{"title":"Assessing identification of compliance requirements from privacy policies","authors":"J. Schmidt, A. Antón, J. Earp","doi":"10.1109/RELAW.2012.6347806","DOIUrl":null,"url":null,"abstract":"In the United States, organizations can be held liable by the Federal Trade Commission for the statements they make in their privacy policies. Thus, organizations must include their privacy policies as a source of requirements in order to build systems that are policy-compliant. In this paper, we describe an empirical user study in which we measure the ability of requirements engineers to effectively extract compliance requirements from a privacy policy using one of three analysis approaches-CPR (commitment, privilege, and right) analysis, goal-based analysis, and non-method-assisted (control) analysis. The results of these three approaches were then compared to an expert-produced set of expected compliance requirements. The requirements extracted by the CPR subjects reflected a higher percentage of requirements that were expected compliance requirements as well as a higher percentage of the total expected compliance requirements. In contrast, the goal-based and control subjects produced a higher number of synthesized requirements, or requirements not directly derived from the policy than the CPR subjects. This larger number of synthesized requirements may be attributed to the fact that these two subject groups employed more inquiry-driven approaches than the CPR subjects who relied primarily on focused and direct extraction of compliance requirements.","PeriodicalId":444010,"journal":{"name":"2012 Fifth IEEE International Workshop on Requirements Engineering and Law (RELAW)","volume":"240 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"10","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 Fifth IEEE International Workshop on Requirements Engineering and Law (RELAW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/RELAW.2012.6347806","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 10
Abstract
In the United States, organizations can be held liable by the Federal Trade Commission for the statements they make in their privacy policies. Thus, organizations must include their privacy policies as a source of requirements in order to build systems that are policy-compliant. In this paper, we describe an empirical user study in which we measure the ability of requirements engineers to effectively extract compliance requirements from a privacy policy using one of three analysis approaches-CPR (commitment, privilege, and right) analysis, goal-based analysis, and non-method-assisted (control) analysis. The results of these three approaches were then compared to an expert-produced set of expected compliance requirements. The requirements extracted by the CPR subjects reflected a higher percentage of requirements that were expected compliance requirements as well as a higher percentage of the total expected compliance requirements. In contrast, the goal-based and control subjects produced a higher number of synthesized requirements, or requirements not directly derived from the policy than the CPR subjects. This larger number of synthesized requirements may be attributed to the fact that these two subject groups employed more inquiry-driven approaches than the CPR subjects who relied primarily on focused and direct extraction of compliance requirements.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
