Powered by
Conference Publishing Consulting

8th International Workshop on Requirements Engineering and Law (RELAW 2015), August 25, 2015, Ottawa, ON, Canada

RELAW 2015 – Proceedings

Contents - Abstracts - Authors


Title Page

Over the past several decades, we have experienced tremendous growth in new infrastructure, business practices, products and services that use information to achieve stakeholder goals. Laws and regulations from governments impose compliance challenges for the requirements engineers that build and maintain these information systems, including: balancing privacy and security, patient medical records, corporate governance, and ambiguity stemming from evolving regulations, technologies, and societies. Regulators, lawyers, engineers, and academics must address these challenges through a shared pursuit to understand the historical and social impact of laws and regulations on emerging technology. Importantly, these challenges are both expensive and continuing. Regulatory compliance must be maintained and monitored throughout the life of regulated information systems. The eighth RELAW workshop is a multi-disciplinary, one-day workshop that brings together practitioners and researchers from two domains: Requirements Engineering and Law. Participants from government, industry, and academic sectors investigate challenges to ensure that information systems comply with policies and laws. This year, we also explicitly focus on mechanisms for improving communication between the requirements engineering and legal communities. Thus, the theme of the workshop this year is “Requirements For Lawyers”. This theme highlights ways to improve communication and feedback from these critical communities. What can lawyers and policy makers do to ease the burdens of establishing and demonstrating compliance? What can requirements engineers do to assist lawyers and policy makers seeking to craft implementable, easily understood laws and regulations?

Logical Modeling and Knowledge Representation

Semantic Web Representations for Reasoning about Applicability and Satisfiability of Federal Regulations for Information Security
Sayonnha Mandal, Robin Gandhi, and Harvey Siy
(University of Nebraska, USA)
In this paper, the Nòmos 2 framework for modeling law-compliant solutions in software system design is applied in the context of the Federal Information Security Modernization Act (FISMA) of 2014. Information security regulatory statements with a high variability space are examined to explore the utility and limits of the Nòmos 2 framework for information security regulations. Additionally, Nòmos 2 concepts are modeled in a semantic web representation for reasoning about the applicability and satisfiablity of FISMA regulations for information systems. The use of freely available semantic web toolsets for knowledge modeling and reasoning are demonstrated in an example scenario requiring the determination of FISMA related authorities and functions.

Article Search
Terminology Matching of Requirements Specification Documents and Regulations for Compliance Checking
Ryotaro Nakamura, Yu Negishi, Shinpei Hayashi, and Motoshi Saeki
(Tokyo Institute of Technology, Japan)
To check the consistency between requirements specification documents and regulations by using a model checking technique, requirements analysts generate inputs to the model checker, i.e., state transition machines from the documents and logical formulas from the regulatory statements to be verified as properties. During these generation processes, to make the logical formulas semantically correspond to the state transition machine, analysts should take terminology matching where they look for the words in the requirements document having the same meaning as the words in the regulatory statements and unify the semantically same words. In this paper, by using case grammar approach, we propose an automated technique to reason the meaning of words in requirements specification documents by means of co-occurrence constraints on words in case frames, and to generate from regulatory statements the logical formulas where the words are unified to the words of the requirements documents. We have a feasibility study of our proposal with two case studies.

Article Search
Towards an Information Type Lexicon for Privacy Policies
Jaspreet Bhatia and Travis D. Breaux
(Carnegie Mellon University, USA)
Privacy policies serve to inform consumers about a company’s data practices, and to protect the company from legal risk due to undisclosed uses of consumer data. In addition, US and EU regulators require companies to accurately describe their practices in these policies, and some laws prescribe how companies should write these policies. Despite these aims, privacy policies are frequently criticized for being vague and uninformative. To support and improve the analysis of privacy policies, we report results from constructing an information type lexicon from manual, human annotations and an entity extractor based on part-of-speech tagging. The lexicon was constructed from 3,850 annotations obtained from crowd workers analyzing 15 privacy policies. An entity extractor was designed to extract entities from these annotations. The extractor succeeds at finding entities in 92% of annotations and the lexicon consists of 725 unique entities. Finally, we measured the terminological reuse across all 15 policies and observed the lexicon has a 31-78% chance of containing a word from any previously seen policy.

