Similar literature
20 similar documents found (search time: 31 ms)
1.
Addressing privacy requirements in system design: the PriS method (cited 2 times: 2 self-citations, 0 by others)
A major challenge in the field of software engineering is to make users trust the software that they use in their everyday activities for professional or recreational reasons. Trusting software depends on various elements, one of which is the protection of user privacy. Protecting privacy is about complying with users' desires when it comes to handling personal information. Users' privacy can also be defined as the right to determine when, how and to what extent information about them is communicated to others. Current research stresses the need for addressing privacy issues during the system design phase rather than during the system implementation phase. To this end, this paper describes PriS, a security requirements engineering method which incorporates privacy requirements early in the system development process. PriS considers privacy requirements as organisational goals that need to be satisfied and adopts the use of privacy-process patterns as a way to: (1) describe the effect of privacy requirements on business processes; and (2) facilitate the identification of the system architecture that best supports the privacy-related business processes. In this way, PriS provides a holistic approach from ‘high-level’ goals to ‘privacy-compliant’ IT systems. The PriS way-of-working is formally defined, thus enabling the development of automated tools for assisting its application.
Stefanos Gritzalis

2.
《Information & Management》2006,43(7):805-820
Privacy concerns and practices, especially those dealing with the acquisition and use of consumer personal information, are at the forefront of global business and social issues associated with the information age. Our research examined the privacy policies of the Fortune 500 to assess the substance and content of their stated information practices and the degree to which they adhered to the fair information practices (FIP). From the observations, we developed a Privacy Policy Assessment Matrix that can be used to evaluate how well a firm addresses information privacy concerns. The matrix was used to analyze the Fortune 500 firms to understand their privacy maturity. The results provided practical and theoretical implications for addressing information privacy issues.

3.
Information privacy is much broader than data security. It's about the collection, processing, use, and protection of personal information. Essentially, business processes, IT systems, and compliance controls must support the full set of requirements embodied in these principles and expressed in relevant laws and policies. Implementation choices, including automation level and security control selection, become business and business-risk decisions. To institute such principles, businesses should understand the critical need for policy-driven security and privacy compliance in developing the right business processes and overall technical architecture.

4.
5.
A requirements taxonomy for reducing Web site privacy vulnerabilities (cited 1 time: 1 self-citation, 0 by others)
The increasing use of personal information on Web-based applications can result in unexpected disclosures. Consumers often have only the stated Web site policies as a guide to how their information is used, and thus on which to base their browsing and transaction decisions. However, each policy is different, and it is difficult—if not impossible—for the average user to compare and comprehend these policies. This paper presents a taxonomy of privacy requirements for Web sites. Using goal-mining, the extraction of pre-requirements goals from post-requirements text artefacts, we analysed an initial set of Internet privacy policies to develop the taxonomy. This taxonomy was then validated during a second goal extraction exercise, involving privacy policies from a range of health care related Web sites. This validation effort enabled further refinement to the taxonomy, culminating in two classes of privacy requirements: protection goals and vulnerabilities. Protection goals express the desired protection of consumer privacy rights, whereas vulnerabilities describe requirements that potentially threaten consumer privacy. The identified taxonomy categories are useful for analysing implicit internal conflicts within privacy policies, the corresponding Web sites, and their manner of operation. These categories can be used by Web site designers to reduce Web site privacy vulnerabilities and ensure that their stated and actual policies are consistent with each other. The same categories can be used by customers to evaluate and understand policies and their limitations. Additionally, the policies have potential use by third-party evaluators of site policies and conflicts.
Annie I. Antón

6.
Privacy is an important aspect of interoperable medical information systems. Governments and health care organizations have established privacy policies to prevent abuse of personal health data. These policies often require organizations to obtain patient consent prior to exchanging personal information with other interoperable systems. The consents are defined in the form of so-called disclosure directives. However, policies are often not precise enough to address all possible eventualities and exceptions. Unanticipated priorities and other care contexts may cause conflicts between a patient’s disclosure directives and the need to receive treatment from informed caregivers. It is commonly agreed that in these situations patient safety takes precedence over information privacy. Therefore, caregivers are typically given the ability to override the patient’s disclosure directives to protect patient safety. These overrides must be logged and are subject to privacy audits to prevent abuse. Centralized “shared health record” (SHR) infrastructures include consent management systems that enact the above functionality. However, consent management mechanisms do not extend to information systems that exchange clinical information on a peer-to-peer basis, e.g., by secure messaging. Our article addresses this gap by presenting a consent management mechanism for peer-to-peer interoperable systems. The mechanism restricts access to sensitive medical data based on defined consent directives, but also allows overriding the policies when needed. The overriding process is monitored and audited in order to prevent misuse. The mechanism has been implemented in an open source project called CDAShip and has been made available on SourceForge.

