A Core Ontology for Privacy Requirements Engineering

Nowadays, most companies need to collect, store, and manage personal information in order to deliver their services. Accordingly, privacy has emerged as a key concern for these companies, since they need to comply with privacy laws and regulations. To be dealt with properly, such privacy concerns should be considered from the early phases of system design. Ontologies have proven to be a key factor in elaborating high-quality requirements models. However, most existing work deals with privacy as a special case of security requirements, thereby missing essential traits of this family of requirements. In this paper, we introduce COPri, a Core Ontology for Privacy requirements engineering that adopts and extends our previous work on a privacy requirements engineering ontology, which was mined through a systematic literature review. Additionally, we implement, validate, and then evaluate our ontology.
