Abstract
Data protection regulations impose requirements on organizations that require interdisciplinary. Conceptual modeling of information systems, particularly goal modeling, has served to communicate with stakeholders of different backgrounds for software requirements analysis. An extension for a Socio-Technical Security (STS) modeling language was proposed to include data protection modeling concepts to help represent relevant issues of the European Union’s General Data Protection Regulation. This article examines whether models designed with this extension serve as communication facilitators for privacy compliance and common ground across stakeholders.
Through a series of 8 focus groups, with 21 subjects, we observed if professionals with different backgrounds (software developers, business analysts, and privacy experts) could detect discuss about the GDPR principles and identify privacy compliance “red flags” that we seeded in a use case. Using a qualitative approach to analyze the data, all the groups discussed the majority of the GDPR principles and identified more than 80% of the seeded red flags, with privacy experts identifying the most. This research provides preliminary results on using conceptual modeling as a communicator facilitator between stakeholders to contribute to a common ground between them.
This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 956562. Part of first (and corresponding) author work was done at Paris 1 as part of her PhD. thesis.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
The complete exercise is available here: https://doi.org/10.5281/zenodo.7729512.
- 2.
Due to space issues, the models are available onlinehttps://doi.org/10.5281/zenodo.7729512.
- 3.
On an anecdotal note, some subjects said at the end of the activity that they had not read the handout and were a little lost at the beginning of the activity.
- 4.
- 5.
Some subjects contacted us even after the focus groups to continue discussing STAGE.
- 6.
- 7.
DEV of group 4 contributed significantly more than others, as it has a sound knowledge of goal modeling and could be treated as an atypical case.
References
Agostinelli, S., Maggi, F.M., Marrella, A., Sapio, F.: Achieving GDPR compliance of BPMN process models. In: Cappiello, C., Ruiz, M. (eds.) Information Systems Engineering in Responsible Information Systems, CAiSE 2019. Lecture Notes in Business Information Processing, vol. 350, pp. 10–22. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21297-1_2
Alshammari, M., Simpson, A.: A UML profile for privacy-aware data lifecycle models. In: Katsikas, S.K., et al. (eds.) CyberICPS/SECPRE -2017. LNCS, vol. 10683, pp. 189–209. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72817-9_13
Babbie, E.R.: The Practice of Social Research. Cengage Learning, Boston (2020)
Basili, V.R., Rombach, H.D.: The tame project: towards improvement-oriented software environments. IEEE Trans. Softw. Eng. 14(6) (1988)
Breaux, T., Norton, T.: Legal accountability as software quality: a US data processing perspective. In: 2022 IEEE 30th International Requirements Engineering Conference (RE). IEEE (2022)
Breaux, T.D., Antón, A.I.: A systematic method for acquiring regulatory requirements: a frame-based approach. RHAS-6), Delhi, India (2007)
Creswell, J.W., Creswell, J.D.: Research Design: Qualitative, Quantitative, and Mixed Methods Approaches. Sage Publications, Thousand Oaks (2017)
Dalpiaz, F., Paja, E., Giorgini, P.: Security Requirements Engineering: Designing Secure Socio-technical Systems. Massachusetts, Cambridge (2016)
Damian, D., Chisan, J.: An empirical study of the complex relationships between requirements engineering processes and other processes that lead to payoffs in productivity, quality, and risk management. IEEE Trans. Software Eng. 32, 433–453 (2006). https://doi.org/10.1109/TSE.2006.61
Dikici, A., Turetken, O., Demirors, O.: Factors influencing the understandability of process models: a systematic literature review. Inf. Softw. Technol. 93, 112–129 (2018)
Elo, S., Kyngäs, H.: The qualitative content analysis. J. Adv. Nurs. 62, 107–15 (2008). https://doi.org/10.1111/j.1365-2648.2007.04569.x
