Legal requirements acquisition for the specification of legally compliant information systems

U.S. federal and state regulations impose mandatory and discretionary requirements on industry-wide business practices to achieve non-functional, societal goals such as improved accessibility, privacy and safety. The structure and syntax of regulations affect how well software engineers identify and interpret legal requirements. Inconsistent interpretations can lead to noncompliance and violations of the law. To support software engineers who must comply with these regulations, I propose a Frame-Based Requirements Analysis Method (FBRAM) to acquire and specify legal requirements from U.S. federal regulatory documents. The legal requirements are systematically specified using a reusable, domain-independent upper ontology, natural language phrase heuristics, a regulatory document model and a frame-based markup language. The methodology maintains traceability from regulatory statements and phrases to formal properties in a frame-based model and supports the resolution of multiple types of legal ambiguity. The methodology is supported by a software prototype to assist engineers with applying the model and with analyzing legal requirements. This work is validated in three domains, information privacy, information accessibility and aviation safety, which are governed by the Health Insurance Portability and Accountability Act of 1996, the Rehabilitation Act Amendments of 1998, and the Federal Aviation Act of 1958, respectively.
