![Problem Characterization
n Is necessary address the privacy issues since the early
stages of development, ie the Requirements Engineering
phase [Kalloniatis et al., 2008; Omoronyia et al., 2012; Tun et
al., 2012].
n There is a need for systematic approaches for reasoning,
modeling and analyzing privacy from the early stages of the
software development [Webster et al., 2005].
n Privacy is a multifaceted concept, comes in many forms, relating to
what one wishes to keep private [Kalloniatis et al., 2008; Gharib et
al., 2017]. This has resulted in much confusion among designers
and stakeholders, and has led in turn to wrong design decisions
[Gharib et al., 2017].
3](https://image.slidesharecdn.com/modelinglanguagetosupportprivacyrequirements-180824180423/85/Modeling-language-to-support-privacy-requirements-3-320.jpg)
Modeling language to support privacy requirements
- 1. www.cin.ufpe.br/~ler Laboratório de Engenharia de Requisitos Universidade Federal de Pernambuco Modeling Languages to Support Privacy Requirements: Results from a Systematic Literature Review Mariana Peixoto and Carla Silva {mmp2, ctlls}@cin.ufpe.br 08/2018
- 2. Outline n Problem Characterization n Research methodology n Results n Future Work 2
- 3. Problem Characterization n Is necessary address the privacy issues since the early stages of development, ie the Requirements Engineering phase [Kalloniatis et al., 2008; Omoronyia et al., 2012; Tun et al., 2012]. n There is a need for systematic approaches for reasoning, modeling and analyzing privacy from the early stages of the software development [Webster et al., 2005]. n Privacy is a multifaceted concept, comes in many forms, relating to what one wishes to keep private [Kalloniatis et al., 2008; Gharib et al., 2017]. This has resulted in much confusion among designers and stakeholders, and has led in turn to wrong design decisions [Gharib et al., 2017]. 3
- 4. Problem Characterization n Motivated by this scenario, we perform a Systematic Literature Review to investigate requirements modeling languages for privacy and provides an extensive analysis of them. ¨ This SLR focuses on approaches that consider privacy, by explicitly representing and analyzing privacy concepts in a requirements model. 4
- 5. Research Methodology 5 Fig 1. SLR Process adapted from Kitchenham and Charters (2007).
- 6. Research Methodology n What are the modeling languages used to modeling and analysis of privacy requirements? ¨ SRQ1 - What modeling languages capture privacy concepts? Is it an extension of existing language? The language has tool support? ¨ SRQ2 - What are the benefits and limitations reported in the use of the modeling languages? ¨ SRQ3 - What are the privacy concepts captured by modeling languages? ¨ SRQ4 - What are the modeling elements used to capture privacy concepts and their relationships? ¨ SRQ5 – Do these languages support requirements analysis? What are the methods of analysis used? ¨ SRQ6 - Are the modeling languages concerned with cognitive understanding aspects? 6
- 7. Research Methodology Search Strategy: automatic search and snowball method n Search String: (“privacy”) AND (“requirements engineering”) AND (“modeling” OR “modelling” OR “model” OR “language” OR “notation) n Search Engines: ¨ IEEExplore ¨ ACM Digital Library ¨ Science Direct ¨ Scopus ¨ Compendex ¨ Springer 7
- 8. SLR Preliminary Results 8 Inclusion Criteria Exclusion Criteria I1 Primary Studies E1 Studies that are not focused on Requirements Engineering I2 Peer-reviewed studies E2 Duplicate studies (only one copy of each study was included) I3 Studies that present privacy representation in some visual language E3 Redundant paper of same author I4 Original studies in languages: English, Portuguese or Spanish E4 Studies not available I5 Studies published in any year E5 Incomplete studies (short papers (≤ 3 pages) E6 Presentations, reports, dissertations, theses, secondary studies, tertiary and meta-analysis, gray literature. E7 Studies that do not capture privacy concepts E8 Studies irrelevant to the research questions Table 1. Selection Criteria.
- 9. Research Methodology Selection Procedure n Step 1: reading titles, abstracts and keywords; considering the inclusion and exclusion criteria. n Step 2: reading introduction and conclusion; considering the inclusion and exclusion criteria. n Step 3: the studies included are fully read; excluding irrelevant papers for the research questions. 9
- 10. Research Methodology 10 Data Description Identifier (ID) Unique identifier for each paper Year, Affiliations, List of Authors, Title, Abstract and Keywords Source IEEE, ACM, Scopus, Science Direct, Ei COMPENDEX and Springer Application context Industrial, academic, both Study Type Journal, conference, symposium, workshop, book chapter Research Type (based on Wieringa et al., 2006) Evaluation research, validation research, solution proposal, philosophical papers, experience papers, opinion papers Evaluation Method (based on Easterbrook et al., 2008 ) Controlled experiment, case study, survey, ethnography, action research, illustrative scenario, not applicable Application Domain Any domain. For example, Health Care Research Questions Answer to each research question Table 2. Data Extraction.