European Union: Charter of Fundamental Rights (2000). Article 8
European Union: Regulation (EU) 2016/678 of the European Parliament and of the Council - General Data Protection Regulation (2016)
Ezzini, S., Abualhaija, S., Arora, C., Sabetzadeh, M., Briand, L.C.: Using domain-specific corpora for improved handling of ambiguity in requirements. In: 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE), pp. 1485–1497. IEEE (2021)
Ghanavati, S., Amyot, D., Rifaut, A.: Legal goal-oriented requirement language (legal GRL) for modeling regulations. In: Proceedings of the 6th International Workshop on Modeling in Software Engineering, pp. 1–6 (2014)
Hadar, I., et al.: Privacy by designers: software developers’ privacy mindset. In: Proceedings of the 40th International Conference on Software Engineering, Gothenburg, Sweden. ICSE 2018, Association for Computing Machinery, New York, NY, USA (2018)
Hsieh, H.F., Shannon, S.E.: Three approaches to qualitative content analysis. Qual. Health Res. 15(9), 1277–1288 (2005)
Ingolfo, S., Jureta, I., Siena, A., Perini, A., Susi, A.: Nòmos 3: legal compliance of roles and requirements. In: Yu, E., Dobbie, G., Jarke, M., Purao, S. (eds.) ER 2014. LNCS, vol. 8824, pp. 275–288. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12206-9_22
Mai, P.X., Goknil, A., Shar, L.K., Pastore, F., Briand, L.C., Shaame, S.: Modeling security and privacy requirements: a use case-driven approach. Inf. Softw. Technol. 100, 165–182 (2018)
Mendling, J., Recker, J., Reijers, H.A., Leopold, H.: An empirical review of the connection between model viewer characteristics and the comprehension of conceptual process models. Inf. Syst. Front. 21, 1111–1135 (2019)
Moody, D.L.: The method evaluation model: a theoretical model for validating information systems design methods. In: Proceedings of the European Conference on Information Systems 2003, pp. 1–17. AIS Electronic Library (2003)
Morgan, D.L.: Focus groups. Ann. Rev. Sociol. 22(1), 129–152 (1996)
Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(02), 285–309 (2007)
Negri-Ribalta, C., Noel, R., Herbaut, N., Pastor, O., Salinesi, C.: Socio-technical modelling for GDPR principles: an extension for the STS-ml. In: 2022 IEEE 30th International Requirements Engineering Conference Workshops (REW) (2022)
Paja, E., Dalpiaz, F., Poggianella, M., Roberti, P., Giorgini, P.: STS-tool: socio-technical security requirements through social commitments. In: 2012 20th IEEE International Requirements Engineering Conference (RE). IEEE (2012)
Robol, M., Salnitri, M., Giorgini, P.: Toward GDPR-compliant socio-technical systems: modeling language and reasoning framework. In: Poels, G., Gailly, F., Serral Asensio, E., Snoeck, M. (eds.) PoEM 2017. LNBIP, vol. 305, pp. 236–250. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70241-4_16
Stitzlein, C., Sanderson, P., Indulska, M.: Understanding healthcare processes. Proc. Human Factors Ergonom. Soc. Ann. Meet. 57, 240–244 (2013). https://doi.org/10.1177/1541931213571053
Wieringa, R.: Empirical research methods for technology validation: scaling up to practice. J. Syst. Softw. 95, 19–31 (2014)
Wieringa, R.J.: Design Science Methodology for Information Systems and Software Engineering. Springer, Berlin, Heidelberg (2014)
Wuyts, K., Sion, L., Joosen, W.: LINDDUN GO: a lightweight approach to privacy threat modeling. IEEE (2020)
Yu, E.: Modeling strategic relationships for process reengineering. Soc. Model. Requirements Eng. 11(2011), 66–87 (2011)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Negri-Ribalta, C., Noel, R., Pastor, O., Salinesi, C. (2024). An Empirical Study on Socio-technical Modeling for Interdisciplinary Privacy Requirements. In: Sellami, M., Vidal, ME., van Dongen, B., Gaaloul, W., Panetto, H. (eds) Cooperative Information Systems. CoopIS 2023. Lecture Notes in Computer Science, vol 14353. Springer, Cham. https://doi.org/10.1007/978-3-031-46846-9_8
Download citation
DOI: https://doi.org/10.1007/978-3-031-46846-9_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-46845-2
Online ISBN: 978-3-031-46846-9
eBook Packages: Computer ScienceComputer Science (R0)