[en] Data protection regulations impose requirements on organizations that require interdisciplinary. Conceptual modeling of information systems, particularly goal modeling, has served to communicate with stakeholders of different backgrounds for software requirements analysis. An extension for a Socio-Technical Security (STS) modeling language was proposed to include data protection modeling concepts to help represent relevant issues of the European Union’s General Data Protection Regulation. This article examines whether models designed with this extension serve as communication facilitators for privacy compliance and common ground across stakeholders. Through a series of 8 focus groups, with 21 subjects, we observed if professionals with different backgrounds (software developers, business analysts, and privacy experts) could detect discuss about the GDPR principles and identify privacy compliance “red flags” that we seeded in a use case. Using a qualitative approach to analyze the data, all the groups discussed the majority of the GDPR principles and identified more than 80% of the seeded red flags, with privacy experts identifying the most. This research provides preliminary results on using conceptual modeling as a communicator facilitator between stakeholders to contribute to a common ground between them.
Disciplines :
Computer science
Author, co-author :
NEGRI RIBALTA, Claudia Sofia ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > IRiSC
Noel, Rene; Escuela de Ingenieria Civil Informatica, Universidad de Valparaiso, Valparaiso, Chile
Pastor, Oscar; VRAIN, Universidad Politécnica de Valencia, Valencia, Spain
Salinesi, Camille; CRI, Université Paris 1 Panthéon-Sorbonne, Paris, France
External co-authors :
yes
Language :
English
Title :
An Empirical Study on Socio-technical Modeling for Interdisciplinary Privacy Requirements
Publication date :
2024
Event name :
International Conference on Cooperative Information Systems
Event place :
Groningen, Nld
Event date :
From 30-10-2023 to 03-11-2023
Audience :
International
Main work title :
Cooperative Information Systems - 29th International Conference, CoopIS 2023, Proceedings
Editor :
Sellami, Mohamed
Gaaloul, Walid
Publisher :
Springer Science and Business Media Deutschland GmbH
This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 956562. Part of first (and corre-sponding) author work was done at Paris 1 as part of her PhD. thesis.
Agostinelli, S., Maggi, F.M., Marrella, A., Sapio, F.: Achieving GDPR compliance of BPMN process models. In: Cappiello, C., Ruiz, M. (eds.) Information Systems Engineering in Responsible Information Systems, CAiSE 2019. Lecture Notes in Business Information Processing, vol. 350, pp. 10–22. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21297-1 2
Alshammari, M., Simpson, A.: A UML profile for privacy-aware data lifecycle models. In: Katsikas, S.K., et al. (eds.) CyberICPS/SECPRE-2017. LNCS, vol. 10683, pp. 189–209. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72817-9 13
Babbie, E.R.: The Practice of Social Research. Cengage Learning, Boston (2020)
Basili, V.R., Rombach, H.D.: The tame project: towards improvement-oriented software environments. IEEE Trans. Softw. Eng. 14(6) (1988)
Breaux, T., Norton, T.: Legal accountability as software quality: a US data processing perspective. In: 2022 IEEE 30th International Requirements Engineering Conference (RE). IEEE (2022)
Breaux, T.D., Antón, A.I.: A systematic method for acquiring regulatory requirements: a frame-based approach. RHAS-6), Delhi, India (2007)
Creswell, J.W., Creswell, J.D.: Research Design: Qualitative, Quantitative, and Mixed Methods Approaches. Sage Publications, Thousand Oaks (2017)
Damian, D., Chisan, J.: An empirical study of the complex relationships between requirements engineering processes and other processes that lead to payoffs in productivity, quality, and risk management. IEEE Trans. Software Eng. 32, 433– 453 (2006). https://doi.org/10.1109/TSE.2006.61
