How to integrate legal requirements into a requirements engineering methodology for the development of security and privacy patterns

Authors:
Luca Compagna;Paul El Khoury;Alžbeta Krausová;Fabio Massacci;Nicola Zannone
Affiliations:
SAP Research, Nice, France;SAP Research, Nice, France and University of Lyon I, LIRIS, CNRS, Lyon, France;ICRI, K.U. Leuven, IBBT, Leuven, Belgium;University of Trento, Trento, Italy;University of Toronto, Toronto, ON, Canada
Venue:
Artificial Intelligence and Law
Year:
2009

Citing 25
Cited 7

Logic programming for large scale applications in law: A formalisation of supplementary benefit legislation

ICAIL '87 Proceedings of the 1st international conference on Artificial intelligence and law
Deontic logic in computer science: normative system specification

Deontic logic in computer science: normative system specification
Design patterns: elements of reusable object-oriented software

Design patterns: elements of reusable object-oriented software
Why cryptosystems fail

Communications of the ACM
Access Control: Policies, Models, and Mechanisms

FOSAD '00 Revised versions of lectures given during the IFIP WG 1.7 International School on Foundations of Security Analysis and Design on Foundations of Security Analysis and Design: Tutorial Lectures
Security Engineering with Patterns: Origins, Theoretical Models, and New Applications

Security Engineering with Patterns: Origins, Theoretical Models, and New Applications
A model of legal reasoning with cases incorporating theories and values

Artificial Intelligence - Special issue on AI and law
Security Patterns: A Method for Constructing Secure and Efficient Inter-Company Coordination Systems

EDOC '04 Proceedings of the Enterprise Distributed Object Computing Conference, Eighth IEEE International
Information systems outsourcing: a survey and analysis of the literature

ACM SIGMIS Database
Model driven security: From UML models to access control infrastructures

ACM Transactions on Software Engineering and Methodology (TOSEM)
The DLV system for knowledge representation and reasoning

ACM Transactions on Computational Logic (TOCL)
Data Protection and Compliance in Context

Data Protection and Compliance in Context
Securing analysis patterns

ACM-SE 45 Proceedings of the 45th annual southeast regional conference
How to capture, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach

Proceedings of the 11th international conference on Artificial intelligence and law
An implementation of norm-based agent negotiation

Proceedings of the 11th international conference on Artificial intelligence and law
Model based development of access policies

International Journal on Software Tools for Technology Transfer (STTT)
Analyzing Regulatory Rules for Privacy and Security Requirements

IEEE Transactions on Software Engineering
Annotating Regulations Using Cerno: An Application to Italian Documents - Extended Abstract

ARES '08 Proceedings of the 2008 Third International Conference on Availability, Reliability and Security
Risk as Dependability Metrics for the Evaluation of Business Solutions: A Model-driven Approach

ARES '08 Proceedings of the 2008 Third International Conference on Availability, Reliability and Security
Security Patterns for Capturing Encryption-Based Access Control to Sensor Data

SECURWARE '08 Proceedings of the 2008 Second International Conference on Emerging Security Information, Systems and Technologies
Towards the development of privacy-aware systems

Information and Software Technology
Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation

Computer Standards & Interfaces
Security patterns for physical access control systems

Proceedings of the 21st annual IFIP WG 11.3 working conference on Data and applications security
Security and trust requirements engineering

Foundations of Security Analysis and Design III
Security patterns meet agent oriented software engineering: a complementary solution for developing secure information systems

ER'05 Proceedings of the 24th international conference on Conceptual Modeling

How to capture and use legal patterns in IT

Proceedings of the 12th International Conference on Artificial Intelligence and Law
A systematic review of security requirements engineering

Computer Standards & Interfaces
Security requirements engineering framework for software product lines

Information and Software Technology
A method for security governance, risk, and compliance (GRC): a goal-process approach

Foundations of security analysis and design VI
Evaluation of the Pattern-based method for Secure Development (PbSD): A controlled experiment

Information and Software Technology
Product decomposition using design structure matrix for intellectual property protection in supply chain outsourcing

Computers in Industry
Organizational Patterns for Security and Dependability: From Design to Application

International Journal of Secure Software Engineering

Quantified Score

Hi-index	0.00

Visualization

Abstract

Laws set requirements that force organizations to assess the security and privacy of their IT systems and impose them to implement minimal precautionary security measures. Several IT solutions (e.g., Privacy Enhancing Technologies, Access Control Infrastructure, etc.) have been proposed to address security and privacy issues. However, understanding why, and when such solutions have to be adopted is often unanswered because the answer comes only from a broader perspective, accounting for legal and organizational issues. Security engineers and legal experts should analyze the business goals of a company and its organizational structure and derive from there the points where security and privacy problems may arise and which solutions best fit such (legal) problems. The paper investigates the methodological support for capturing security and privacy requirement of a concrete health care provider.