7.
Analyzing Regulatory Rules for Privacy and Security Requirements (cited 2 times: 0 self-citations, 2 by others)
Information practices that use personal, financial, and health-related information are governed by US laws and regulations to prevent unauthorized use and disclosure. To ensure compliance under the law, the security and privacy requirements of relevant software systems must be properly aligned with these regulations. However, these regulations describe stakeholder rules, called rights and obligations, in complex and sometimes ambiguous legal language. These "rules" are often precursors to software requirements that must undergo considerable refinement and analysis before they become implementable. To support the software engineering effort to derive security requirements from regulations, we present a methodology for directly extracting access rights and obligations from regulation texts. The methodology provides statement-level coverage for an entire regulatory document to consistently identify and infer six types of data access constraints, handle complex cross references, resolve ambiguities, and assign required priorities between access rights and obligations to avoid unlawful information disclosures. We present results from applying this methodology to the entire regulation text of the US Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

8.
The protection of customer privacy is a fundamental issue in today’s corporate marketing strategies. Not surprisingly, many research efforts have proposed new privacy-aware technologies. Among them, Hippocratic databases offer mechanisms for enforcing privacy rules in database systems for inter-organizational business processes (also known as virtual organizations). This paper extends these mechanisms to allow for hierarchical purposes, distributed authorizations and minimal disclosure supporting the business processes of virtual organizations that want to offer their clients a number of ways to fulfill a service. Specifically, we use a goal-oriented approach to analyze privacy policies of the enterprises involved in a business process. On the basis of the purpose hierarchy derived through a goal refinement process, we provide algorithms for determining the minimum set of authorizations needed to achieve a service. This allows us to automatically derive access control policies for an inter-organizational business process from the collection of privacy policies associated with different participating enterprises. By using effective on-line algorithms, the derivation of such minimal information can also be done on-the-fly by the customer wishing to access a service. This is an expanded and revised version of [20].

9.
Day by day the provision of information technology goods and services becomes noticeably more expensive. This is mainly due to the high labor cost for the service providers, resulting from the need to cover a vast variety of application domains and at the same time to improve and/or enhance the services offered in accordance with the requirements set by the competition. A business model that could ease the problem is the development and/or provision of the service by an external contractor on behalf of the service provider, known as Information Technology Outsourcing. However, outsourcing a service may have the side effect of transferring personal and/or sensitive data from the outsourcing company to the external contractor. Therefore the outsourcing company faces the risk of a contractor who does not adequately protect the data, resulting in its non-deliberate disclosure or modification, or of a contractor that acts maliciously in the sense that she causes a security incident in order to profit from it. Whatever the case, the outsourcing company is legally responsible for the misuse of personal data and/or the violation of an individual’s privacy. In this paper we demonstrate how companies adopting the outsourcing model can protect the personal data and privacy of their customers through an insurance contract. Moreover, a probabilistic model for optimising the insurance contract, in terms of the premium and compensation amounts, is presented.

10.
Requirements Engineering - Companies that collect personal information online often maintain privacy policies that are required to accurately reflect their data practices and privacy goals. To be...

11.
This paper examines the privacy implications of the different online practices in which young people disclose personal information, and how associated configurations of choice and control create possibilities for violations of online privacy. The implications of the commercial and non-commercial use of young people's personal information are examined, with a specific focus on how this can potentially facilitate cyberbullying. The paper suggests that educational strategies should more clearly focus on encouraging young people to protect their online privacy, encourage control over disclosure practices, and consider the potential commercial and non-commercial uses of their information. The development of these strategies needs to be informed by empirical research exploring the everyday contexts and social norms which influence young people's online behaviour. Such an evidence base can inform a critical review of educational, legal and regulatory actions which aim to protect their online privacy and safety.

12.
This paper is a discussion on the problem of establishing information requirements in changing and ongoing business organisations. Attempts within existing software development paradigms to cope with business change are identified and discussed, and their problems concerning business change are highlighted. The alternative spiral of change model of tailorable information systems is proposed for thinking about establishing changing and ongoing information systems requirements. It is also proposed that information should be reconceptualised as tailorable. Such a reconceptualisation would allow us to explore ways of establishing information systems requirements that cope with business change. Deferred system’s design is proposed as a form of business software design and development that can cope with business change, as well as with the contextual and situational nature of tailorable information.

