Automating the Extraction of Rights and Obligations for Regulatory Compliance

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 5231)

Abstract

Government regulations are increasingly affecting the security, privacy and governance of information systems in the United States, Europe and elsewhere. Consequently, companies and software developers are required to ensure that their software systems comply with relevant regulations, either through design or re-engineering. We previously proposed a methodology for extracting stakeholder requirements, called rights and obligations, from regulations. In this paper, we examine the challenges to developing tool support for this methodology using the Cerno framework for textual semantic annotation. We present the results from two empirical evaluations of a tool called “Gaius T.” that is implemented using the Cerno framework and that extracts a conceptual model from regulatory texts. The evaluation, carried out on the U.S. HIPAA Privacy Rule and the Italian accessibility law, measures the quality of the produced models and the tool’s effectiveness in reducing the human effort to derive requirements from regulations.

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kiyavitskaya, N. et al. (2008). Automating the Extraction of Rights and Obligations for Regulatory Compliance. In: Li, Q., Spaccapietra, S., Yu, E., Olivé, A. (eds) Conceptual Modeling - ER 2008. ER 2008. Lecture Notes in Computer Science, vol 5231. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87877-3_13

  • DOI: https://doi.org/10.1007/978-3-540-87877-3_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-87876-6

  • Online ISBN: 978-3-540-87877-3

  • eBook Packages: Computer Science, Computer Science (R0)
