Towards Identification of Privacy Requirements with Systems Thinking

  • Conference paper
Business Modeling and Software Design (BMSD 2022)

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 453)

Abstract

Implementing privacy as software functions is required by privacy regulation. Achieving this requires shared understanding between business process owners and software engineers, who implement it. Current literature reveals a major gap between privacy requirements and how engineers interpret privacy. Furthermore, as today’s sociotechnical systems are increasingly complex and ever-evolving, unknown privacy issues can emerge from them as a side-effect. Understanding privacy and identifying privacy threats are pre-requisites for deciding on and implementing the right functionality in software. However, current methods for privacy threat identification do not cover all aspects of privacy, suit complex sociotechnical systems or requirements engineering, or support engineers forming a mental model of privacy. We claim that this situation can be improved by applying a systems thinking approach to privacy threat identification. In this paper, we elaborate the problem and propose a research agenda that will help close the gap between privacy requirements and technical software functionality.

Acknowledgements

This research was partially funded by Business Finland under ITEA 18033 Mad@Work.

Author information

Corresponding author

Correspondence to Tuisku Sarrala.

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Sarrala, T., Mikkonen, T., Nguyen Duc, A., Abrahamsson, P. (2022). Towards Identification of Privacy Requirements with Systems Thinking. In: Shishkov, B. (eds) Business Modeling and Software Design. BMSD 2022. Lecture Notes in Business Information Processing, vol 453. Springer, Cham. https://doi.org/10.1007/978-3-031-11510-3_16

  • DOI: https://doi.org/10.1007/978-3-031-11510-3_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-11509-7

  • Online ISBN: 978-3-031-11510-3

  • eBook Packages: Computer Science, Computer Science (R0)
