A requirements taxonomy for reducing Web site privacy vulnerabilities

Authors:
I. Antón;B. Earp
Affiliations:
North Carolina State University, College of Engineering, 27695-8207, Raleigh, NC , USA;North Carolina State University, College of Management, 27695, Raleigh, NC , USA
Venue:
Requirements Engineering
Year:
2004

Citing 0
Cited 12

Mining rule semantics to understand legislative compliance

Proceedings of the 2005 ACM workshop on Privacy in the electronic society
HIPAA's Effect on Web Site Privacy Policies

IEEE Security and Privacy
Security Attack Testing (SAT)-testing the security of information systems at design time

Information Systems
The ChoicePoint Dilemma: How Data Brokers Should Handle the Privacy of Personal Information

IEEE Security and Privacy
End-user privacy in human-computer interaction

Foundations and Trends in Human-Computer Interaction
Secure information systems engineering: a manifesto

International Journal of Electronic Security and Digital Forensics
Semantic parameterization: A process for modeling domain descriptions

ACM Transactions on Software Engineering and Methodology (TOSEM)
Towards the development of privacy-aware systems

Information and Software Technology
A Requirements-based Comparison of Privacy Taxonomies

RELAW '08 Proceedings of the 2008 Requirements Engineering and Law
Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation

Computer Standards & Interfaces
Security and trust requirements engineering

Foundations of Security Analysis and Design III
Secure by Design: Developing Secure Software Systems from the Ground Up

International Journal of Secure Software Engineering

Quantified Score

Hi-index	0.00

Visualization

Abstract

The increasing use of personal information on Web-based applications can result in unexpected disclosures. Consumers often have only the stated Web site policies as a guide to how their information is used, and thus on which to base their browsing and transaction decisions. However, each policy is different, and it is difficult—if not impossible—for the average user to compare and comprehend these policies. This paper presents a taxonomy of privacy requirements for Web sites. Using goal-mining, the extraction of pre-requirements goals from post-requirements text artefacts, we analysed an initial set of Internet privacy policies to develop the taxonomy. This taxonomy was then validated during a second goal extraction exercise, involving privacy policies from a range of health care related Web sites. This validation effort enabled further refinement to the taxonomy, culminating in two classes of privacy requirements: protection goals and vulnerabilities. Protection goals express the desired protection of consumer privacy rights, whereas vulnerabilities describe requirements that potentially threaten consumer privacy. The identified taxonomy categories are useful for analysing implicit internal conflicts within privacy policies, the corresponding Web sites, and their manner of operation. These categories can be used by Web site designers to reduce Web site privacy vulnerabilities and ensure that their stated and actual policies are consistent with each other. The same categories can be used by customers to evaluate and understand policies and their limitations. Additionally, the policies have potential use by third-party evaluators of site policies and conflicts.