Towards an Ontology for Privacy Requirements via a Systematic Literature Review

  • Mohamad GharibEmail author
  • Paolo Giorgini
  • John Mylopoulos
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10650)


Privacy has been frequently identified as a main concern for systems that deal with personal information. However, much of existing work on privacy requirements deals with them as a special case of security requirements, thereby overlooking key aspects of privacy. In this paper, we address this problem by proposing an ontology for privacy requirements. The ontology is mined from the literature through a systematic literature review whose main purpose is to identify key concepts/relationships for capturing privacy requirements. In addition, identified concepts/relations are further analyzed to identify redundancies and semantic overlaps.


Privacy ontology Privacy requirements Privacy by Design (PbD) Requirements engineering 


  1. 1.
    Gharib, M., Salnitri, M., Paja, E., Giorgini, P., Mouratidis, H., Pavlidis, M., Ruiz, J.F., Fernandez, S., Della Siria, A.: Privacy requirements: findings and lessons learned in developing a privacy platform. In: The 24th International Requirements Engineering Conference (RE), pp. 256–265. IEEE (2016)Google Scholar
  2. 2.
    Hong, J.I., Ng, J.D., Lederer, S., Landay, J.A.: Privacy risk models for designing privacy-sensitive ubiquitous computing systems. In: Proceedings of the 5th Conference on Designing Interactive Systems: Processes, Practices, Methods, and Techniques, pp. 91–100. ACM (2004)Google Scholar
  3. 3.
    Labda, W., Mehandjiev, N., Sampaio, P.: Modeling of privacy-aware business processes in BPMN to protect personal data. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, pp. 1399–1405. ACM (2014)Google Scholar
  4. 4.
    Kalloniatis, C., Kavakli, E., Gritzalis, S.: Addressing privacy requirements in system design: the PriS method. Requirements Eng. 13(3), 241–255 (2008)CrossRefGoogle Scholar
  5. 5.
    Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. J. Softw. Eng. Knowl. Eng. 17(2), 285–309 (2007)CrossRefGoogle Scholar
  6. 6.
    Zannone, N.: A requirements engineering methodology for trust, security, and privacy. Ph.D. thesis, University of Trento (2006)Google Scholar
  7. 7.
    Solove, D.J.: A taxonomy of privacy. Univ. Pa. Law Rev. 154, 477–564 (2006)CrossRefGoogle Scholar
  8. 8.
    Souag, A., Salinesi, C., Mazo, R., Comyn-Wattiau, I.: A security ontology for security requirements elicitation. In: Piessens, F., Caballero, J., Bielova, N. (eds.) ESSoS 2015. LNCS, vol. 8978, pp. 157–177. Springer, Cham (2015). doi: 10.1007/978-3-319-15618-7_13CrossRefGoogle Scholar
  9. 9.
    Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: 11th International RE Conference, pp. 151–161. IEEE (2003)Google Scholar
  10. 10.
    Kitchenham, B.: Procedures for performing systematic reviews. UK Keele Univ. 33, 1–26 (2004)Google Scholar
  11. 11.
    Kitchenham, B., Charters, S.: Guidelines for performing systematic literature reviews in software engineering. Technical report, Keele University (2007)Google Scholar
  12. 12.
    Gharib, M., Giorgini, P., Mylopoulos, J.: Ontologies for privacy requirements engineering: a systematic literature review. arXiv preprint arXiv:1611.10097 (2016)
  13. 13.
    Van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: Proceedings of the 26th International Conference on Software Engineering, pp. 148–157. IEEE Computer Society (2004)Google Scholar
  14. 14.
    Braghin, S., Coen-Porisini, A., Colombo, P., Sicari, S., Trombetta, A.: Introducing privacy in a hospital information system. In: Proceedings of the Fourth International Workshop on Software Engineering for Secure Systems, pp. 9–16. ACM (2008)Google Scholar
