RE 2012 Workshops

2012 Fifth IEEE International Workshop on Requirements Engineering and Law (RELAW), September 25, 2012, Chicago, Illinois, USA

RELAW 2012 – Proceedings


Fifth IEEE International Workshop on Requirements Engineering and Law (RELAW)

Foreword
The objective of the Fifth International Workshop on Requirements Engineering and Law (RELAW) is to foster the discussion related to requirements engineering triggered by any legal regulation or law. The theme this year is Compliance under Uncertainty.
Over the past several decades, we have experienced tremendous growth in new infrastructure, business practices, products and services that use information to achieve stakeholder goals. Recent compliance challenges include balancing privacy and security, patient medical records, corporate governance, and different sources of uncertainty such as evolving regulations, technologies, and societies. This growth has drawn the attention of regulators, lawyers, engineers and academics, who share a pursuit to understand the historical and social impact of existing laws and regulations on emerging technology. The costs to brand, to infrastructure and to the public of violating the law are often prohibitive, and the challenges of ensuring that (software) systems comply with the law are viewed differently by those involved.
The fifth RELAW workshop is a multi-disciplinary, one-day workshop that will bring together practitioners and researchers from two domains: Requirements Engineering and Law. Participants from government, industry and academic sectors investigate challenges to ensure that information systems comply with policies and laws. The workshop will probe important issues, including the processes for identifying relevant policies, laws and jurisdictions, aligning laws with system requirements, managing requirements and changes in the law and demonstrating how systems comply with relevant laws through evidence-based mechanisms such as documentation, testing and certification, even in the presence of uncertainty.
The program this year consists of an invited talk from Steven W. Teppler (Counsel at Edelson McGuire LLC and CEO of TimeCertain), an exciting selection of nine papers, each peer-reviewed by three members of the Program Committee, and a workshop period for discussions and for planning future work items of the RELAW community.

Drafting and Modeling of Regulations: Is It Being Done Backwards?
Edna Braun, Nick Cartwright, Azalia Shamsaei, Saeed Ahmadi Behnam, Greg Richards, Gunter Mussbacher, Mohammad Alhaj, and Rasha Tawhid
(Transport Canada, Canada; University of Ottawa, Canada; Carleton University, Canada)
The performance modeling of regulations is a relatively recent innovation. However, as regulators in many domains increasingly look to move from prescriptive regulations towards more outcome-based regulations, the use of performance modeling will become more commonplace. The major difference between outcome-based regulations and prescriptive regulations is that the main interest lies in specifying clear objectives of the regulations and measuring whether regulated parties achieve these objectives, while leaving much freedom to the regulated party on how to meet these objectives. Recently, we have found that the use of performance modeling provides benefits such as revealing inconsistencies and lack of clarity in existing regulatory language. In this paper, we report on these experiences, summarize guidelines for the modeling of regulations, and examine whether the current drafting processes for regulations are optimized to take advantage of these additional benefits. We explore the advantages and disadvantages of various ways of augmenting the current approach with goal-oriented modeling of regulations. Based on our experience with Aviation Security regulations, we believe it is time for modeling to play a new role in helping to guide the drafting of regulations.

Measurement-Oriented Comparison of Multiple Regulations with GRL
André Rifaut and Sepideh Ghanavati
(CRP Henri Tudor, Luxembourg; University of Ottawa, Canada)
In recent years, intentional models have been adapted to capture and analyze compliance needs and requirements. Furthermore, intentional models have been used to identify the impact of regulations on organizational goals by helping to elicit different alternatives about the business operations supported by compliant business processes and services. In other works, intentional models based on measurement frameworks have provided well-structured models of regulations and compliance alternatives. This paper integrates Goal-Oriented Requirements Language (GRL)-based methodologies with measurement-based methodologies to improve support for comparing regulations that share the same concerns, using (measurement) objectivity.

Software Licenses, Coverage, and Subsumption
Thomas A. Alspaugh, Walt Scacchi, and Rihoko Kawai
(UC Irvine, USA; Saitama Institute of Technology, Japan; National Institute of Informatics, Japan)
Software licensing issues for a system design, instantiation, or configuration are often complex and difficult to evaluate, and mistakes can be costly. Automated assistance requires a formal representation of the significant features of the software licenses involved. We present results from an analysis directed toward a formal representation capable of covering an entire license. The key to such a representation is to identify the license's actions, and relate them to the actions for exclusive rights defined in law and to the actions defined in other licenses. Parameterizing each action by the object(s) acted on, the instrumental entities through which the action is performed, and similar contextual variables enables a subsumption relation among the actions. The resulting formalism is lightweight, flexible enough to support the scope of legal interpretations, and extensible to a wide range of software licenses. We discuss the application of our approach to the Lesser General Public License (LGPL) version 2.1.