13.
Emergency management is more than just events occurring within an emergency situation. It encompasses a variety of persistent activities such as planning, training, assessment, and organizational change. We are studying emergency management planning practices in which geographic communities (towns and regions) prepare to respond efficiently to significant emergency events. Community emergency management planning is an extensive collaboration involving numerous stakeholders throughout the community and both reflecting and challenging the community’s structure and resources. Geocollaboration is one aspect of the effort. Emergency managers, public works directors, first responders, and local transportation managers need to exchange information relating to possible emergency event locations and their surrounding areas. They need to examine geospatial maps together and collaboratively develop emergency plans and procedures. Issues such as emergency vehicle traffic routes and staging areas for command posts, arriving media, and personal first responders’ vehicles must be agreed upon prior to an emergency event to ensure an efficient and effective response. This work presents a software architecture that facilitates the development of geocollaboration solutions. The architecture extends prior geocollaboration research and reuses existing geospatial information models. Emergency management planning is one application domain for the architecture. Geocollaboration tools can be developed that support community-wide emergency management planning and preparedness. This paper describes how the software architecture can be used for the geospatial, emergency management planning activities of one community.

14.
This article introduces the growing importance of privacy and the need for an improved understanding of the issues involved. A key requirement is for organisations to better understand the relationship between security and privacy and, therefore, to ensure the design of their systems includes the ability to safeguard privacy and staff consistently apply controls that include the protection of individuals' personal data. A new approach to information security is proposed, as well as some outline results of the application of new methods and mechanisms for ensuring privacy in multi-agency data sharing. It is hoped that this article will prompt dialogue about the need to reconsider existing methods and tools for securely managing data.

15.
In the online and offline worlds, the value of personal information – especially information about commercial purchases and preferences – has long been recognised. Exchanges and uses of personal information have also long sparked concerns about privacy. Public opinion surveys consistently indicate that overwhelming majorities of the American public are concerned that they have lost all control over information about themselves and do not trust organisations to protect the privacy of their information. Somewhat smaller majorities favour federal legislation to protect privacy. Despite public support for stronger privacy protection, the prevailing policy stance for over thirty years has been one of reluctance to legislate and a preference for self‐regulation by business to protect privacy. Although some privacy legislation has been adopted, policy debates about the commercial uses of personal information have been dominated largely by business concerns about intrusive government regulation, free speech and the flow of commercial information, costs, and effectiveness. Public concerns about privacy, reflected in public opinion surveys and voiced by a number of public interest groups, are often discredited because individuals seem to behave as though privacy is not important. Although people express concern about privacy, they routinely disclose personal information because of convenience, discounts and other incentives, or a lack of understanding of the consequences. This disconnect between public opinion and public behaviour has been interpreted to support a self‐regulatory approach to privacy protections with emphasis on giving individuals notice and choice about information practices. In theory the self‐regulatory approach also entails some enforcement mechanism to ensure that organisations are doing what they claim, and a redress mechanism by which individuals can seek compensation if they are wronged. 
This article analyses the course of policy formulation over the last twenty years, with particular attention to how policymakers and stakeholders have used public opinion about the commercial use of personal information in formulating policy to protect privacy. The article considers policy activities in both Congress and the Federal Trade Commission that have resulted in an emphasis on “notice and consent.” The article concludes that both individual behaviour and organisational behaviour are skewed in a privacy-invasive direction. People are less likely to make choices to protect their privacy unless these choices are relatively easy, obvious, and low cost. If a privacy protection choice entails additional steps, most rational people will not take those steps. This appears logically to be true and to be supported by behaviour in the physical world. Organisations are unlikely to act unilaterally to make their practices less privacy-invasive because such actions will impose costs on them that are not imposed on their competitors. Overall then, the privacy level available is less than what the norms of society and the stated preferences of people require. A consent scheme that is most protective of privacy imposes the largest burden on the individual, as well as costs to the individual, while a consent scheme that is least protective of privacy imposes the least burden on the individual, as well as fewer costs to the individual. Recent experience with privacy notices that resulted from the financial privacy provisions in Gramm‐Leach‐Bliley supports this conclusion. Finally, the article will consider whether the terrorist attacks of 11 September have changed public opinion about privacy and what the policy implications of any changes in public opinion are likely to be.

