Analyzing goal semantics for rights, permissions, and obligations

Software requirements, rights, permissions, obligations, and operations of policy-enforcing systems are often misaligned. Our goal is to develop tools and techniques that help requirements engineers and policy makers bring policies and system requirements into better alignment. Goals from requirements engineering are useful for distilling natural language policy statements into structured descriptions of these interactions; however, they are limited in that they are not easy to compare with one another despite sharing common semantic features. In this paper, we describe a process called semantic parameterization that we use to derive semantic models from goals mined from privacy policy documents. We present example semantic models that enable comparing policy statements, and a template method for generating natural language policy statements (and ultimately requirements) from unique semantic models. The semantic models are described by a context-free grammar called KTL that has been validated within the context of the most frequently expressed goals in over 100 Internet privacy policy documents. KTL is backed by a policy analysis tool that supports queries and policy statement generation.
