Title: Modeling, Analyzing and Communicating Regulatory Ambiguity: An Empirical Study
Regulations outline high-level guidance or expectations for a profession or industry. Analyzing laws or regulations is one way a software developer derives and documents regulatory compliance requirements within a software design. However, ambiguities within regulations can make it challenging to define technical software design specifications for regulatory requirements. Further, because ambiguous phrasing within a law or regulation is inherently subjective, the interpretation of the legal text can differ depending on the interpreter's perspective. Our study examines whether software developers can analyze regulatory ambiguities as a group using our modeling process and our online Ambiguity Heuristics Analysis Builder (AHAB) tool. Eleven participants formed three groups and modeled ambiguities within a regulation using our process and tool. Modeling regulatory ambiguity, while difficult for our participants, allowed them to communicate potential issues, ask meaningful questions, and deepen their knowledge of the regulation. Ambiguity modeling allows developers to articulate interpretation and compliance issues with the laws to other parties (e.g., lawyers) and to document this requirements-analysis step for future use. Documenting these intermediate steps is rarely highlighted in requirements analysis. However, it is useful for negotiating with regulators, avoiding negligence, and showing due diligence toward regulatory compliance. It can also lead to the clarifying guidance software developers need to make better, more compliant choices during software design.
Award ID(s):
1938121
PAR ID:
10521634
Publisher / Repository:
Workshop on Multi-disciplinary, Open, and RElevant Requirements Engineering, co-located with International Conference on Software Engineering (ICSE 2024). IEEE/ACM
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. Software systems are increasingly expected to address a broad range of stakeholder values, representing both personal and societal values as well as values codified in laws and regulations. Whereas laws and regulations must be fully addressed, other human values need to be carefully analyzed and prioritized within the context of candidate architectural designs. Whereas the majority of prior work has investigated requirements engineering techniques for either regulatory compliance or for human values, we take an integrated approach which simultaneously considers laws and regulations as well as societal and personal human values throughout the system analysis, specification, and design process. We illustrate our approach through detailed examples drawn from a multi-drone system regulated by the U.S. Federal Aviation Administration (FAA) and operating in a domain rich with human and societal values. We then discuss requirements engineering challenges and solutions unique to identifying, analyzing, and prioritizing human, societal, and regulatory requirements, and ultimately to designing accountable software systems.
  2. Compliance reviews within a software organization are internal attempts to verify regulatory and security requirements during product development, before release. However, these reviews are not enough to adequately assess and address regulatory and security requirements throughout a software product's development lifecycle. We believe requirements engineers can benefit from an improved understanding of how software practitioners treat and perceive compliance requirements. This paper describes an interview study seeking to understand how regulatory and security standard requirements are addressed, how burdensome they may be for businesses, and how our participants perceived them in the software development lifecycle. We interviewed 15 software practitioners from 13 organizations with different roles in the software development process and working in various industry domains, including big tech, healthcare, data analysis, finance, and small businesses. Our findings suggest that, for our participants, the software release process is the ultimate focus for regulatory and security compliance reviews. Also, most participants suggested that having a defined process for addressing compliance requirements was freeing rather than burdensome. Finally, participants generally saw compliance requirements as an investment for both employees and customers. These findings may be unintuitive, and we discuss seven lessons this work may hold for requirements engineering.
  3. Software systems, particularly those in safety-critical domains or those handling personal data and financial transactions, must navigate a complex landscape of legal regulations while also aligning with societal values. Prior research has largely focused on either regulatory compliance or human values, but rarely on their integration. This paper introduces the Accountable Design Process (ADP), supported by the Accountable Design Assistant (ADA)—an LLM-driven tool that identifies relevant laws, maps them to societal values, and evaluates candidate design solutions from both legal and ethical perspectives. We demonstrate ADP’s ecological validity through two case studies: a Wireless Baby Monitor and multi-vehicle autonomous Uncrewed Aerial Systems. Additionally, a focus group of domain experts reviewed the outcomes of the second case study, providing initial validation of the approach. The results illustrate how ADP’s dual emphasis on legal compliance and societal values can effectively support the development of accountable, regulation-aligned systems. 
  4. Privacy regimes are increasingly taking center stage, bringing cases against violators and introducing new regulations to safeguard consumer rights. Health regulations largely predate the generic privacy regulations. However, we still see health entities fail to meet regulatory requirements. Prior work suggests that third-party code is responsible for a significant portion of these violations. Hence, we propose using Software Bills of Materials (SBOMs) as an effective intervention for communicating the compliance limitations and expectations surrounding third-party code, to help developers make informed decisions.
  5. Regulatory documents are complex and lengthy, making full compliance a challenging task for businesses. Similarly, privacy policies provided by vendors frequently fall short of the necessary legal standards due to insufficient detail. To address these issues, we propose a solution that leverages a Large Language Model (LLM) in combination with Semantic Web technology. This approach aims to clarify regulatory requirements and ensure that organizations' privacy policies align with the relevant legal frameworks, ultimately simplifying the compliance process, reducing privacy risks, and improving efficiency. In this paper, we introduce a novel tool, the Privacy Policy Compliance Verification Knowledge Graph, referred to as PrivComp-KG. PrivComp-KG is designed to efficiently store and retrieve comprehensive information related to privacy policies, regulatory frameworks, and domain-specific legal knowledge. By utilizing an LLM and Retrieval-Augmented Generation (RAG), we can accurately identify relevant sections in privacy policies and map them to the corresponding regulatory rules. Our LLM-based retrieval system has demonstrated a high level of accuracy, achieving a correctness score of 0.9 and outperforming other models in privacy policy analysis. The information extracted from individual privacy policies is then integrated into the PrivComp-KG. By combining this data with contextual domain knowledge and regulatory rules, PrivComp-KG can be queried to assess each vendor's compliance with applicable regulations. We demonstrate the practical utility of PrivComp-KG by verifying the compliance of privacy policies across various organizations. This approach not only helps policy writers better understand legal requirements but also enables them to identify gaps in existing policies and update them in response to evolving regulations.