The Use of Goals to Extract Privacy and Security Requirements from Policy Statements

This paper addresses the use of goals to extract non-functional requirements from policy statements. Goals are important precursors to software requirements, but the process of abstracting them from security and privacy policies has not been thoroughly researched. We present a summary of a goal-based approach for extracting standard security and privacy requirements from policy statements and illustrate its application in an analysis of 40 financial privacy policies. We present heuristics to support goal analysis, goal refinement, and the development of tool support, including the establishment of a goal repository that can be used in future goal analyses. To gain a deeper understanding of the goal set, and to identify potential conflicts and inconsistencies between goals, we used i* to model semantic relationships between goals, their actors and strategic dependencies. The goal-based process will assist software engineers in the specification of system requirements that are in alignment with an organization’s policies.
