Goal-directed requirements acquisition
6IWSSD Selected Papers of the Sixth International Workshop on Software Specification and Design
Initial Industrial Experience of Misuse Cases in Trade-Off Analysis
RE '02 Proceedings of the 10th Anniversary IEEE Joint International Conference on Requirements Engineering
Using Abuse Case Models for Security Requirements Analysis
ACSAC '99 Proceedings of the 15th Annual Computer Security Applications Conference
A Hierarchical Use Case Model with Graphical Representation
ECBS '96 Proceedings of the IEEE Symposium and Workshop on Engineering of Computer Based Systems
Elaborating Security Requirements by Construction of Intentional Anti-Models
Proceedings of the 26th International Conference on Software Engineering
Risk Analysis in Software Design
IEEE Security and Privacy
Eliciting security requirements with misuse cases
Requirements Engineering
RE '06 Proceedings of the 14th IEEE International Requirements Engineering Conference
Analyzing Regulatory Rules for Privacy and Security Requirements
IEEE Transactions on Software Engineering
Hi-index | 0.00 |
Information systems governed by laws and regulations are subject to civil and criminal violations. In the United States, these violations are documented in court records, such as complaints, indictments, plea agreements, and verdicts, which thus constitute a source of real-world software vulnerabilities. This paper reports on an exploratory case study to identify legal vulnerabilities and provides guidance to practitioners in the analysis of court documents. As legal violations occur after system deployment, court records reveal vulnerabilities that were likely overlooked during software development. We evaluate established requirements engineering techniques, including sequence and misuse case diagrams and goal models, as applied to criminal court records to identify mitigating requirements that improve privacy protections. These techniques, when properly applied, can help organizations focus their risk-management efforts on emerging legal vulnerabilities. We illustrate our analysis using criminal indictments involving the U.S. Health Insurance Portability and Accountability Act (HIPAA).