United States, organizations can be held liable by the Federal Trade Commission for the statements they make in their privacy policies. Thus, organizations must include their privacy policies as a source of requirements in order to build systems that are policy-compliant. In this paper, we describe an empirical user study in which we measure the ability of requirements engineers to effectively extract compliance requirements from a privacy policy using one of three analysis approaches—CPR (commitment, privilege, and right) analysis, goal-based analysis, and non-method-assisted (control) analysis. The results of these three approaches were then compared to an expert-produced set of expected compliance requirements. The requirements extracted by the CPR subjects reflected a higher percentage of requirements that were expected compliance requirements as well as a higher percentage of the total expected compliance requirements. In contrast, the goal-based and control subjects produced a higher number of synthesized requirements, or requirements not directly derived from the policy, than the CPR subjects. This larger number of synthesized requirements may be attributed to the fact that these two subject groups employed more inquiry-driven approaches than the CPR subjects who relied primarily on focused and direct extraction of compliance requirements. |
|
Shamsaei, Azalia |
Edna Braun, Nick Cartwright, Azalia Shamsaei, Saeed Ahmadi Behnam, Greg Richards, Gunter Mussbacher, Mohammad Alhaj, and Rasha Tawhid (Transport Canada, Canada; University of Ottawa, Canada; Carleton University, Canada) The performance modeling of regulations is a relatively recent innovation. However, as regulators in many domains increasingly look to move from prescriptive regulations towards more outcome-based regulations, the use of performance modeling will become more commonplace. The major difference of outcome-based regulations over prescriptive regulations is that the main interest lies in specifying clear objectives of the regulations and measuring whether regulated parties achieve these objectives, while leaving much freedom to the regulated party on how to meet these objectives. Recently, we have found that the use of performance modeling provides benefits such as revealing inconsistencies and lack of clarity in existing regulatory language. In this paper, we report on these experiences, summarize guidelines for the modeling of regulations, and examine whether the current drafting processes for regulations are optimized to take advantage of these additional benefits. We explore the advantages and disadvantages of various ways of augmenting the current approach with goal-oriented modeling of regulations. Based on our experience with Aviation Security regulations, we believe it is time for modeling to play a new role in helping to guide the drafting of regulations. |
|
Sommer, Barbara |
Bernd Westphal, Daniel Dietsch, Sergio Feo-Arenis, Andreas Podelski, Louis Pahlow, Jochen Morsbach, Barbara Sommer, Anke Fuchs, and Christine Meierhöfer (University of Freiburg, Germany; Saarland University, Germany; University of Mannheim, Germany) Many small to medium sized enterprises (SMEs) that specialise in electrical or communications engineering are challenged by the increasing importance of software in their products. Although they have a strong interest in subcontracting competent partners for software development tasks, they tend to refrain from doing so. In this paper we identify three main reasons for this situation, propose an approach to overcome some of them and state remaining challenges. Those reasons are situated in the intersection of software engineering and jurisprudence and therefore need to be addressed in an integrated and multidisciplinary fashion. |
|
Tawhid, Rasha |
Edna Braun, Nick Cartwright, Azalia Shamsaei, Saeed Ahmadi Behnam, Greg Richards, Gunter Mussbacher, Mohammad Alhaj, and Rasha Tawhid (Transport Canada, Canada; University of Ottawa, Canada; Carleton University, Canada) The performance modeling of regulations is a relatively recent innovation. However, as regulators in many domains increasingly look to move from prescriptive regulations towards more outcome-based regulations, the use of performance modeling will become more commonplace. The major difference of outcome-based regulations over prescriptive regulations is that the main interest lies in specifying clear objectives of the regulations and measuring whether regulated parties achieve these objectives, while leaving much freedom to the regulated party on how to meet these objectives. Recently, we have found that the use of performance modeling provides benefits such as revealing inconsistencies and lack of clarity in existing regulatory language. In this paper, we report on these experiences, summarize guidelines for the modeling of regulations, and examine whether the current drafting processes for regulations are optimized to take advantage of these additional benefits. We explore the advantages and disadvantages of various ways of augmenting the current approach with goal-oriented modeling of regulations. Based on our experience with Aviation Security regulations, we believe it is time for modeling to play a new role in helping to guide the drafting of regulations. |
|
Westphal, Bernd |
Bernd Westphal, Daniel Dietsch, Sergio Feo-Arenis, Andreas Podelski, Louis Pahlow, Jochen Morsbach, Barbara Sommer, Anke Fuchs, and Christine Meierhöfer (University of Freiburg, Germany; Saarland University, Germany; University of Mannheim, Germany) Many small to medium sized enterprises (SMEs) that specialise in electrical or communications engineering are challenged by the increasing importance of software in their products. Although they have a strong interest in subcontracting competent partners for software development tasks, they tend to refrain from doing so. In this paper we identify three main reasons for this situation, propose an approach to overcome some of them and state remaining challenges. Those reasons are situated in the intersection of software engineering and jurisprudence and therefore need to be addressed in an integrated and multidisciplinary fashion. |
|
Younas, Muhammad |
Krishna Sapkota, Arantza Aldea, Muhammad Younas, David A. Duce, and René Bañares-Alcántara (Oxford Brookes University, UK; University of Oxford, UK) Extracting essential meaning from the regulatory text helps in the automation of the Compliance Management (CM) process. CM is a process where organizations assure that the processes are run according to requirements and expectations. However, extraction of meaningful text from regulatory guidelines comes with many research challenges such as dealing with different document-format, implicit document-structure, textual ambiguity and complexity. In this paper, the extended version of the Semantic-ART framework is described, which focuses on tackling the challenges of document-structure identification and regulatory-entity extraction. An initial result has shown an inspirational result as compared to the previous version of the framework. |
34 authors