Prioritizing Legal Requirements

Requirements prioritization is used in the early phases of software development to determine the order in which requirements should be implemented. Requirements are not all equally important to the final software system because time constraints, expense, and design can each raise the urgency of implementing some requirements before others. Laws and regulations can make requirements prioritization particularly challenging due to the high costs of noncompliance and the substantial amount of domain knowledge needed to make prioritization decisions. In the context of legal requirements, implementation order ideally should be influenced by the laws and regulations governing a given software system. In this paper, we present a prioritization technique for legal requirements. We apply our technique to a set of 63 functional requirements for an open-source electronic health records system that must comply with the U.S. Health Insurance Portability and Accountability Act.