Licensing Security
Thomas A. Alspaugh and Walt Scacchi
(UC Irvine, USA)
There exist legal structures defining the exclusive rights of authors, and means for licensing portions of them to others in exchange for appropriate obligations. We propose an analogous approach for security, in which portions of exclusive security rights owned by system stakeholders may be licensed as needed to others, in exchange for appropriate security obligations. Copyright defines exclusive rights to reproduce, distribute, and produce derivative works, among others. We envision exclusive security rights that might include the right to access a system, the right to run specific programs, and the right to update specific programs or data, among others. Such an approach uses the existing legal structures of licenses and contracts to manage security, as copyright licenses are used to manage copyrights. At present there is no law of "security right" as there is a law of copyright, but with the increasing prevalence and prominence of security attacks and abuses, of which Stuxnet and Flame are merely the best known recent examples, such legislation is not implausible. We discuss kinds of security rights and obligations that might produce fruitful results, and how a license structure and approach might prove more effective than security policies.

Extracting Meaningful Entities from Regulatory Text: Towards Automating Regulatory Compliance
Krishna Sapkota, Arantza Aldea, Muhammad Younas, David A. Duce, and René Bañares-Alcántara
(Oxford Brookes University, UK; University of Oxford, UK)
Extracting essential meaning from regulatory text helps in the automation of the Compliance Management (CM) process. CM is a process by which organizations assure that their processes are run according to requirements and expectations. However, extraction of meaningful text from regulatory guidelines comes with many research challenges, such as dealing with different document formats, implicit document structure, textual ambiguity and complexity. In this paper, the extended version of the Semantic-ART framework is described, which focuses on tackling the challenges of document-structure identification and regulatory-entity extraction. An initial evaluation shows an encouraging result compared to the previous version of the framework.

Defining and Retrieving Themes in Nuclear Regulations
Nicolas Sannier and Benoit Baudry
(EDF, France; INRIA, France)
Safety systems in the nuclear industry must conform to an increasing set of regulatory requirements. These requirements are scattered throughout multiple documents expressing different levels of requirements or different kinds of requirements. Consequently, when licensees want to extract the set of regulations related to a specific concern, they lack explicit traces between all regulation documents and mostly get lost while attempting to compare two different regulatory corpora. This paper presents the regulatory landscape in the context of digital Instrumentation and Command systems in nuclear power plants. To cope with this complexity, we define and discuss challenges toward an approach based on information retrieval techniques to first narrow the regulatory research space into themes and then assist the recovery of these traceability links.

Towards Successful Subcontracting for Software in Small to Medium-Sized Enterprises
Bernd Westphal, Daniel Dietsch, Sergio Feo-Arenis, Andreas Podelski, Louis Pahlow, Jochen Morsbach, Barbara Sommer, Anke Fuchs, and Christine Meierhöfer
(University of Freiburg, Germany; Saarland University, Germany; University of Mannheim, Germany)
Many small to medium-sized enterprises (SMEs) that specialise in electrical or communications engineering are challenged by the increasing importance of software in their products. Although they have a strong interest in subcontracting competent partners for software development tasks, they tend to refrain from doing so. In this paper we identify three main reasons for this situation, propose an approach to overcome some of them, and state remaining challenges. Those reasons are situated at the intersection of software engineering and jurisprudence and therefore need to be addressed in an integrated and multidisciplinary fashion.

Assessing Identification of Compliance Requirements from Privacy Policies
Jessica Young Schmidt, Annie I. Antón, and Julia B. Earp
(North Carolina State University, USA)
In the United States, organizations can be held liable by the Federal Trade Commission for the statements they make in their privacy policies. Thus, organizations must include their privacy policies as a source of requirements in order to build systems that are policy-compliant. In this paper, we describe an empirical user study in which we measure the ability of requirements engineers to effectively extract compliance requirements from a privacy policy using one of three analysis approaches—CPR (commitment, privilege, and right) analysis, goal-based analysis, and non-method-assisted (control) analysis. The results of these three approaches were then compared to an expert-produced set of expected compliance requirements. The requirements extracted by the CPR subjects reflected a higher percentage of requirements that were expected compliance requirements, as well as a higher percentage of the total expected compliance requirements. In contrast, the goal-based and control subjects produced a higher number of synthesized requirements, or requirements not directly derived from the policy, than the CPR subjects. This larger number of synthesized requirements may be attributed to the fact that these two subject groups employed more inquiry-driven approaches than the CPR subjects, who relied primarily on focused and direct extraction of compliance requirements.