16.
Throughout the world, sensitive personal information is now protected by regulatory requirements that have translated into significant new compliance oversight responsibilities for IT managers, who have a legal mandate to ensure that individual employees are adequately prepared and motivated to observe policies and procedures designed to ensure compliance. This research project investigates the antecedents of information privacy policy compliance efficacy by individuals. Using Health Insurance Portability and Accountability Act compliance within the healthcare industry as a practical proxy for general organizational privacy policy compliance, the results of this survey of 234 healthcare professionals indicate that certain social conditions within the organizational setting (referred to as external cues and comprising situational support, verbal persuasion, and vicarious experience) contribute to an informal learning process. This process is distinct from the formal compliance training procedures and is shown to influence employee perceptions of efficacy to engage in compliance activities, which contributes to behavioural intention to comply with information privacy policies. Implications for managers and researchers are discussed.

17.
IT providers are increasingly facing the challenge of adapting their previously resource-oriented service portfolios in order to offer their customers services which explicitly support business processes. Such customer-centric service propositions, however, seem to contradict the demand for standardized and automated operational IT processes more than traditional IT service offers do, as they are even more subject to customer-specific reengineering efforts due to permanently changing business requirements. In order to reconcile increased efficiency in operational processes with effectiveness in consumer-oriented service propositions, we propose (1) to predefine all service propositions in consideration of both consumer-oriented commitments and operational processes, and (2) to allow for standardized customization by offering a selection of complementary service propositions that extend commitments regarding customer-oriented functionality and performance. Such service propositions are aligned with a company’s entities such as workplaces. Thereby the customer organization is enabled to trace, control and adjust commitments, value and expenses of IT services per entity in its business. We introduce a procedural model for designing and requesting on demand this kind of service proposition, and we illustrate the model’s application and impact with examples taken from two large projects with an associated IT provider.

18.
Publishing transactional data about individuals in an anonymous form is increasingly required by organizations. Recent approaches ensure that potentially identifying information cannot be used to link published transactions to individuals’ identities. However, these approaches are inadequate to anonymize data that is both protected and practically useful in applications because they incorporate coarse privacy requirements, do not integrate utility requirements, and tend to explore a small portion of the solution space. In this paper, we propose the first approach for anonymizing transactional data under application-specific privacy and utility requirements. We model such requirements as constraints, investigate how these constraints can be specified, and propose COnstraint-based Anonymization of Transactions (COAT), an algorithm that anonymizes transactions using a flexible anonymization scheme to meet the specified constraints. Experiments with benchmark datasets verify that COAT significantly outperforms the current state-of-the-art algorithm in terms of data utility, while being comparable in terms of efficiency. Our approach is also shown to be effective in preserving both privacy and utility in a real-world scenario that requires disseminating patients’ information.

19.
Investigations of offshore outsourcing of information systems have presented little evidence on developing country software and information technology (IT) industries. This study probes how Indian software and IT suppliers trade off work in India versus bodyshopping of employees. Worldwide clients view these practices as full offshoring versus on-shore temporary hiring from an Indian firm, but these practices are probed from the suppliers’ perspective. Suppliers’ characteristics are theorized to affect their use of bodyshopping versus in-India work. A Reserve Bank of India survey of every Indian software and IT firm elicited suppliers’ use of bodyshopping to serve clients abroad. Consistent with theoretical rationales, suppliers that were larger, incorporated, public, and owned foreign subsidiaries most frequently provided bodyshopping among their international services. Bodyshopping was used frequently for IT purchasing and systems maintenance and infrequently for business process applications, and was infrequent to nations where bodyshopped labor costs were high. The evidence expands knowledge of the vibrant entrepreneurial IT industry in India and how it serves client firms abroad.

20.
Autonomic computing and communication has become a new paradigm for dynamic service integration and resource sharing in today's ambient networks. Devices and systems need to dynamically collaborate and federate with little known or even unknown parties in order to perform everyday tasks. Those devices and systems act as independent nodes that autonomously manage and enforce their own security policies. Thus, in autonomic pervasive communications, clients may not know a priori what access rights they need in order to execute a service, nor do service providers know a priori what credentials and privacy requirements clients have so that they can take appropriate access decisions. To solve this problem we propose a negotiation scheme that protects security and privacy interests with respect to information disclosure while still providing effective access control to services. The scheme proposes a negotiation protocol that allows entities in a network to mutually establish the sufficient access rights needed to grant a service.