Article Search

Goal Models and Measurement

Modeling Legal and Regulative Requirements for Ranking Alternatives of Cloud-based Services
Radhika Garg, Bram Naudts, Sofie Verbrugge, and Burkhard Stiller
(University of Zurich, Switzerland; Ghent University, Belgium; iMinds, Belgium)
The decision to adopt a new technology in an organization is a complex task because of several Non-Functional Requirements (NFR) e.g., availability, interoperability, and presence of several alternatives, e.g., service providers can offer multiple packages. To support such a decision and to select the best alternative a Trade-off based Adoption Methodology for Cloud-based Infrastructure and Services (TrAdeCIS), based on NFR for cloud-based services, was proposed. This methodology makes the decision based on multi-criteria decision algorithms, namely the Technique for Order of Preference by Similarity to Ideal Solution (TOPSIS) and the Analytic Network Process (ANP). However, in addition, the decision for adopting cloud-based services is also influenced by the presence of various legal and regulative con-straints. Therefore, it is crucial to understand, identify, and model the effect of such constraints on the evaluation of NFR and available alternatives. This paper, therefore, uses the Goal-oriented Requirement Language (GRL) to model the effect of legal and regulative constraints on ranking available alternatives with respect to NFR. The paper also discusses the extensibility and applicability of this methodology to other domains that re-quire evaluating the effect of legal and regulative constraints on the adoption decision. To illustrate this, decisions within the domain providing better voice and data quality on-board train is also discussed in this paper.

Article Search
Towards Systems for Increased Access to Justice using Goal Modeling
Sanaa A. Alwidian and Daniel Amyot
(University of Ottawa, Canada)
Emerging cyberjustice systems are in need of relevant requirements engineering approaches, for example, to provide citizens with better access to the judicial system. In this context, this paper proposes the use of goal modeling for developing Online Dispute Resolution (ODR) systems in Canada. With ODR, the use of technology has the potential of increasing access to justice at low cost. We argue that a goal-oriented view is needed to capture early requirements about who are the stakeholders, what goals and quality criteria they have and how the various enabling technologies can be combined to meet these goals. A particular case is made for the use of the Goal-oriented Requirement Language (GRL), which covers the above and enables trade-off analysis as well as the introduction of indicators for measurement activities. GRL also has the potential of being used to guide some run-time decisions in ODR systems.

Article Search
Measuring and Managing the Design Restriction of Enterprise Architecture (EA) Principles on EA Models
Diana Marosin and Sepideh Ghanavati
(Luxembourg Institute of Science and Technology, Luxembourg; Radboud University Nijmegen, Netherlands; Carnegie Mellon University, USA)
Implementation and formalisation, alongside with creation, adoption and usage of Enterprise Architecture (EA) principles are hot topics of the current years of EA research. However, the EA community, both academic and professional, misses a consensus on the definitions and use of principles. Furthermore, not much research is done in the direction of measuring the impact (e.g. design restriction) of EA principles. We aim to create a formal framework for measuring and managing this impact manifested by the EA principles on the EA models. Studying the current literature, we noticed there are similarities and differences between EA principles and regulations. The two concepts resemble each other given first, the purpose (both providing a normative guidance on the evolution of the enterprise) and second, the natural language representation and the structural definition (even if most of the time the principles are company specific, they all seem to have common fields in their definition). Principles behave mostly like soft-laws and being non-compliant with them results in fewer penalties and consequences compared to non-compliance with regulations. To that end, we investigate and adapt methods similar to the ones that can be found in requirements engineering for checking and managing regulatory compliance.

Article Search

Compliance in Multiple Jurisdictions

Comparing and Analyzing Definitions in Multi-jurisdictions
Sepideh Ghanavati and Travis D. Breaux
(Carnegie Mellon University, USA; Luxembourg Institute of Science and Technology, Luxembourg)
Regulatory definitions establish the scope and boundary for legal statements and provide software designers with means to assess the coverage of their designs under the law. However, the number of phrases that serve to define this boundary in a legal statement are usually large and often a simple legal statement contains or is affected by up to 10 definition-related phrases. In addition, software designers may need to design their software to operate under multiple jurisdictions, which may not use the same terminology to express conditions. Thus, it is necessary for designers to keep track of definitions in one or more regulations and to compare these definitions across jurisdictions. In this paper we report a study to develop a method to analyze and compare natural language definitions across legal texts and how to analyze the legal statements with respect to definitions. Our method helps reduce the number of comparison between definitions across multiple jurisdictions as well as allows software designers keep track of several inter-related definitions in a systematic way.

Article Search
Structuring Diverse Regulatory Requirements for Global Product Development
Maria Spichkova, Heinz W. Schmidt, Md. Rashed I. Nekvi, and Nazim H. Madhavji
(RMIT University, Australia; University of Western Ontario, Canada)
Developing a system for different contexts (e.g., countries, organisations and situations) means that the requirements for the system can differ in diverse cases. The challenge is to deal with this diversity in a systematic way, taking account of variance in compliance, and avoiding contradictions. In this paper, we describe a framework for analysing the diversity of requirements that emanates from differences in the regulations across the contexts.

Article Search

proc time: 0.08