- 11. Research Methodology Quality Assessment n To verify the quality, the studies were classified according to Wieringa (2005): ¨ Validation Research ¨ Evaluation Research ¨ Experience Papers ¨ Opinion Papers ¨ Philosophical Papers ¨ Solution Proposal 11
- 12. 12 Quality Assessment Question Eva Val Sol Phi Exp Opi QA1- Are the proposed concepts/relations clearly defined? (Gharib et al., 2017). x x x x x x QA2- Does the work propose sufficient concepts/relations to deal with privacy aspects? (Gharib et al., 2017). x x x x x x QA3- Is the problem clearly stated? (Wieringa, 2006). x x x QA4- Is the research method clearly stated? (Wieringa, 2006). x x QA5- Is there an adequate description of the context? (Dyba and Dingsoyr, 2008). x x QA6- Was the data collected in a way that addressed the research issue? (Dyba and Dingsoyr, 2008). x x QA7- Was the data analysis sufficiently rigorous? (Dyba and Dingsoyr, 2008). x x QA8- Is there a clear statement of findings? (Dyba and Dingsoyr, 2008). x x QA9- Was there a control group with which to compare treatments? (Dyba and Dingsoyr, 2008). x QA10- Is the technique novel, or is the application of the techniques to this kind of problem novel? (Wieringa, 2006). x QA11- Is the technique argued? (Wieringa, 2006). x QA12- Is the broader relevance of this novel technique argued? (Wieringa, 2006). x QA13- Is there sufficient discussion of related work? (Wieringa, 2006). x QA14- Is the conceptual framework original? (Wieringa, 2006). x QA15- Is it argued? (Wieringa, 2006). x QA16- Is the experience original? (Wieringa, 2006). x QA17- Is the report about it sound? (Wieringa, 2006). x QA18- Is the report relevant for practitioners? (Wieringa, 2006). x QA19- Is the stated position argued? (Wieringa, 2006). x QA20- Is the opinion Innovating? (Wieringa, 2006). x Table 3. Quality Assessment
- 13. Research Methodology Quality Assessment n To verify the quality, the studies were classified according to Wieringa (2005): ¨ Validation Research (less than 4.5 of 9.0) ¨ Evaluation Research (less than 3.5 of 8.0) ¨ Experience Papers (less than 2.5 of 5.0) ¨ Opinion Papers (less than 2.5 of 5.0) ¨ Philosophical Papers (less than 2.5 of 4.0) ¨ Solution Proposal (less than 2.5 of 7.0) 13
- 14. Research Methodology Threats to validity n This review was conducted by only one researcher and one advisor. To reduce the bias in this case, a structured data extraction approach was used, as indicated by Cruzes and Dyba (2011). n The search string used for the automatic search may not include all the existing synonyms for the terms present in the expression "Modeling languages that support privacy requirements" and thus be insufficient to capture all area studies. To reduce this bias the snowball search was performed. 14
- 15. SLR Results 15 Fig 2. SLR Results.
- 16. SLR Results 16 ID Title Authors ACM7 Distilling Privacy Requirements for Mobile Applications Thomas, K; Bandara, A. K.; Price, B.A.; Nuseibeh, B. (2014) ACM8 Elaborating Security Requirements by Construction of Intentional Anti-Models Lamsweerde, A.V. (2004) ACM17 Legal Goal-oriented Requirement Language (Legal GRL) for Modeling Regulations Ghanavati, S.; Amyot, D.; Rifaut, A. (2014) COMPEDEX9 Designing privacy-aware personal health record systems Samavi, R.; Topaloglou, T. (2008) IEEE18 Compliance Analysis Based on a Goal-oriented Requirement Language Evaluation Methodology Ghanavati, S.; Amyot D.;, Peyton, L. (2009) IEEE30 Goal-oriented compliance with multiple regulations Ghanavati, S.; Rifaut;, A.; Dubois, E.; Amyot, D. (2014) IEEE48 Requirements engineering patterns for the modeling of Online Social Networks features Bouraga, S.; Jureta, I.; Faulkner, S. (2014) ... .... ... Table 4. Selected Papers
- 17. SLR Results n Overview Results 17 Fig 3. Publication year. 1 6 4 3 3 2 5 4 2 4 3 3 9 3 4 2 0 1 2 3 4 5 6 7 8 9 10 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
- 18. SLR Results n Overview Results 18 Fig 4. Authors nationalities. 1 6 1 17 1 1 1 1 9 2 1 2 17 1 3 2 2 1 3 13 1 0 2 4 6 8 10 12 14 16 18 Australia Belgium Brazil Canada Chile China Cyprus France Germany Greece India Ireland Italy Japan Luxembourg Netherlands Norway Saudi Arabia Spain UK USA
- 19. SLR Results n Overview Results 19 Table 5. Paper type x context. Application Context Study Type Academic Academic/Industrial Total Conference 24 0 24 Journal 17 4 21 Symposium 2 0 2 Workshop 11 0 11 Total 54 (93.1%) 4 (6.8%) 58 (100%)
