This work-in-progress (WIP) research-to-practice paper describes a work in progress by the authors to integrate appreciation of privacy, ethics, regulatory compliance, and research into Senior Project capstone experiences for Electrical and Computer Engineering. The student work focused on data quality assurance and de-identification topics to enhance quality, accuracy, completeness, consistency, and timeliness. Real-world data protection regulations grounded projects to meet ABET EAC Criterion 3 requirements for Student Outcome 2. Students explored the topics in a Project-Based Learning (PBL) format as a part of their senior project. In addition to implementing PBL, our focus for the senior project capstone is securing as many industrially sponsored projects as possible. This paper focuses on a few senior projects that are PBL, sponsored by industry, and emphasize data quality assurance and privacy protection techniques. We present a framework that meets assessment needs and uses project-based learning on a current topic of interest. The student findings offer insights into the theoretical and practical challenges and opportunities of implementing data quality assurance and de-identification techniques across different domains.
Promoting Privacy Considerations in Real-World Projects in Capstone Courses with Ideation Cards
Nearly all software built today impinges upon end-user privacy and needs to comply with relevant regulations. Therefore, there have been increasing calls for integrating considerations of compliance with privacy regulations throughout the software engineering lifecycle. However, software engineers are typically trained in the technical fields and lack sufficient knowledge and support for sociotechnical considerations of privacy. Privacy ideation cards attempt to address this issue by making privacy compliance understandable and actionable for software developers. However, the application of privacy ideation cards in real-world software projects has not yet been systemically investigated. The effectiveness of ideation cards as a pedagogical tool has not yet been examined either. We address these gaps by studying how teams of undergraduate students applied privacy ideation cards in capstone projects that involved building real-world software for industry sponsors. We found that privacy ideation cards fostered greater consideration and understanding of the extent to which the projects aligned with privacy regulations. We identified three main themes from student discussions of privacy compliance: (i) defining personal data; (ii) assigning responsibility for privacy compliance; and (iii) determining and exercising autonomy. The results suggest that application of the cards for real-world projects requires careful consideration of intersecting factors such as the stage at which the cards are used and the autonomy available to the developers. Pedagogically, ideation cards can facilitate low-level cognitive engagement (especially the cognitive processes of meaning construction and interpretation) for specific components within a project. Higher-level cognitive processes were comparatively rare in ideation sessions. 
These findings provide important insight to help enhance capstone instruction and to improve privacy ideation cards to increase their impact on the privacy properties of the developed software.
- Award ID(s): 2221870
- PAR ID: 10357451
- Date Published:
- Journal Name: ACM Transactions on Computing Education
- Volume: 21
- Issue: 4
- ISSN: 1946-6226
- Page Range / eLocation ID: 1 to 28
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
-
With the increase in the number of privacy regulations, small development teams are forced to make privacy decisions on their own. In this paper, we conduct a mixed-method survey study, including statistical and qualitative analysis, to evaluate the privacy perceptions, practices, and knowledge of members involved in various phases of the Software Development Life Cycle (SDLC). Our survey includes 362 participants from 23 countries, encompassing roles such as product managers, developers, and testers. Our results show diverse definitions of privacy across SDLC roles, emphasizing the need for a holistic privacy approach throughout SDLC. We find that software teams, regardless of their region, are less familiar with privacy concepts (such as anonymization), relying on self-teaching and forums. Most participants are more familiar with GDPR and HIPAA than other regulations, with multijurisdictional compliance being their primary concern. Our results advocate the need for role-dependent solutions to address the privacy challenges, and we highlight research directions and educational takeaways to help improve privacy-aware SDLC.
-
Privacy regimes are increasingly taking center stage for bringing up cases against violators or introducing new regulations to safeguard consumer rights. Health regulations mostly predate most of the generic privacy regulations. However, we still see how health entities fail to meet regulatory requirements. Prior work suggests that third-party code is responsible for a significant portion of these violations. Hence, we propose using Software Bills of Materials (SBOM) as an effective intervention for communicating compliance limitations and expectations surrounding third-party code to help developers make informed decisions.
-
Motivation: The increasing volume and frequency of cyberattacks have made it necessary that all computing professionals be proficient in security principles. Concurrently, modern technology poses greater threats to privacy, making it important that technological solutions be developed to respect end-user privacy preferences and comply with privacy-related laws and regulations. Just as considering security and privacy must be an integral part of developing any technological solution, teaching security and privacy ought to be a required aspect of computer science education. Objective: We set out to demonstrate that a project-based capstone experience provides an effective mechanism for teaching the foundations of security and privacy. Method: We developed ten learning modules designed to introduce and sensitize students to foundational sociotechnical concepts related to the security and privacy aspects of modern technology. We delivered the modules in the treatment sections of a two-term capstone course involving the development of software solutions for external clients. We asked the students in the course to apply the concepts covered in the modules to their projects. Control sections of the course were taught without the modules as usual. We evaluated the effectiveness of the modules by administering pre-treatment and post-treatment assessments of cybersecurity knowledge and collecting written student reflections after the delivery of each module. Results: We found that the students in the treatment condition exhibited statistically significant increases in their knowledge of foundational security and privacy concepts compared to those in the control condition without the modules. Further, student reflections indicate that they appreciated the content of the modules and were readily able to apply the concepts to their projects. 
Discussion: The modules we developed facilitate embedding the teaching of security and privacy within any project-based learning experience. Embedding cybersecurity instruction within capstone experiences can help create a software workforce that is more knowledgeable about sociotechnical cybersecurity principles.
-
With the rapid growth of technology, accessing digital health records has become increasingly easier. Especially mobile health technology like mHealth apps help users to manage their health information, as well as store, share and access medical records and treatment information. Along with this huge advancement, mHealth apps are increasingly at risk of exposing protected health information (PHI) when security measures are not adequately implemented. The Health Insurance Portability and Accountability Act (HIPAA) ensures the secure handling of PHI, and mHealth applications are required to comply with its standards. But it is unfortunate to note that many mobile and mHealth app developers, along with their security teams, lack sufficient awareness of HIPAA regulations, leading to inadequate implementation of compliance measures. Moreover, the implementation of HIPAA security should be integrated into applications from the earliest stages of development to ensure data security and regulatory adherence throughout the software lifecycle. This highlights the need for a comprehensive framework that supports developers from the initial stages of mHealth app development and fosters HIPAA compliance awareness among security teams and end users. An iOS framework has been designed for integration into the Integrated Development Environment (IDE), accompanied by a web application to visualize HIPAA security concerns in mHealth app development. The web application is intended to guide both developers and security teams on HIPAA compliance, offering insights on incorporating regulations into source code, with the IDE framework enabling the identification and resolution of compliance violations during development. The aim is to encourage the design of secure and compliant mHealth applications that effectively safeguard personal health information.

