Regulatory Requirements Traceability and Analysis Using Semi-formal Specifications

  • Travis D. Breaux
  • David G. Gordon
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7830)


Information systems are increasingly distributed and pervasive, enabling organizations to deliver remote services and share personal information, worldwide. However, developers face significant challenges in managing the many laws that govern their systems in this multi-jurisdictional environment. In this paper, we report on a computational requirements document expressible using a legal requirements specification language (LRSL). The purpose is to make legal requirements open and available to policy makers, business analysts and software developers, alike. We show how requirements engineers can codify policy and law using the LRSL and design, debug, analyze, trace, and visualize relationships among regulatory requirements. The LRSL provides new constructs for expressing distributed constraints, making regulatory specification patterns visually salient, and enabling metrics to quantitatively measure different styles for writing legal and policy documents. We discovered and validated the LRSL using thirteen U.S. state data breach notification laws.


requirements specification traceability domain specific languages legal requirements 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Allen, L.E., Saxon, C.S.: Better language, better thought, better communication: the a-hohfeld language for legal analysis. In: 5th Int’l Conf. AI & Law, pp. 219–228 (1995)Google Scholar
  2. 2.
    Biagioli, C., Mariani, P., Tiscornia, D.: ESPLEX: A rule and conceptual model for representing statutes. In: Proc. 1st Int’l Conf. AI & Law, pp. 240–251 (1987)Google Scholar
  3. 3.
    Bourcier, D., Mazzega, P.: Toward measures of complexity in legal systems. In: Int’l Conf. AI & Law, pp. 211–215 (2007)Google Scholar
  4. 4.
    Breaux, T.D., Antón, A.I.: Analyzing Regulatory Rules for Privacy and Security Requirements. IEEE Transactions on Software Engineering 34(1), 5–20 (2008)CrossRefGoogle Scholar
  5. 5.
    Breaux, T.D., Antón, A.I., Doyle, J.: Semantic parameterization: a process for modeling domain descriptions. ACM Trans. Soft. Engr. Method. 18(2), 5 (2008)CrossRefGoogle Scholar
  6. 6.
    Breaux, T.D., Vail, M.W., Antón, A.I.: Towards compliance: extracting rights and obligations to align requirements with regulations. In: 14th IEEE Int’l Req’ts Engr. Conf., pp. 49–58 (2006)Google Scholar
  7. 7.
    Breaux, T.D.: Exercising due diligence in legal requirements acquisition: a tool-supported, frame-based approach. In: IEEE 17th Int’l Req’ts Engr. Conf., pp. 225–230 (2009)Google Scholar
  8. 8.
    Breaux, T.D.: Legal requirements acquisition for the specification of legally compliance informaiton systems, North Carolina State Univ. Ph.D. thesis (2009)Google Scholar
  9. 9.
    Bench-Capon, T.J.M.: Deep models, normative reasoning and legal expert systems. In: Proc. 2nd International Conference on Artificial Intelligence and Law, Vancouver, British Columbia, Canada, pp. 37–45 (1989)Google Scholar
  10. 10.
    Corbin, J., Strauss, A.: Basics of Qualitative Research, 3rd edn. Sage Pubs (2008)Google Scholar
  11. 11.
    Dardenne, A., Fickas, S., van Lamsweerde, A.: Goal–directed requirements acquisition. Sci. Comp. Prog. 20, 3–50 (1993)zbMATHCrossRefGoogle Scholar
  12. 12.
    Dulac, N., Viguier, T., Leveson, N., Storey, M.-A.: On the use of visualization in formal requirements specification. In: IEEE Joint Int’l Conf. Req’ts Engr., pp. 71–80 (2002)Google Scholar
  13. 13.
    Fraser, M.D., Kumar, K., Vaishnavi, V.K.: Informal and formal requirements specification languages: bridging the gap. IEEE Trans. Soft. Engr. 17(5), 454–466 (1991)CrossRefGoogle Scholar
  14. 14.
    Fuxman, A., Liu, L., Mylopoulos, J., Pistore, M., Roveri, M., Traverso, P.: Specifying and analyzing early requirements in Tropos. Req’ts Engr. Journal 9(2), 132–150 (2004)CrossRefGoogle Scholar
  15. 15.
    Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling security requirements through ownership, permissions and delegation. In: IEEE 13th Int’l Req’ts Engr. Conf., pp. 167–176 (2005)Google Scholar