- 20. SLR Results n Overview Results 20 Table 6. Research type. Research Type Frequency Percentage Solution Proposal 48 82.8 Evaluation Research 7 12.1 Validation Research 3 5.2 Total 58 100.0
- 21. SLR Results n Overview Results 21 Table 7. Evaluation method Evaluation Method Frequency Percentage Case study 13 22.4 Case study and Survey 1 1.7 Controlled Experiment 3 5.2 Illustrative Scenario 35 60.3 Not Applicable 5 8.6 Survey 1 1.7 Total 58 100.0
- 22. SLR Results 22 Table 8 Application Domain Application Domain Frequency Percentage Business Process Management 1 1.7 Cloud Computing Systems 2 3.4 Context-sensitive systems 1 1.7 General 32 55.2 Health Care 5 8.6 Internet Services 1 1.7 Legal Regulations 6 10.3 Mobile Applications 2 3.4 Online Social Networks 1 1.7 Public Key Infrastructures 1 1.7 Security Policies 1 1.7 Smart Grids 1 1.7 Socio-Technical Systems 3 5.2 Web of Things 1 1.7 Total 58 100.0
- 23. 23 Table 9. Languages used for privacy. Language Frequency Percentage UML4PF 1 1.4 BPMN 1 1.4 CORAS Risk Modeling 1 1.4 Data Flow Diagrams 1 1.4 Goal/Agent Modeling 8 11.4 GRL 3 4.3 i-Star 9 12.9 KAOS 1 1.4 Legal GRL 2 2.9 Misuse Cases 4 5.7 NFR Framework 3 4.3 Problem Frames 5 7.1 SecBPMN-ml 1 1.4 Secure Tropos 6 8.6 Security-Aware Tropos 1 1.4 SI* modelling 3 4.3 STS-ml 2 2.9 Threat Model 2 2.9 Threat Tree 1 1.4 Tropos 6 8.6 UML 3 4.3 UMLsec 3 4.3 Use Case Maps 2 2.9 User Requirements Notation 1 1.4 Total 70 100.0
- 24. SLR Results What modeling languages capture privacy concepts? 24 Fig 5. Taxonomy of privacy modeling languages.
- 25. SLR Results Is it an extension of existing language? n 44 (75.9%) studies used an existing language; n 14 (24.1%) studies proposed an extension of an existing language; n It was not possible to observe the proposal of no new language. 25
- 26. SLR Results The language has tool support? 26 Table 10. Paper Whose has Tool Support. ID Tool Name ACM7 Customized OpenArgue ACM17/ IEEE18/ IEEE30/ SCOPUS6/ SPRINGER119/ SPRINGER277 Extended tool support (jUCMNav) SPRINGER183/ SPRINGER420/ SPRINGER23 UMLsec tool SPRINGER23 Used Secure Tropos tool SPRINGER160 Toolset for modeling in SecBPMN-ml IEEE58/SPRINGER302 Extended/Used UML profile SCOPUS20 Used CREE-tool SCIENCE27 Tool developed using the Open Models Initiative Platform
- 27. SLR Results What are the privacy concepts captured by modeling languages? Privacy Concepts Catalog Private/ Public/ Semi Public/ Owner/ Third Party/ Personal Information/ Privacy Mechanism- goals/ Safeguards/ Awareness – Necessity to know/ Openness/ Consent/ Accuracy/ Agreement/ Obligation/ Socialization/ Intentionality/ Non Repudiation/ Availability/ Permission/ Collect/ Disclosure/ Use/ Access Control/ Autonomy/ Vulnerability/ Confidentiality/ Intervenability/ Dectectability/ Integrity/ Unobservability/ Unlikability/ Anonymity/ Pseudonymity/ Authorization/ Authentication/ Opportunity/ Strength/ Weakness/ Conflict/ Trust/ Constraint/ Assurance/ Measure/ Privacy Threats/ Harms/ Exposure/ Surveillance/ Aggregation/ Misinformation/ Power Imbalance/ Contextl/ Intrusion/ Identification/ Accountability/ Compliance/ Auditability/ Processor/ Privacy policy/ Privacy Preferences 27
- 28. SLR Results What are the privacy concepts captured by modeling languages? n UML is used to support Personal Information, Awareness, Consent, Obligation, Non Repudiation, Disclosure, Access Control, Confidentiality, Integrity, Anonymity, Authorization and Harms. n NFR Framework is used to support, Privacy Mechanism, Awareness, Socialization, Intentionality, Permission, Autonomy, Vulnerability, Confidentiality, Anonymity, Conflict, Trust, Privacy Threats in COMPEDEX9, SCIENCE178 and SNOW115. 28
- 29. SLR Preliminary Results What are the modeling elements used to capture privacy concepts and their relationships? 29 Concept <Element; Relationships (ID)> Private <Resource; Dependency (IEEE48)> Public <Resource; Dependency (IEEE48)> Semi-Public <Resource; Dependency (IEEE48)> Owner <Owner; Dependency (SNOW122) Third Party <Goal; Decomposition link (ACM17)> Personal Information <Resource; Dependency (COMPEDEX9/IEEE48/SNOW123), part of (SCOPUS31), Trust relation, Owner relation, Permission relation (SCOPUS30)>, <Goal; Contribution Link (IEEE18/SNOW7), Goal decomposition (SNOW46), Dependency (SCIENCE323/SCIENCE332)>, <Softgoal; Decomposition Link (IEEE30), Strategic Dependencies (IEEE53), Association (SCIENCE40)>, < Stereotype; Extension (IEEE58)>, <Document; Contribution link SNOW122)> Table 11. Modeling elements and relationships.