  15. 15.
    Singhal, A., Wijesekera, D.: Ontologies for modeling enterprise level security metrics. In: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, p. 58. ACM (2010)Google Scholar
  16. 16.
    Wang, J.A., Guo, M.: OVM: an ontology for vulnerability management. In: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research, p. 34. ACM (2009)Google Scholar
  17. 17.
    Velasco, J.L., Valencia-García, R., Fernández-Breis, J.T., Toval, A., et al.: Modelling reusable security requirements based on an ontology framework. J. Res. Pract. Inf. Technol. 41(2), 119 (2009)Google Scholar
  18. 18.
    Souag, A., Salinesi, C., Wattiau, I., Mouratidis, H.: Using security and domain ontologies for security requirements analysis. In: Computer Software and Applications Conference Workshops (COMPSACW), pp. 101–107. IEEE (2013)Google Scholar
  19. 19.
    Tsoumas, B., Gritzalis, D.: Towards an ontology-based security management. In: 20th International Conference on Advanced Information Networking and Applications (AINA), vol. 1, pp. 985–992. IEEE (2006)Google Scholar
  20. 20.
    Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling security requirements through ownership, permission and delegation. In: 13th International Conference on Requirements Engineering, pp. 167–176. IEEE (2005)Google Scholar
  21. 21.
    Kang, W., Liang, Y.: A security ontology with MDA for software development. In: 2013 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), pp. 67–74. IEEE (2013)Google Scholar
  22. 22.
    Massacci, F., Mylopoulos, J., Paci, F., Tun, T.T., Yu, Y.: An extended ontology for security requirements. In: Salinesi, C., Pastor, O. (eds.) CAiSE 2011. LNBIP, vol. 83, pp. 622–636. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22056-2_64CrossRefGoogle Scholar
  23. 23.
    Elahi, G., Yu, E., Zannone, N.: A modeling ontology for integrating vulnerabilities into security requirements conceptual foundations. In: Laender, A.H.F., Castano, S., Dayal, U., Casati, F., de Oliveira, J.P.M. (eds.) ER 2009. LNCS, vol. 5829, pp. 99–114. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-04840-1_10CrossRefGoogle Scholar
  24. 24.
    Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Eng. 10(1), 34–44 (2005)CrossRefGoogle Scholar
  25. 25.
    Fenz, S., Ekelhart, A.: Formalizing information security knowledge. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pp. 183–194. ACM (2009)Google Scholar
  26. 26.
    Asnar, Y., Moretti, R., Sebastianis, M., Zannone, N.: Risk as dependability metrics for the evaluation of business solutions: a model-driven approach. In: Third Conference on Availability, Reliability and Security, ARES 2008, pp. 1240–1247. IEEE (2008)Google Scholar
  27. 27.
    den Braber, F., Dimitrakos, T., Gran, B.A., Lund, M.S., Stølen, K., Aagedal, J.: The CORAS methodology: model-based risk assessment using UML and up. UML Unified Process 332–357 (2003)Google Scholar
  28. 28.
    Elahi, G., Yu, E., Zannone, N.: A vulnerability-centric requirements engineering framework: analyzing security attacks, countermeasures, and requirements based on vulnerabilities. Requirements Eng. 15(1), 41–62 (2010)CrossRefGoogle Scholar
  29. 29.
    Jürjens, J.: UMLsec: extending UML for secure systems development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002). doi: 10.1007/3-540-45800-X_32CrossRefzbMATHGoogle Scholar
  30. 30.
    Matulevičius, R., Mayer, N., Mouratidis, H., Dubois, E., Heymans, P., Genon, N.: Adapting secure tropos for security risk management in the early phases of information systems development. In: Bellahsène, Z., Léonard, M. (eds.) CAiSE 2008. LNCS, vol. 5074, pp. 541–555. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-69534-9_40CrossRefGoogle Scholar
