Requirements Engineering

, Volume 15, Issue 1, pp 119–137 | Cite as

Evaluating existing security and privacy requirements for legal compliance

  • Aaron K. Massey
  • Paul N. Otto
  • Lauren J. Hayward
  • Annie I. Antón
Special Issue—Security Requirements Engineering


Governments enact laws and regulations to safeguard the security and privacy of their citizens. In response, requirements engineers must specify compliant system requirements to satisfy applicable legal security and privacy obligations. Specifying legally compliant requirements is challenging because legal texts are complex and ambiguous by nature. In this paper, we discuss our evaluation of the requirements for iTrust, an open-source Electronic Health Records system, for compliance with legal requirements governing security and privacy in the healthcare domain. We begin with an overview of the method we developed, using existing requirements engineering techniques, and then summarize our experiences in applying our method to the iTrust system. We illustrate some of the challenges that practitioners face when specifying requirements for a system that must comply with law and close with a discussion of needed future research focusing on security and privacy requirements.


Security requirements Privacy requirements Legal compliance Refactoring requirements 



The authors would like to thank Mr. Andy Meneely for hosting our wiki site throughout our study and Dr. Williams, Dr. Xie, and Mr. Meneely for their work in building iTrust, as well as ThePrivacyPlace.Org Reading Group members. This work was supported by NSF ITR Grant #0325269, NSF Cyber Trust Grant #0430166, and NSF Science of Design Grant #0725144.


