Abstract
Implementing privacy as software functions is required by privacy regulation. Achieving this requires shared understanding between business process owners and software engineers, who implement it. Current literature reveals a major gap between privacy requirements and how engineers interpret privacy. Furthermore, as today’s sociotechnical systems are increasingly complex and ever-evolving, unknown privacy issues can emerge from them as a side-effect. Understanding privacy and identifying privacy threats are pre-requisites for deciding on and implementing the right functionality in software. However, current methods for privacy threat identification do not cover all aspects of privacy, suit complex sociotechnical systems or requirements engineering, or support engineers forming a mental model of privacy. We claim that this situation can be improved by applying a systems thinking approach to privacy threat identification. In this paper, we elaborate the problem and propose a research agenda that will help close the gap between privacy requirements and technical software functionality.
Acknowledgements
This research was partially funded by Business Finland under ITEA 18033 Mad@Work.
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Sarrala, T., Mikkonen, T., Nguyen Duc, A., Abrahamsson, P. (2022). Towards Identification of Privacy Requirements with Systems Thinking. In: Shishkov, B. (eds) Business Modeling and Software Design. BMSD 2022. Lecture Notes in Business Information Processing, vol 453. Springer, Cham. https://doi.org/10.1007/978-3-031-11510-3_16
DOI: https://doi.org/10.1007/978-3-031-11510-3_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-11509-7
Online ISBN: 978-3-031-11510-3
eBook Packages: Computer Science (R0)