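@comment{
  Bibliography of Breaux et al. on deriving security and privacy
  requirements from regulation (HIPAA). Conventions used below, all
  classic-BibTeX safe: names entered as Last, First; page and issue ranges
  use a double hyphen; month is an unquoted macro; acronyms in titles and
  venue names are brace-protected so styles cannot downcase them; the
  LaTeX special ampersand is escaped in text fields; ISSNs are bare
  digits rather than the exported bracket-and-quote wrapper. The Zotero
  abstractNote field is kept under the standard name abstract, which
  standard .bst styles silently ignore. The url field is stored raw
  (a DOI is present for the same entry, which styles should prefer).
}

@article{breaux_anton_spafford_2009,
  author   = {Breaux, Travis D. and Anton, Annie I. and Spafford, Eugene H.},
  title    = {A distributed requirements management framework for legal compliance and accountability},
  journal  = {Computers \& Security},
  volume   = {28},
  number   = {1--2},
  pages    = {8--17},
  year     = {2009},
  issn     = {1872-6208},
  doi      = {10.1016/j.cose.2008.08.001},
  abstract = {Increasingly, new regulations are governing organizations and their information systems. Individuals responsible for ensuring legal compliance and accountability currently lack sufficient guidance and support to manage their legal obligations within relevant information systems. While software controls provide assurances that business processes adhere to specific requirements, such as those derived from government regulations, there is little support to manage these requirements and their relationships to various policies and regulations. We propose a requirements management framework that enables executives, business managers, software developers and auditors to distribute legal obligations across business units and/or personnel with different roles and technical capabilities. This framework improves accountability by integrating traceability throughout the policy and requirements lifecycle. We illustrate the framework within the context of a concrete healthcare scenario in which obligations incurred from the Health Insurance Portability and Accountability Act (HIPAA) are delegated and refined into software requirements. Additionally, we show how auditing mechanisms can be integrated into the framework and how auditors can certify that specific chains of delegation and refinement decisions comply with government regulations.},
}

@inproceedings{breaux_2009,
  author    = {Breaux, Travis D.},
  title     = {Exercising due diligence in legal requirements acquisition: A tool-supported, frame-based approach},
  booktitle = {Proceedings of the 2009 17th {IEEE} International Requirements Engineering Conference},
  pages     = {225--230},
  year      = {2009},
}

@article{breaux_anton_2008,
  author   = {Breaux, Travis D. and Anton, Annie I.},
  title    = {Analyzing regulatory rules for privacy and security requirements},
  journal  = {{IEEE} Transactions on Software Engineering},
  volume   = {34},
  number   = {1},
  pages    = {5--20},
  year     = {2008},
  issn     = {1939-3520},
  doi      = {10.1109/TSE.2007.70746},
  abstract = {Information practices that use personal, financial, and health-related information are governed by US laws and regulations to prevent unauthorized use and disclosure. To ensure compliance under the law, the security and privacy requirements of relevant software systems must properly be aligned with these regulations. However, these regulations describe stakeholder rules, called rights and obligations, in complex and sometimes ambiguous legal language. These "rules" are often precursors to software requirements that must undergo considerable refinement and analysis before they become implementable. To support the software engineering effort to derive security requirements from regulations, we present a methodology for directly extracting access rights and obligations from regulation texts. The methodology provides statement-level coverage for an entire regulatory document to consistently identify and infer six types of data access constraints, handle complex cross references, resolve ambiguities, and assign required priorities between access rights and obligations to avoid unlawful information disclosures. We present results from applying this methodology to the entire regulation text of the US Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.},
}

@article{breaux_anton_doyle_2008,
  author    = {Breaux, Travis D. and Anton, Annie I. and Doyle, Jon},
  title     = {{Semantic Parameterization}: A Process for Modeling Domain Descriptions},
  journal   = {{ACM} Transactions on Software Engineering and Methodology},
  volume    = {18},
  number    = {2},
  year      = {2008},
  month     = nov,
  publisher = {Association for Computing Machinery (ACM)},
  issn      = {1557-7392},
  doi       = {10.1145/1416563.1416565},
  url       = {http://www.scopus.com/inward/record.url?eid=2-s2.0-56149121201&partnerID=MN8TOARS},
  abstract  = {Software engineers must systematically account for the broad scope of environmental behavior, including nonfunctional requirements, intended to coordinate the actions of stakeholders and software systems. The Inquiry Cycle Model (ICM) provides engineers with a strategy to acquire and refine these requirements by having domain experts answer six questions: who, what, where, when, how, and why. Goal-based requirements engineering has led to the formalization of requirements to answer the ICM questions about when, how, and why goals are achieved, maintained, or avoided. In this article, we present a systematic process called Semantic Parameterization for expressing natural language domain descriptions of goals as specifications in description logic. The formalization of goals in description logic allows engineers to automate inquiries using who, what, and where questions, completing the formalization of the ICM questions. The contributions of this approach include new theory to conceptually compare and disambiguate goal specifications that enables querying goals and organizing goals into specialization hierarchies. The artifacts in the process include a dictionary that aligns the domain lexicon with unique concepts, distinguishing between synonyms and polysemes, and several natural language patterns that aid engineers in mapping common domain descriptions to formal specifications. Semantic Parameterization has been empirically validated in three case studies on policy and regulatory descriptions that govern information systems in the finance and health-care domains.},
}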