  1. 1.
    Choi YB, Capitan KE, Krause JS, Streeper MM (2006) Challenges associated with privacy in health care industry: implementation of HIPAA and the security rules. J Med Syst 30(1):57–64CrossRefGoogle Scholar
  2. 2.
    DesRoches CM, Campbell EG, Rao SR, Donelan K, Ferris TG, Jha A, Kaushal R, Levy DE, Rosenbaum S, Shields AE, Blumenthal D (2008) Electronic health records in ambulatory care—a national survey of physicians. N Engl J Med 359(1):50–60CrossRefGoogle Scholar
  3. 3.
    Williams L, Shin Y (2006) WIP: exploring security and privacy concepts through the development and testing of the iTrust medical records system. Front Educ S1F30–31Google Scholar
  4. 4.
    Otto PN, Antón AI (2007) Addressing legal requirements in requirements engineering. In: Proceedings of the 15th IEEE international requirements engineering conference, pp 5–14Google Scholar
  5. 5.
    Antón AI, Earp JB (2001) In: Ghosh AK (ed) Recent advances in E-commerce security and privacy. Kluwer, Dordrecht, pp 29–46Google Scholar
  6. 6.
    Breaux TD, Antón AI (2008) Analyzing regulatory rules for privacy and security requirements. IEEE Trans Softw Eng 34(1):5–20CrossRefGoogle Scholar
  7. 7.
    Robinson W (2005) Implementing rule-based monitors within a framework for continuous requirements monitoring. In: Proceedings of the 38th Hawaii international conference on system sciences, pp 188–197Google Scholar
  8. 8.
    Otoya S, Cerpa N (1999) An experience: a small software company attempting to improve its process. In: Proceedings of the software technology and engineering practice, pp 153–160Google Scholar
  9. 9.
    Beaver K, Herold R (2004) The practical guide to HIPAA privacy and security compliance. Auerbach, PhiladelphiaGoogle Scholar
  10. 10.
    Garner BA (ed) (2004) Black’s law dictionary, 8th edn. Thompson WestGoogle Scholar
  11. 11.
    Breaux TD, Antón AI, Karat C-M, Karat J (2006) Enforceability vs. accountability in electronic policies. In: Proceedings of the seventh IEEE international workshop on policies for distributed systems and networks, pp 227–230Google Scholar
  12. 12.
    Breaux TD, Vail MW, Antón AI (2006) Towards regulatory compliance: extracting rights and obligations to align requirements with regulations. In: RE’06: Proceedings of the 14th IEEE international requirements engineering conference, pp 49–58Google Scholar
  13. 13.
    Barth A, Datta A, Mitchell JC, Nissenbaum H (2006) Privacy and contextual integrity: framework and applications. In: Proceedings of the 2006 IEEE symposium on security and privacy, pp 184–198Google Scholar
  14. 14.
    May MJ, Gunter CA, Lee I (2006) Privacy APIs: access control techniques to analyze and verify legal privacy policies. In: 19th IEEE computer security foundations workshop (CSFW’06), pp 85–97Google Scholar
  15. 15.
    Massacci F, Prest M, Zannone N (2005) Using a security requirements engineering methodology in practice: the compliance with the Italian data protection legislation. Comput Stand Interfaces 27(5):445–455CrossRefGoogle Scholar
  16. 16.
    Antón AI, Carter R, Dagnino A, Dempster J, Siege D (2001) Deriving goals from a use-case based requirements specification. Requirements Eng 6(1):63–73MATHCrossRefGoogle Scholar
  17. 17.
    Glinz M (2000) Problems and deficiencies of uml as a requirements specification language. In: Tenth international workshop on software specification and design, pp 11–22Google Scholar
  18. 18.
    Alspaugh TA, Antón AI (2008) Scenario support for effective requirements. Inf Softw Technol 50(3):198–220CrossRefGoogle Scholar
  19. 19.
    Ben Achour C, Rolland C, Maiden NAM, Souveyet C (1999) Guiding use case authoring: results of an empirical study. In: Proceedings of the IEEE international symposium on requirements engineering, pp 36–43Google Scholar
  20. 20.
    Berenbach BA (2004) Comparison of uml and text based requirements engineering. In: OOPSLA ’04: companion to the 19th annual ACM SIGPLAN conference on object-oriented programming systems, languages, and applications, ACM, pp 247–252Google Scholar
  21. 21.
    Maiden NAM (1998) CREWS-SAVRE: scenarios for acquiring and validating requirements. Autom Softw Eng 5(4):419–446CrossRefGoogle Scholar
  22. 22.
    Potts C, Takahashi K, Antón A (1994) Inquiry-based requirements analysis. IEEE Softw 11:21–32CrossRefGoogle Scholar
  23. 23.
    Sutcliffe A (2003) Scenario-based requirements engineering. In: Proceedings of the 11th IEEE international requirements engineering conference, pp 320–329Google Scholar
  24. 24.
    Antón AI, Earp JB, Carter RA (2003) Precluding incongruous behavior by aligning software requirements with security and privacy policies. Inf Softw Technol 45(14):967–977CrossRefGoogle Scholar
  25. 25.
    Breaux TD (2009) Legal requirements acquisition for the specification of legally compliant information systems. PhD thesis, North Carolina State UniversityGoogle Scholar
  26. 26.
    Breaux TD, Antón AI (2005) Mining rule semantics to understand legislative compliance. In: WPES ’05: proceedings of the 2005 ACM workshop on privacy in the electronic society, pp 51–54Google Scholar
  27. 27.
    Williams L, Xie T, Meneely A, Hayward L (2008a) iTrust medical care requirements specification.
  28. 28.
    Williams L, Xie T, Meneely A, Hayward L, Massey A (2008b) iTrust medical care requirements specification.
  29. 29.
    Allenby K, Kelly T (2001) Deriving safety requirements using scenarios. In: Proceedings of the fifth IEEE international symposium on requirements engineering, pp 228–235Google Scholar
  30. 30.
    Antón AI (1996) Goal-based requirements analysis. In: Proceedings of the second international conference on requirements engineering, pp 136–144, 15–18Google Scholar
  31. 31.
    Antón AI, Potts C (1998) The use of goals to surface requirements for evolving systems. In: Proceedings of the 1998 international conference on software engineering, pp 157–166, 19–25Google Scholar
  32. 32.
    van Lamsweerde A. (2001) Goal-oriented requirements engineering: a guided tour. In: Proceedings of the fifth IEEE international symposium on requirements engineering, pp 249–262Google Scholar
  33. 33.
    Weidenhaupt K, Pohl K, Jarke M, Haumer P (1998) Scenarios in system development: current practice. IEEE Softw 15:34–45CrossRefGoogle Scholar
  34. 34.
    Whittle J, Schumann J (2000) Generating Statechart designs from scenarios. In: Proceedings of the 2000 international conference on software engineering, pp 314–323Google Scholar

Copyright information

© Springer-Verlag London Limited 2009

Authors and Affiliations

  • Aaron K. Massey
    • 1
  • Paul N. Otto
    • 1
    • 2
  • Lauren J. Hayward
    • 1
  • Annie I. Antón
    • 1
  1. 1.Department of Computer ScienceNorth Carolina State UniversityRaleighUSA
  2. 2.School of LawDuke UniversityDurhamUSA

Personalised recommendations