DOI: 10.1145/1529282.1529360
Research article

Identifying vulnerabilities and critical requirements using criminal court proceedings

Published: 08 March 2009

Abstract

Information systems governed by laws and regulations are subject to civil and criminal violations. In the United States, these violations are documented in court records, such as complaints, indictments, plea agreements, and verdicts, which thus constitute a source of real-world software vulnerabilities. This paper reports on an exploratory case study to identify legal vulnerabilities and provides guidance to practitioners in the analysis of court documents. As legal violations occur after system deployment, court records reveal vulnerabilities that were likely overlooked during software development. We evaluate established requirements engineering techniques, including sequence and misuse case diagrams and goal models, as applied to criminal court records to identify mitigating requirements that improve privacy protections. These techniques, when properly applied, can help organizations focus their risk-management efforts on emerging legal vulnerabilities. We illustrate our analysis using criminal indictments involving the U.S. Health Insurance Portability and Accountability Act (HIPAA).

Published In

SAC '09: Proceedings of the 2009 ACM symposium on Applied Computing
March 2009
2347 pages
ISBN: 9781605581668
DOI: 10.1145/1529282

Publisher

Association for Computing Machinery
New York, NY, United States

Conference

SAC09: The 2009 ACM Symposium on Applied Computing
March 8, 2009 - March 12, 2008
Hawaii, Honolulu

Acceptance Rates

Overall Acceptance Rate 1,286 of 5,316 submissions, 24%
