Introducing Regulatory Compliance Requirements Engineering

  • Shahbaz Ali
  • Jon Hall


A 2003 study from the University of California at Berkeley [Ucla03] observed that the volume of information held in e-mail and other electronic records is growing at about 30% per year. Using information assets securely and efficiently therefore places increasing weight on how they are integrated, protected, analysed and stored in organisational systems. These assets are valuable, not least to the individuals they concern, and legislative and regulatory frameworks such as the Data Protection Act acknowledge this: organisations now have a duty to exercise regulatory compliance [Idc04, Fisma03, Sox02, Isgi06, Grsm06], which is largely understood as a component of the organisation's information security context and of its Information Lifecycle Management (ILM).

Despite the growing number of publications on security requirements engineering (RE), little or no research has so far addressed the requirements of software systems to which regulatory compliance applies. Although several security RE approaches appear to offer the makings of a solution, we argue that current approaches to security requirements are inadequate for the problems organisations face as legislation and regulation change.

This position paper also argues for a flexible and responsive approach to system RE that properly distinguishes security requirements from compliance requirements and makes clear the overall role of compliance requirements in RE. It draws attention to the benefits of unifying the software RE and organisational-systems views of compliance requirements analysis. Using Problem Frames, our research is exploring conceptual tools as a foundation for modelling the impact of compliance requirements, and will lead to a stronger compliance RE framework that allows an organisation to engineer changes to its existing socio-technical systems in a non-disruptive manner.


Keywords (added by machine, not by the authors): requirements engineering, security requirements, trust management, problem frames




  1. [Alex02] I. Alexander, "Misuse Cases," Proceedings of the International Requirements Engineering Conference (RE'02), 2002.
  2. [Ander01] R. Anderson, "Why Information Security is Hard: An Economic Perspective," University of Cambridge Computer Laboratory, 30 January 2001.
  3. [Ander02] R. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, John Wiley & Sons, 2001.
  4. [Blaz99] M. Blaze et al., "Trust Management and Network Layer Security Protocols," Security Protocols Workshop, pp. 103–118, 1999.
  5. [Blaz96] M. Blaze et al., "Decentralized Trust Management," Proc. IEEE Symposium on Security and Privacy, Oakland, CA, 1996.
  6. [Blaz00] M. Blaze et al., "The Role of Trust Management in Distributed Systems Security," Secure Internet Programming, vol. 20, pp. 185–210, 1999–2000.
  7. [Boza99] E. Bozaki, "IP Security Protocols," Dr. Dobb's Journal, vol. 306, pp. 42–55, 1999.
  8. [Brier06] J. Brier, L. Rapanotti and J. G. Hall, "Problem based analysis of organisational change: a real-world example," International Workshop on Advances and Applications of Problem Frames, ACM, 2006.
  9. [Cald03] J. Caldera, Survivability Requirements for the U.S. Health Care Industry, Master's thesis, Carnegie Mellon University, May 2003, pp. 37–45.
  10. [Fisma03] FISMA: Federal Information Security Management Act, National Institute of Standards and Technology.
  11. [Flyn98] D. Flynn, Information Systems Requirements: Determination and Analysis, 2nd edition, McGraw-Hill, 1998.
  12. [Grsm06] Government Regulations and Security Management Survey.
  13. [Idc04] Regulatory Compliance: What Role Will Technology Play? IDC #31213, April 2004.
  14. [Irvi03] C. E. Irvine, "Cybersecurity Considerations for Information Systems," Center for Information Systems Security Studies and Research, Department of Computer Science, Naval Postgraduate School, Monterey, CA, 2003.
  15. [Isgi06] Information Security Governance, Information Systems Audit and Control Association (TaggedPage/TaggedPageDisplay.cfm&TPLID=14&ContentID=7396).
  16. [Jack00] M. Jackson, Problem Frames: Analysing and Structuring Software Development Problems, Addison-Wesley, ISBN 0-201-59627-X.
  17. [Jur01] J. Jürjens, "Developing Secure Systems with UMLsec: From Business Processes to Implementation," VIS 2001, Computing Laboratory, University of Oxford, 2001.
  18. [Kava02] E. Kavakli, Goal Oriented Requirements Engineering: A Unifying Framework, Department of Cultural Technology and Communication, University of the Aegean.
  19. [Lams01] A. van Lamsweerde et al., "Goal-oriented Elaboration of Security Requirements," Louvain-la-Neuve, academic year 2000–2001, 2001.
  20. [Lams00] A. van Lamsweerde and E. Letier, "Handling Obstacles in Goal-oriented Requirements Engineering," IEEE Transactions on Software Engineering, 26(10), 2000.
  21. [Lams04] A. van Lamsweerde et al., "Elaborating Security Requirements by Construction of Intentional Anti-Models," Louvain-la-Neuve, academic year 2003–2004, 2004.
  22. [McDe99] J. McDermott and C. Fox, "Using Abuse Case Models for Security Requirements Analysis," Proceedings of the 15th Annual Computer Security Applications Conference, Scottsdale, AZ, 6–10 December 1999, pp. 55–64, IEEE Computer Society Press, 1999.
  23. [Mass05] F. Massacci, M. Prest and N. Zannone, "Using a Security Requirements Engineering Methodology in Practice: The Compliance with the Italian Data Protection Legislation," CSI, 2005.
  24. [Nuse03] B. A. Nuseibeh and J. D. Moffett, "A Framework for Security Requirements Engineering," Open University Security Requirements Group, 2003.
  25. [Rapa04] L. Rapanotti, J. G. Hall, M. Jackson and B. Nuseibeh, "Architecture-driven problem decomposition," 12th IEEE International Conference on Requirements Engineering (RE 2004), pp. 80–89, IEEE Computer Society, 2004.
  26. [Rules04]
  27. [Schn96] B. Schneier, Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C, Wiley, 1996.
  28. [Schn99] B. Schneier, "Attack Trees: Modeling Security Threats," Dr. Dobb's Journal, December 1999.
  29. [Sind03] G. Sindre, D. G. Firesmith and A. L. Opdahl, "A Reuse-Based Approach to Determining Security Requirements," 2003.
  30. [Sox02]
  31. [Ucla03] How Much Information? University of California at Berkeley, 2003.

Copyright information

© Friedr. Vieweg & Sohn Verlag | GWV-Fachverlage GmbH, Wiesbaden 2006

Authors and Affiliations

  • Shahbaz Ali, Tarmin Technologies Ltd, UK
  • Jon Hall, The Open University, UK