- 30. SLR Preliminary Results What are the modeling elements used to capture privacy concepts and their relationships? 30Fig 6. SLR Modeling Elements Results.
- 31. SLR Preliminary Results Do these languages support requirements analysis? What are the methods of analysis used? n 48 (82.8%) do support analysis and 10 (17.2%) don’t. 31 Fig 7. Requirements Analysis Methods.
- 32. SLR Results Do these languages support requirements analysis? What are the methods of analysis used? 32 ID Requirements Analysis Techniques Supported Concept SNOW115 Privacy and Transparency Together Analysis: Aims to analyze how privacy would impact Transparency and vice versa. Third Party, Personal Information, Privacy Mechanism, Awareness, Socialization, Collect, Use, Anonymity and Trust IEEE53/ SNOW123 Attacker Analysis: Aims to identify potential system abusers and their malicious intents Personal Information, Privacy Mechanism, Awareness, Consent, Collect, Disclosure, Access Control, Confidentiality, Authorization, Authentication, Trust, Constraint, Assurance and Privacy Threats SNOW122 Consistency Analysis: Aims to verify whether the diagram built by the designer is consistent and valid. Owner, Personal Information, Availability, Confidentiality, Integrity, Authorization and Privacy Threats IEEE53 Countermeasure Analysis: System designers make decisions on how to protect security and privacy from potential attackers and vulnerabilities Personal Information, Awareness, Disclosure, Access Control, Confidentiality, Authorization, Trust and Privacy Threats Table 12. Requirements Analysis Techniques X Supported Concept .
- 33. SLR Results Are the modeling languages concerned with cognitive understanding aspects? n only one study! ¨ They conducted a study in two countries with 152 participants in which they assessed the effectiveness of graphical representations with respect to extraction correct information about risks. 33
- 34. SLR Results - Quality Assessment n Evaluation research: 7 papers just one received maximum score, quality 80 ; n Validation research: 3 papers (two studies received 80) from a maximum of 90; n Solution proposal: 48 papers just three received maximum score, quality 70. 34
- 35. Future Work n Concepts Validation n Conceptual Model n Framework of Privacy Capabilities 35
- 36. Main References n Gharib, M., Giorgini, P., Mylopoulos, J. (2017) Towards an Ontology for Privacy Requirements via a Systematic Literature Review. In: Mayr H., Guizzardi G., Ma H., Pastor O. (eds) Conceptual Modeling. LNCS, vol 10650. Springer, pages 193– 208. n Hadar, I., Hasson, T., Ayalon, O., Toch, E., Birnhack, M., Sherman, S., & Balissa, A. (2018) Privacy by designers: software developers’ privacy mindset. Empirical Software Engineering, pages 259-289. n Kitchenham, B., Charters, S. Guidelines for performing Systematic Literature Reviews in Software Engineering. Technical Report, EBSE-2007-01, Software Engineering Group, School of Computer Science and Mathematics. Keele University, Keele, UK. n Privacy in RE: https://sites.google.com/cin.ufpe.br/ privacyconcepts/home 36
- 37. www.cin.ufpe.br/~ler Laboratório de Engenharia de Requisitos Universidade Federal de Pernambuco Modeling Languages to Support Privacy Requirements: Results from a Systematic Literature Review Mariana Peixoto and Carla Silva {mmp2, ctlls}@cin.ufpe.br 08/2018