Identifying vulnerabilities and critical requirements using criminal court proceedings

Authors:
Travis D. Breaux;Jonathan D. Lewis;Paul N. Otto;Annie I. Antón
Affiliations:
North Carolina State University;North Carolina State University;North Carolina State University and Duke University;North Carolina State University
Venue:
Proceedings of the 2009 ACM symposium on Applied Computing
Year:
2009

Citing 9
Cited 0

Goal-directed requirements acquisition

6IWSSD Selected Papers of the Sixth International Workshop on Software Specification and Design
Initial Industrial Experience of Misuse Cases in Trade-Off Analysis

RE '02 Proceedings of the 10th Anniversary IEEE Joint International Conference on Requirements Engineering
Using Abuse Case Models for Security Requirements Analysis

ACSAC '99 Proceedings of the 15th Annual Computer Security Applications Conference
A Hierarchical Use Case Model with Graphical Representation

ECBS '96 Proceedings of the IEEE Symposium and Workshop on Engineering of Computer Based Systems
Elaborating Security Requirements by Construction of Intentional Anti-Models

Proceedings of the 26th International Conference on Software Engineering
Risk Analysis in Software Design

IEEE Security and Privacy
Eliciting security requirements with misuse cases

Requirements Engineering
Towards Regulatory Compliance: Extracting Rights and Obligations to Align Requirements with Regulations

RE '06 Proceedings of the 14th IEEE International Requirements Engineering Conference
Analyzing Regulatory Rules for Privacy and Security Requirements

IEEE Transactions on Software Engineering

Quantified Score

Hi-index	0.00

Visualization

Abstract

Information systems governed by laws and regulations are subject to civil and criminal violations. In the United States, these violations are documented in court records, such as complaints, indictments, plea agreements, and verdicts, which thus constitute a source of real-world software vulnerabilities. This paper reports on an exploratory case study to identify legal vulnerabilities and provides guidance to practitioners in the analysis of court documents. As legal violations occur after system deployment, court records reveal vulnerabilities that were likely overlooked during software development. We evaluate established requirements engineering techniques, including sequence and misuse case diagrams and goal models, as applied to criminal court records to identify mitigating requirements that improve privacy protections. These techniques, when properly applied, can help organizations focus their risk-management efforts on emerging legal vulnerabilities. We illustrate our analysis using criminal indictments involving the U.S. Health Insurance Portability and Accountability Act (HIPAA).