Annie I. Antón scite author profile

In the United States, federal and state regulations prescribe stakeholder rights and obligations that must be satisfied by the requirements for software systems. These regulations are typically wrought with ambiguities, making the process of deriving system requirements ad hoc and error prone. In highly regulated domains such as healthcare, there is a need for more comprehensive standards that can be used to assure that system requirements conform to regulations. To address this need, we expound upon a process called Semantic Parameterization previously used to derive rights and obligations from privacy goals. In this work, we apply the process to the Privacy Rule from the U.S. Health Insurance Portability and Accountability Act (HIPAA).We present our methodology for extracting and prioritizing rights and obligations from regulations and show how semantic models can be used to clarify ambiguities through focused elicitation and to balance rights with obligations. The results of our analysis can aid requirements engineers, standards organizations, compliance officers, and stakeholders in assuring systems conform to policy and satisfy requirements.

show abstract

Goal-based requirements analysis

Antón

313

221

View full text Add to dashboard Cite

Goals are a logical mechanism for identifying, organizing and justifying software requirements. Strategies 0re needed for the initial identification and construction of goals. In this paper we discuss goals from the perspective of two themes: goal analysis and goal evolution. W e begin with an overview of the goal-based method we have developed and summarize our experiences in applying our method to a relatively large example. W e illustrate some of the issues that practitioners face when using a goal-based approach to speci f y the requirements for a system and close the paper with a discussion of needed future research on goalbased requirements analysis and evolution.

show abstract

Analyzing Regulatory Rules for Privacy and Security Requirements

Breaux

Antón

2008

IIEEE Trans. Software Eng.

269

198

View full text Add to dashboard Cite

Information practices that use personal, financial and health-related information are governed by U.S. laws and regulations to prevent unauthorized use and disclosure. To ensure compliance under the law, the security and privacy requirements of relevant software systems must be properly aligned with these regulations. However, these regulations describe stakeholder rules, called rights and obligations, in complex and sometimes ambiguous legal language. These "rules" are often precursors to software requirements that must undergo considerable refinement and analysis before they are implementable. To support the software engineering effort to derive security requirements from regulations, we present a methodology to extract access rights and obligations directly from regulation texts. The methodology provides statement-level coverage for an entire regulatory document to consistently identify and infer six types of data access constraints, handle complex cross-references, resolve ambiguities, and assign required priorities between access rights and obligations to avoid unlawful information disclosures. We present results from applying this methodology to the entire regulation text of the U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

show abstract

Inquiry-based requirements analysis

1994

View full text Add to dashboard Cite

Addressing Legal Requirements in Requirements Engineering

2007

View full text Add to dashboard Cite

Legal texts, such as regulations and legislation, are playing an increasingly important role in requirements engineering and system development. Monitoring systems for requirements and policy compliance has been recognized in the requirements engineering community as a key area for research. Similarly, regulatory compliance is critical in systems that are governed by regulations and law, especially given that non-compliance can result in both financial and criminal penalties. Working with legal texts can be very challenging, however, because they contain numerous ambiguities, cross-references, domainspecific definitions, and acronyms, and are frequently amended via new regulations and case law. Requirements engineers and compliance auditors must be able to identify relevant regulations, extract requirements and other key concepts, and monitor compliance throughout the software lifecycle. This paper surveys research efforts over the past 50 years in handling legal texts for systems development. These efforts include the use of symbolic logic, logic programming, first-order temporal logic, deontic logic, defeasible logic, goal modeling, and semi-structured representations. This survey can aid requirements engineers and auditors to better specify, monitor, and test software systems for compliance.

show abstract

Financial privacy policies and the need for standardization

Antón

Earp

et al. 2004

IEEE Secur. Privacy Mag.

134

107

View full text Add to dashboard Cite

Examining Internet Privacy Policies Within the Context of User Privacy Values

Earp

Antón

Aiman-Smith

et al. 2005

IEEE Trans. Eng. Manage.

172

View full text Add to dashboard Cite

Abstract-Internet privacy policies describe an organization's practices on data collection, use, and disclosure. These privacy policies both protect the organization and signal integrity commitment to site visitors. Consumers use the stated website policies to guide browsing and transaction decisions. This paper compares the classes of privacy protection goals (which express desired protection of consumer privacy rights) and vulnerabilities (which potentially threaten consumer privacy) with consumer privacy values. For this study, we looked at privacy policies from nearly 50 websites and surveyed over 1000 Internet users. We examined Internet users' major expectations about website privacy and revealed a notable discrepancy between what privacy policies are currently stating and what users deem most significant. Our findings suggest several implications to privacy managers and software project managers. Results from this study can help managers determine the kinds of policies needed to both satisfy user values and ensure privacy-aware website development efforts.

show abstract

Analyzing goal semantics for rights, permissions, and obligations

Breaux

Antón

2005

View full text Add to dashboard Cite

Software requirements, rights, permissions, obligations, and the operational functionality of policy enforcing systems are often misaligned. Our goal is to develop tools and techniques that help requirements engineers and policy makers bring policies and system requirements into better alignment. Goals from requirements engineering are useful for distilling natural language policy statements into structured descriptions of these interactions; however, they are limited in that they are not easy to compare with one another despite sharing common semantic features. In this paper, we describe a process called semantic parameterization that we use to derive semantic models from goals mined from privacy policy documents. We present example semantic models that enable comparing policy statements and present a template method for generating natural language policy statements (and ultimately requirements) from unique semantic models. The semantic models are described by a context-free grammar (CFG) that has been validated within the context of the most frequently expressed goals in over 100 Internet privacy policy documents. The CFG is supported by a policy analysis tool that supports queries and policy statement generation.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Annie I. Antón

Towards Regulatory Compliance: Extracting Rights and Obligations to Align Requirements with Regulations

Goal-based requirements analysis

Analyzing Regulatory Rules for Privacy and Security Requirements

Inquiry-based requirements analysis

Addressing Legal Requirements in Requirements Engineering

Financial privacy policies and the need for standardization

Examining Internet Privacy Policies Within the Context of User Privacy Values

Analyzing goal semantics for rights, permissions, and obligations

Contact Info

Product

Resources

About