Arguing regulatory compliance of software requirements
Introduction
The problem of legal compliance of software systems is gaining relevance in recent years. Government regulations that impact software systems are becoming ever more prevalent in current legislative scenarios around the world. Organizations that don't comply with regulations are vulnerable to fines and prosecution that could damage their financial and marketing prospects in both the short and long term. The impact of this situation has been immense on software engineering as much as on business practices. It has been estimated that in the Healthcare domain alone, organizations have spent $17.6 billion over a number of years to align their systems and procedures with a single law, the Health Insurance Portability and Accountability Act (HIPAA), introduced in 1996. In the Business domain, it was estimated that organizations spent $5.8 billion in one year alone (2005) to ensure compliance of their reporting and risk management procedures with the Sarbanes–Oxley Act (SOX). In short, compliance is a costly proposition and not dealing with it is not an option.
We are interested in addressing the compliance problem at the requirements level. This means asking the question “Does a given set of requirements R comply with law L?”, also offering a systematic, iterative process for transforming non-compliant requirements R to a compliant variation R′.
A key issue for the requirements compliance problem concerns the form of evidence provided that indeed a requirements model complies with a given law (fragment). There is an abundance of formal method techniques developed in AI and Software Engineering (SE) for dealing with this issue, for example refs. [1], [2], [3]. Unfortunately, such techniques are generally heavy-handed in the notations they use for modeling laws and requirements, and intractable in the reasoning tools they employ to establish compliance.
In our work, we lower the bar by adopting a conceptual modeling approach whereby laws and requirements are captured through conceptual models. These models capture logical relationships among law fragments and requirements, such as “If P is satisfied then Q is denied”, but leave much of the content of laws and requirements unformalized. Moreover, compliance is not established through automated proof, but rather through argumentation among the stakeholders who state positions, e.g., “this requirement does not comply with this part of the law” and argue for or against them until (hopefully) consensus is reached.
The objective of this paper is to propose a systematic process to establish compliance of system requirements to a given law using argumentation as a means. The process takes as input a requirements model R and a law model L. Requirements engineers iteratively transform R = R(0) into revised requirements models R(1), …, R(i), …, and discuss each with stakeholders until the stakeholders agree that a revised model R(N) indeed complies with L.
The contributions of the paper include an extension of the Nòmos framework [4] for dealing with compliance. With this extension, we are able to both detect compliance and pinpoint which requirements don't comply and need to be revised. To accomplish this, we integrate into Nòmos the modeling and analytical elements of an argumentation framework. Through a systematic process, compliance of software requirements to a given law is established. The process ends with a revised version of the input model that is compliant with the law. This paper extends the work presented at ER2011 [5] by including: a more detailed description of the process and an empirical evaluation through an industrial case study. This evaluation was conducted over a period of 2 months and gave us the opportunity to assess the conceptual adequacy of our proposal.
The rest of the paper is structured as follows. Section 2 presents an overview of the modeling concepts and the validation method we have adopted. In Section 3 we describe our framework for supporting a compliance discussion, its metamodel and how compliance can be defined in terms of argumentation. The process we propose for establishing compliance is detailed in Section 4 together with a running example showing how the steps work in a scenario involving fragments of the HIPAA regulation. In Section 5 we present the pilot case study aimed at evaluating the conceptual adequacy of the proposed framework and process, detailing how we designed and executed it and discussing derived results. Section 6 overviews related work. Finally, Section 7 concludes the paper and outlines directions for further research.
Requirements models
Requirements engineering frameworks are grounded on the elicitation and analysis of stakeholder needs. i* [6] is an agent-oriented modeling framework for requirements, where stakeholders are modeled as actors, and goals represent their respective requirements. In addition, actors are interrelated through social relationships, such as “Actor A depends on actor B for the fulfillment of goal G”. The two main components of an i* model are a Strategic Dependency (SD) model and a Strategic Rationale
Proposed framework
The key idea proposed in this paper is that evidence of requirements compliance with respect to a given law results from a discussion about the requirements and how they relate to the law. If acceptance is established, then the discussion is said to support the claim of compliance. Otherwise, new information is added to the discussion. If no more information can be added, and no acceptance is established, then the discussion is said to reject the claim of compliance. The discussion is
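As an added example that is not part of the paper, the following Python sketch encodes the decision rule above as a small abstract argumentation framework evaluated under grounded semantics: the compliance claim is supported when it survives every attack raised in the discussion and rejected otherwise. The paper does not fix an argumentation semantics, so that choice, the argument names and the HIPAA-flavoured content are assumptions made here.

```python
# Added example, not code from the paper: a minimal Dung-style abstract
# argumentation framework evaluated under grounded semantics, used to decide
# whether a stakeholder discussion supports or rejects a compliance claim.
# The paper does not fix a semantics; grounded semantics is an assumption.
# Argument names and the HIPAA-flavoured content are constructed.

def grounded_extension(args, attacks):
    """Return the set of arguments accepted under grounded semantics.

    `args` is an iterable of argument ids; `attacks` is a set of (a, b) pairs
    meaning "a attacks b". An argument is accepted once every attacker of it
    has been defeated by an already-accepted argument (least fixpoint).
    """
    args = set(args)
    attackers = {a: {x for (x, y) in attacks if y == a} for a in args}
    accepted, defeated = set(), set()
    changed = True
    while changed:
        changed = False
        for a in args - accepted - defeated:
            if attackers[a] <= defeated:          # all attackers defeated
                accepted.add(a)
                defeated |= {y for (x, y) in attacks if x == a}
                changed = True
    return accepted

def claim_status(claim, args, attacks):
    """Map the discussion outcome onto the extension: 'supported' if the
    claim is accepted; 'rejected' when no further information is added
    and the claim is still not accepted (assumed end of discussion)."""
    return "supported" if claim in grounded_extension(args, attacks) else "rejected"

# Constructed discussion about a requirements model R(0):
#   C  : "R complies with the law fragment"
#   A1 : "goal 'share patient record by e-mail' violates the norm that
#         health data be transmitted only over protected channels" (attacks C)
#   A2 : "the revised goal encrypts the record before sending"     (attacks A1)
ARGS = {"C", "A1", "A2"}
ATTACKS_R0 = {("A1", "C")}                # round 0: only the objection is raised
ATTACKS_R1 = ATTACKS_R0 | {("A2", "A1")}  # round 1: revision R(1) answers it

def discussion_outcomes():
    """Status of claim C before and after the revision is argued."""
    return (claim_status("C", ARGS - {"A2"}, ATTACKS_R0),
            claim_status("C", ARGS, ATTACKS_R1))

if __name__ == "__main__":
    print(discussion_outcomes())   # ('rejected', 'supported')
```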
Compliance process
According to the above, reaching compliance is a gradual process aimed at reconciling given norms with stakeholder wants. Accordingly, we are proposing a systematic process to amend and revise the initial requirements model to guarantee that two properties (compliance and conformity) are met in the final model. The procedure we propose is structured along three logical phases:
1. The analysis phase [step 1 and 2] takes as input the model of requirements, expressed as a set of goals to be achieved
A pilot case study using the Italian Electronic Health Record (EHR)
We designed an empirical evaluation, based on an industrial case study, with the aim of evaluating the conceptual adequacy of the proposed framework and process. A case study approach [11] was deemed appropriate because it allows us to draw some preliminary conclusions on our proposal. The object of the case study was the design of a system for managing Italian Electronic Health Record (EHR) data. Such systems need to comply with existing laws in force (e.g. Italian Privacy Law, and Guidelines
Related work
Analysis of regulatory compliance of a system has also been examined in [14], where the authors suggest using a production rule model to check for compliance. Unlike our work, theirs was aimed at providing support for a compliance check, while our work extends this concept with both a framework and a systematic process for obtaining compliance through the traceability and soundness provided by argumentation.
A more targeted approach dealing specifically with privacy law, was
Conclusions
The present work proposes a goal-oriented, norm-driven requirements modeling framework for modeling law, requirements and compliance solutions of requirements with respect to law. The key idea proposed in this paper is that argumentation can be adopted to establish compliance. Evidence and proof of compliance are provided by the arguments made by the stakeholders discussing models of requirements and law. The systematic process we propose allows us to amend an initial requirements model by
Acknowledgments
The authors would like to thank Paolo Guarda (University of Trento), Jovan Stevovic (GPI Trento — University of Trento) and Annamaria Chiasera (GPI Trento — University of Trento) for the time and expertise they contributed towards the case study presented in this paper.
This work has been supported by the ERC advanced grant 267856 “Lucretius: Foundations for Software Evolution”, unfolding during the period of April 2011–March 2016 — http://www.lucretius.eu.
References (23)
[1] Fundamental legal concepts: a formal and teleological characterisation. Artificial Intelligence and Law (2006).
[2] Towards a framework for tracking legal compliance in healthcare.
[3] A method for identifying software requirements based on policy commitments. IEEE International Conference on Requirements Engineering (2010).
[4] A. Siena, Engineering law-compliant requirements. The Nòmos framework, Ph.D. thesis, University of Trento, Italy, ...
[5] Establishing regulatory compliance for software requirements.
[6] E. Yu, Modelling Strategic Relationships for Process Reengineering, Ph.D. thesis, University of Toronto, Canada, ...
[7] Fundamental legal conceptions as applied in judicial reasoning. Yale Law Journal (1913).
[8] Analysis of multi-party agreement in requirements validation. IEEE International Conference on Requirements Engineering (2009).
[9] S. Ingolfo, Establishing compliance of software requirements through argumentation, Master's thesis, University of ...
[10] A compliance-based theory of international law. California Law Review (2002).
[11] Case Study Research: Design and Methods.