  31. 31.
    Røstad, L.: An extended misuse case notation: including vulnerabilities and the insider threat. In: International Working Conference on Requirements Engineering: Foundation for Software Quality, pp. 33–34. Springer (2006). doi: Scholar
  32. 32.
    Mayer, N.: Model-based management of information system security risk. Ph.D. thesis, University of Namur (2009)Google Scholar
  33. 33.
    Dritsas, S., Gymnopoulos, L., Karyda, M., Balopoulos, T., Kokolakis, S., Lambrinoudakis, C., Katsikas, S.: A knowledge-based approach to security requirements for e-health applications. J. E-Commer. Tools Appl. 2, 1–24 (2006)Google Scholar
  34. 34.
    Lin, L., Nuseibeh, B., Ince, D., Jackson, M., Moffett, J.: Introducing abuse frames for analysing security requirements. In: 11th Requirements Engineering International Conference, pp. 371–372. IEEE (2003)Google Scholar
  35. 35.
    Avizienis, A., Laprie, J.C., Randell, B., Landwehr, C.: Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. Dependable Secure Comput. 1(1), 11–33 (2004)CrossRefGoogle Scholar
  36. 36.
    Asnar, Y., Giorgini, P., Massacci, F., Zannone, N.: From trust to dependability through risk analysis. In: The Second International Conference on Availability, Reliability and Security, ARES 2007, pp. 19–26. IEEE (2007)Google Scholar
  37. 37.
    Asnar, Y., Giorgini, P., Mylopoulos, J.: Risk modelling and reasoning in goal models, DIT-06-008. Technical report, Universitá degli studi di Trento (2006)Google Scholar
  38. 38.
    Paja, E., Dalpiaz, F., Giorgini, P.: STS-tool: security requirements engineering for socio-technical systems. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds.) Engineering Secure Future Internet Services and Systems. LNCS, vol. 8431, pp. 65–96. Springer, Cham (2014). doi: 10.1007/978-3-319-07452-8_3CrossRefGoogle Scholar
  39. 39.
    Van Blarkom, G., Borking, J., Olk, J.: Handbook of privacy and privacy-enhancing technologies. Privacy Incorporated Software Agent Consortium, The Hague (2003)Google Scholar
  40. 40.
    Gharib, M., Giorgini, P.: Analyzing trust requirements in socio-technical systems: a belief-based approach. In: Ralyté, J., España, S., Pastor, Ó. (eds.) PoEM 2015. LNBIP, vol. 235, pp. 254–270. Springer, Cham (2015). doi: 10.1007/978-3-319-25897-3_17CrossRefGoogle Scholar
  41. 41.
    Runeson, P., Höst, M.: Guidelines for conducting and reporting case study research in software engineering. Empir. Softw. Eng. 14(2), 131–164 (2009)CrossRefGoogle Scholar
  42. 42.
    Souag, A., Salinesi, C., Comyn-Wattiau, I.: Ontologies for security requirements: a literature survey and classification. In: Bajec, M., Eder, J. (eds.) CAiSE 2012. LNBIP, vol. 112, pp. 61–69. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-31069-0_5CrossRefGoogle Scholar
  43. 43.
    Blanco, C., Lasheras, J., Valencia-García, R., Fernández-Medina, E., Toval, A., Piattini, M.: A systematic review and comparison of security ontologies. In: 3rd Conference on Availability, Reliability and Security, pp. 813–820. IEEE (2008)Google Scholar
  44. 44.
    Fabian, B., Gürses, S., Heisel, M., Santen, T., Schmidt, H.: A comparison of security requirements engineering methods. Requirements Eng. 15(1), 7–40 (2010)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Mohamad Gharib
    • 1
    Email author
  • Paolo Giorgini
    • 2
  • John Mylopoulos
    • 2
  1. 1.DiMaIUniversity of FlorenceFlorenceItaly
  2. 2.DISIUniversity of TrentoPovo, TrentoItaly

Personalised recommendations