Dikici, A., Turetken, O., Demirors, O.: Factors influencing the understandability of process models: a systematic literature review. Inf. Softw. Technol. 93, 112–129 (2018)
Elo, S., Kyngäs, H.: The qualitative content analysis. J. Adv. Nurs. 62, 107–15 (2008). https://doi.org/10.1111/j.1365-2648.2007.04569.x
European Union: Charter of Fundamental Rights (2000). Article 8
European Union: Regulation (EU) 2016/678 of the European Parliament and of the Council-General Data Protection Regulation (2016)
Ezzini, S., Abualhaija, S., Arora, C., Sabetzadeh, M., Briand, L.C.: Using domain-specific corpora for improved handling of ambiguity in requirements. In: 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE), pp. 1485–1497. IEEE (2021)
Ghanavati, S., Amyot, D., Rifaut, A.: Legal goal-oriented requirement language (legal GRL) for modeling regulations. In: Proceedings of the 6th International Workshop on Modeling in Software Engineering, pp. 1–6 (2014)
Hadar, I., et al.: Privacy by designers: software developers’ privacy mindset. In: Proceedings of the 40th International Conference on Software Engineering, Gothen-burg, Sweden. ICSE 2018, Association for Computing Machinery, New York, NY, USA (2018)
Hsieh, H.F., Shannon, S.E.: Three approaches to qualitative content analysis. Qual. Health Res. 15(9), 1277–1288 (2005)
Ingolfo, S., Jureta, I., Siena, A., Perini, A., Susi, A.: Nòmos 3: legal compliance of roles and requirements. In: Yu, E., Dobbie, G., Jarke, M., Purao, S. (eds.) ER 2014. LNCS, vol. 8824, pp. 275–288. Springer, Cham (2014). https://doi.org/10. 1007/978-3-319-12206-9 22
Mai, P.X., Goknil, A., Shar, L.K., Pastore, F., Briand, L.C., Shaame, S.: Modeling security and privacy requirements: a use case-driven approach. Inf. Softw. Technol. 100, 165–182 (2018)
Mendling, J., Recker, J., Reijers, H.A., Leopold, H.: An empirical review of the connection between model viewer characteristics and the comprehension of conceptual process models. Inf. Syst. Front. 21, 1111–1135 (2019)
Moody, D.L.: The method evaluation model: a theoretical model for validating information systems design methods. In: Proceedings of the European Conference on Information Systems 2003, pp. 1–17. AIS Electronic Library (2003)
Morgan, D.L.: Focus groups. Ann. Rev. Sociol. 22(1), 129–152 (1996)
Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(02), 285–309 (2007)
Negri-Ribalta, C., Noel, R., Herbaut, N., Pastor, O., Salinesi, C.: Socio-technical modelling for GDPR principles: an extension for the STS-ml. In: 2022 IEEE 30th International Requirements Engineering Conference Workshops (REW) (2022)
Paja, E., Dalpiaz, F., Poggianella, M., Roberti, P., Giorgini, P.: STS-tool: socio-technical security requirements through social commitments. In: 2012 20th IEEE International Requirements Engineering Conference (RE). IEEE (2012)
Robol, M., Salnitri, M., Giorgini, P.: Toward GDPR-compliant socio-technical systems: modeling language and reasoning framework. In: Poels, G., Gailly, F., Serral Asensio, E., Snoeck, M. (eds.) PoEM 2017. LNBIP, vol. 305, pp. 236–250. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70241-4 16
Stitzlein, C., Sanderson, P., Indulska, M.: Understanding healthcare processes. Proc. Human Factors Ergonom. Soc. Ann. Meet. 57, 240–244 (2013). https://doi. org/10.1177/1541931213571053
Wieringa, R.: Empirical research methods for technology validation: scaling up to practice. J. Syst. Softw. 95, 19–31 (2014)
Wieringa, R.J.: Design Science Methodology for Information Systems and Software Engineering. Springer, Berlin, Heidelberg (2014)
Wuyts, K., Sion, L., Joosen, W.: LINDDUN GO: a lightweight approach to privacy threat modeling. IEEE (2020)
Yu, E.: Modeling strategic relationships for process reengineering. Soc. Model. Requirements Eng. 11(2011), 66–87 (2011)
