
Data & Knowledge Engineering

Volume 87, September 2013, Pages 279-296

Arguing regulatory compliance of software requirements

https://doi.org/10.1016/j.datak.2012.12.004

Abstract

A software system complies with a regulation if its operation is consistent with the regulation under all circumstances. The importance of regulatory compliance for software systems has been growing, as regulations are increasingly impacting both the functional and non-functional requirements of legacy and new systems. HIPAA and SOX are recent examples of laws with broad impact on software systems, as attested by the billions of dollars spent in the US alone on compliance. In this paper we propose a framework for establishing regulatory compliance for a given set of software requirements. The framework assumes as inputs models of the requirements (expressed in i*) and the regulations (expressed in Nòmos). In addition, we adopt and integrate with i* and Nòmos a modeling technique for capturing arguments and establishing their acceptability. Given these, the framework proposes a systematic process for revising the requirements, and arguing through a discussion among stakeholders that the revisions make the requirements compliant. A pilot industrial case study involving fragments of the Italian regulation on privacy for Electronic Health Records provides preliminary evidence of the framework's adequacy and indicates directions for further improvements.

Introduction

The problem of legal compliance of software systems has been gaining relevance in recent years. Government regulations that impact software systems are becoming ever more prevalent in legislative scenarios around the world. Organizations that do not comply with regulations are vulnerable to fines and prosecution that could damage both their financial and marketing prospects in the short and long term. The impact of this situation has been immense on software engineering as much as on business practices. It has been estimated that in the Healthcare domain alone, organizations have spent $17.6 billion over a number of years to align their systems and procedures with a single law, the Health Insurance Portability and Accountability Act (HIPAA), introduced in 1996.¹ In the Business domain, it was estimated that organizations spent $5.8 billion in one year alone (2005) to ensure compliance of their reporting and risk management procedures with the Sarbanes–Oxley Act (SOX).² In short, compliance is a costly proposition, and not dealing with it is not an option.

We are interested in addressing the compliance problem at the requirements level. This means asking the question “Does a given set of requirements R comply with law L?”, and offering a systematic, iterative process for transforming non-compliant requirements R into a compliant variation R′.

A key issue for the requirements compliance problem concerns the form of evidence provided that a requirements model indeed complies with a given law (fragment). There is an abundance of formal method techniques developed in AI and Software Engineering (SE) for dealing with this issue, e.g., [1], [2], [3]. Unfortunately, such techniques are generally heavy-handed in the notations they use for modeling laws and requirements, and intractable in the reasoning tools they employ to establish compliance.

In our work, we lower the bar by adopting a conceptual modeling approach whereby laws and requirements are captured through conceptual models. These models capture logical relationships among law fragments and requirements, such as “If P is satisfied then Q is denied”, but leave much of the content of laws and requirements unformalized. Moreover, compliance is not established through automated proof, but rather through argumentation among the stakeholders who state positions, e.g., “this requirement does not comply with this part of the law” and argue for or against them until (hopefully) consensus is reached.

The objective of this paper is to propose a systematic process to establish compliance of system requirements to a given law using argumentation as a means. The process takes as input a requirements model R and a law model L. Requirements engineers iteratively transform R = R(0) into revised requirements models R(1), …, R(i), …, and discuss each with stakeholders until the stakeholders agree that a revised model R(N) indeed complies with L.

The contributions of the paper include an extension of the Nòmos framework [4] for dealing with compliance. With this extension, we are able to both detect compliance and pinpoint which requirements don't comply and need to be revised. To accomplish this, we integrate into Nòmos the modeling and analytical elements of an argumentation framework. Through a systematic process, compliance of software requirements to a given law is established. The process ends with a revised version of the input model that is compliant with the law. This paper extends the work presented at ER2011 [5] by including: a more detailed description of the process and an empirical evaluation through an industrial case study. This evaluation was conducted over a period of 2 months and gave us the opportunity to assess the conceptual adequacy of our proposal.

The rest of the paper is structured as follows. Section 2 presents an overview of the modeling concepts and the validation method we have adopted. In Section 3 we describe our framework for supporting a compliance discussion, its metamodel and how compliance can be defined in terms of argumentation. The process we propose for establishing compliance is detailed in Section 4 together with a running example showing how the steps work in a scenario involving fragments of the HIPAA regulation. In Section 5 we present the pilot case study aimed at evaluating the conceptual adequacy of the proposed framework and process, detailing how we designed and executed it and discussing derived results. Section 6 overviews related work. Finally, Section 7 concludes the paper and outlines directions for further research.


Requirements models

Requirements engineering frameworks are grounded on the elicitation and analysis of stakeholder needs. i* [6] is an agent-oriented modeling framework for requirements, where stakeholders are modeled as actors, and goals represent their respective requirements. In addition, actors are interrelated through social relationships, such as “Actor A depends on actor B for the fulfillment of goal G”. The two main components of an i* model are a Strategic Dependency (SD) model and a Strategic Rationale

Proposed framework

The key idea proposed in this paper is that evidence of requirements compliance with respect to a given law results from a discussion about the requirements and how they relate to the law. If acceptance is established, then the discussion is said to support the claim of compliance. Otherwise, new information is added to the discussion. If no more information can be added, and no acceptance is established, then the discussion is said to reject the claim of compliance. The discussion is

Compliance process

According to the above, reaching compliance is a gradual process aimed at reconciling given norms with stakeholder wants. Accordingly, we propose a systematic process to amend and revise the initial requirements model so as to guarantee that two properties (compliance and conformity) are met in the final model. The procedure we propose is structured along three logical phases:

  1. The analysis phase [steps 1 and 2] takes as input the model of requirements, expressed as a set of goals to be achieved
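The "Proposed framework" section above describes compliance as a claim that a stakeholder discussion either supports (acceptance is established), rejects (an accepted argument defeats it), or leaves open (no more information can be added), and the compliance process iterates over revised models R(0), R(1), …, R(N) until the claim is accepted. The following added example, which is not code from the paper or from the Nòmos project, makes that acceptability check concrete. It assumes, as a modelling choice the snippets do not specify, a Dung-style abstract argumentation framework (arguments plus an attack relation) with grounded semantics: a claim is accepted when it lies in the least fixed point of the defence function. Every argument text, the consent norm and the three revision rounds are constructed sample data, not material from the paper's case study.

```python
"""Added example: deciding a compliance claim by argument acceptability.

Assumptions (not stated in the paper's snippets): the stakeholder discussion
is modelled as a Dung-style abstract argumentation framework (arguments plus
an attack relation), and a claim counts as accepted when it lies in the
grounded extension, i.e. the least fixed point of the defence function.
All argument texts below are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

Attack = Tuple[str, str]  # (attacker, attacked)


def grounded_extension(args: Set[str], attacks: Set[Attack]) -> Set[str]:
    """Least fixed point of F(S) = {a : every attacker of a is attacked by S}.

    Unattacked arguments enter first; an attacked argument enters only once
    each of its attackers has been defeated by an already-accepted argument.
    """
    attackers: Dict[str, Set[str]] = {a: set() for a in args}
    for src, dst in attacks:
        attackers[dst].add(src)
    accepted: Set[str] = set()
    while True:
        defended = {
            a for a in args
            if all(attackers[c] & accepted for c in attackers[a])
        }
        if defended == accepted:
            return accepted
        accepted = defended


def compliance_status(args: Set[str], attacks: Set[Attack], claim: str) -> str:
    """'accepted' if the discussion supports the claim, 'rejected' if an
    accepted argument defeats it, 'undecided' if no consensus emerges."""
    ext = grounded_extension(args, attacks)
    if claim in ext:
        return "accepted"
    if any(src in ext for src, dst in attacks if dst == claim):
        return "rejected"
    return "undecided"


def discussion_rounds(claim: str,
                      rounds: List[Tuple[Set[str], Set[Attack]]]) -> List[str]:
    """Status of the claim after each revision R(0), R(1), ..., R(N)."""
    return [compliance_status(a, at, claim) for a, at in rounds]


# Constructed sample discussion about an EHR requirements model and a
# hypothetical consent norm; the wording is illustrative only.
CLAIM = "C: requirements model R complies with the consent norm"
A1 = "A1: goal 'share EHR with specialists' shares data without patient consent"
A2 = "A2: R(1) adds goal 'obtain patient consent before any sharing'"
A3 = "A3: the consent form in R(1) does not name the recipients"
A4 = "A4: R(2) lists recipient categories on the consent form"

# R(0): A1 stands unopposed, so it defeats the compliance claim.
R0 = ({CLAIM, A1}, {(A1, CLAIM)})
# R(1): A2 answers A1, but A2 and A3 attack each other, so nothing is settled.
R1 = ({CLAIM, A1, A2, A3},
      {(A1, CLAIM), (A2, A1), (A3, A2), (A2, A3)})
# R(2): A4 defeats A3, which reinstates A2, which defeats A1: C is accepted.
R2 = ({CLAIM, A1, A2, A3, A4},
      {(A1, CLAIM), (A2, A1), (A3, A2), (A2, A3), (A4, A3)})


if __name__ == "__main__":
    for i, status in enumerate(discussion_rounds(CLAIM, [R0, R1, R2])):
        print(f"R({i}): {status}")
```

The three rounds show the three outcomes the framework distinguishes: in R(0) the claim is rejected because an unanswered objection is accepted; in R(1) the mutual attack between A2 and A3 leaves the claim undecided, which is the "no acceptance established" case that calls for more information; in R(2) the added argument defeats A3, reinstates A2, and the claim of compliance is accepted, ending the revision loop.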

A pilot case study using the Italian Electronic Health Record (EHR)

We designed an empirical evaluation, based on an industrial case study, with the aim of evaluating the conceptual adequacy of the proposed framework and process. A case study approach [11] was deemed appropriate because it allows us to draw some preliminary conclusions on our proposal. The object of the case study was the design of a system for managing Italian Electronic Health Record (EHR) data. Such systems need to comply with existing laws in force (e.g. Italian Privacy Law, and Guidelines

Related work

Analysis of regulatory compliance of a system has also been examined in [14], where the authors suggest using a production rule model to check for compliance. Differently from our work, their work was aimed at providing support for a compliance check, while our work extends this concept with both a framework and a systematic process for obtaining compliance through the traceability and soundness provided by argumentation.

A more targeted approach dealing specifically with privacy law, was

Conclusions

The present work proposes a goal-oriented, norm-driven requirements modeling framework for modeling law, requirements, and compliance solutions of requirements with respect to law. The key idea proposed in this paper is that argumentation can be adopted to establish compliance. Evidence and proof of compliance are provided by the arguments made by the stakeholders discussing models of requirements and law. The systematic process we propose allows us to amend an initial requirements model by

Acknowledgments

The authors would like to thank Paolo Guarda (University of Trento), Jovan Stevovic (GPI Trento — University of Trento) and Annamaria Chiasera (GPI Trento — University of Trento) for the time and expertise they contributed towards the case study presented in this paper.

This work has been supported by the ERC advanced grant 267856 “Lucretius: Foundations for Software Evolution”, unfolding during the period of April 2011–March 2016 — http://www.lucretius.eu.

References (23)

  • G. Sartor, Fundamental legal concepts: a formal and teleological characterisation, Artificial Intelligence and Law (2006)
  • S. Ghanavati et al., Towards a framework for tracking legal compliance in healthcare
  • J.D. Young et al., A method for identifying software requirements based on policy commitments, IEEE International Conference on Requirements Engineering (2010)
  • A. Siena, Engineering law-compliant requirements. The Nòmos framework, Ph.D. thesis, University of Trento, Italy, ...
  • S. Ingolfo et al., Establishing regulatory compliance for software requirements
  • E. Yu, Modelling Strategic Relationships for Process Reengineering, Ph.D. thesis, University of Toronto, Canada, ...
  • W.N. Hohfeld, Fundamental legal conceptions as applied in judicial reasoning, Yale Law Journal (1913)
  • I. Jureta et al., Analysis of multi-party agreement in requirements validation, IEEE International Conference on Requirements Engineering (2009)
  • S. Ingolfo, Establishing compliance of software requirements through argumentation, Master's thesis, University of ...
  • A.T. Guzman, A compliance-based theory of international law, California Law Review (2002)
  • R.K. Yin, Case Study Research: Design and Methods (1994)