  16. 16.
    Greenspan, S., Mylopoulos, J., Borgida, A.: On Formal Requirements Modeling Languages: RML Revisited. In: 6th IEEE Int’l Soft. Engr. Conf., pp. 1–13 (1994)Google Scholar
  17. 17.
    Glinz, M., Berner, S., Joos, S.: Object-oriented modeling with ADORA. Info. Sys. 27, 425–444 (2002)zbMATHCrossRefGoogle Scholar
  18. 18.
    Hohfeld, W.N.: Some fundamental legal conceptions as applied in judicial reasoning. The Yale Law Journal 23(1), 16–59 (1913)CrossRefGoogle Scholar
  19. 19.
    Lauritsen, M., Gordon, T.F.: Toward a general theory of document modeling. In: Int’l Conf. AI & Law, pp. 202–211 (2009)Google Scholar
  20. 20.
    Levene, A.A., Mullery, G.P.: An investigation of requirement specification languages: theory and practice. IEEE Computer 15(5), 50–59 (1982)CrossRefGoogle Scholar
  21. 21.
    Massey, A.K., Anton, A.I.: Triage for legal requirements. NCSU Technical Report #TR-2010-22 (October 11, 2010)Google Scholar
  22. 22.
    Maxwell, J., Anton, A.I.: Developing production rule models to aid in acquiring requirements from legal texts. In: IEEE 17th Int’l Req’ts Engr. Conf., pp. 101–110 (2009)Google Scholar
  23. 23.
    Maxwell, J., Anton, A.I., Swire, P.: A legal cross-references taxonomy for identifying conflicting software requirements. In: IEEE 19th Int’l Req’ts Engr. Conf., pp. 197–206 (2011)Google Scholar
  24. 24.
    Martinek, J., Cybulka, J.: Dynamics of legal provisions and its representation. In: Int’l Conf. AI & Law, pp. 20–24 (2005)Google Scholar
  25. 25.
    Mernik, M., Heering, J., Sloane, A.M.: When and how to develop domain-specific languages. ACM Computing Surveys 37(4), 316–344 (2005)CrossRefGoogle Scholar
  26. 26.
    Mylopoulos, J., Borgida, A., Jarke, M., Koubarakis, M.: Telos: representing knowledge about information systems. ACM Trans. on Info. Sys. 8(4), 325–362 (1990)CrossRefGoogle Scholar
  27. 27.
    Romanosky, S., Telang, R., Acquisti, A.: Do data breach disclosure laws reduce identity theft? In: W’shp Econ. of Info. Sec. (WEIS), June 25-28 (2008)Google Scholar
  28. 28.
    Rubinstein, I.: Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes. I/S: A Journal of Law and Policy for the Information Society (April 2011) (in press)Google Scholar
  29. 29.
    Sergot, M.J., Sadri, F., Kowalski, R.A., Kriwaczek, F., Hammond, P., Cory, H.T.: The British Nationality Act as a logic program. Communications of the ACM 29(5), 370–386 (1986)CrossRefGoogle Scholar
  30. 30.
    Sergot, M.: A computational theory of normative positions. ACM Transactions of Computational Logic 2(4), 581–622 (2001)MathSciNetCrossRefGoogle Scholar
  31. 31.
    Siena, A., Jureta, I., Ingolfo, S., Susi, A., Perini, A., Mylopoulos, J.: Capturing variability of law with Nomós 2. In: 31st Int’l Conf. Conc. Mod., pp. 383–396 (2012)Google Scholar
  32. 32.
    Stamper, R.K.: LEGOL: Modelling legal rules by computer. In: Proc. Advanced Workshop on Computer Science and Law, pp. 45–71 (September 1979)Google Scholar
  33. 33.
    Wasson, K.S.: A case study in systematic improvement of language for requirements. In: Proc. IEEE 14th Int’l Req’ts Engr. Conf., pp. 6–15 (2006)Google Scholar
  34. 34.
    Winkels, R., Boer, A., de Maat, E., van Engers, T., Breebaart, M., Melger, H.: Constructing a semantic network for legal content. In: Int’l Conf. AI & Law, pp. 125–132 (2005)Google Scholar
  35. 35.
    Yin, R.K.: Case study research, 4th edn. Applied Social Research Methods Series, vol. 5. Sage Publications (2008)Google Scholar
  36. 36.
    Yu, E.: Modeling organizations for information systems requirements engineering. In: Int’l Symp. Req’ts Engr., pp. 34–41 (1993)Google Scholar
  37. 37.
    Zave, P., Jackson, M.: Four dark corners of requirements engineering. ACM Trans. Soft. Engr. & Method. 6(1), 1–30 (1997)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Travis D. Breaux
    • 1
  • David G. Gordon
    • 2
  1. 1.Institute for Software ResearchCarnegie Mellon UniversityPittsburghUSA
  2. 2.Engineering and Public PolicyCarnegie Mellon UniversityPittsburghUSA

Personalised recommendations