
A systematic literature mapping of goal and non-goal modelling methods for legal and regulatory compliance

  • Okhaide Akhigbe
  • Daniel Amyot
  • Gregory Richards
Original Article

Abstract

Much research is ongoing to assess and improve compliance with laws and regulations. As this domain continues to grow and mature, and with more modelling methods introduced to support compliance tasks, important questions need to be asked. What exactly are these methods used for? Where have they been applied? What benefits do they offer? This paper explores how goal-oriented and non-goal-oriented modelling methods have been used for legal and regulatory compliance, and identifies their main claimed benefits and drawbacks based on the kind of compliance tasks they perform. Using a systematic literature mapping approach, we evaluated 103 articles describing the use of modelling methods obtained from a pool of 286 articles. The results indicate that modelling methods focus on the intent of a law, but goal-oriented modelling methods do so while also reflecting the structure of a law, generally with substantial benefits for all compliance tasks. In addition, whereas modelling methods are used for compliance modelling, checking, analysis and enactment tasks, our analysis indicates that the coverage of these methods is more frequent in the healthcare domain with 55% of the articles reviewed targeting it. In terms of the contexts modelling methods address, privacy has the highest level of attention with a focus from 54% of the reviewed articles. The articles reviewed revealed a total of 60 different laws and regulations from 14 different countries, with 62% focusing on privacy. Moreover, while 82% of the articles reviewed addressed concerns of regulated parties, only 12% addressed the concerns of regulators, and 6% addressed concerns of both regulating and regulated parties. This study highlights the benefits and drawbacks of both types of modelling methods and identifies potential benefits and common drawbacks that will be of interest to researchers and practitioners in the selection of modelling methods or in the identification of selection criteria. Finally, the mapping results emphasize the need for more studies outside of healthcare, that are related to contexts other than privacy, that target compliance enactment tasks or that take the concerns of regulators into consideration.

Keywords

  • Goal-oriented modelling
  • Legal and regulatory compliance
  • Regulators
  • Requirements engineering
  • Systematic literature mapping

Notes

Acknowledgements

This research was supported by the National Science and Engineering Research Council of Canada (NSERC) Discovery program and by Interis Consulting/BDO. We also thank the anonymous reviewers for their comments and suggestions, which led to many improvements in this paper.

Authors’ contributions

DA defined the research questions while OA developed the search strategies and carried out the review. DA reviewed the analysis results for consistency and completeness. All authors discussed the results. OA finalized the article with assistance from DA and GR.

Compliance with ethical standards

Conflict of interest

The authors declare that they have no conflict of interest.


Copyright information

© Springer-Verlag London Ltd., part of Springer Nature 2018

Authors and Affiliations

  1. School of Electrical Engineering and Computer Science, University of Ottawa, Ottawa, Canada
  2. Telfer School of Management, University of Ottawa, Ottawa, Canada
