skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Modeling, Analyzing and Communicating Regulatory Ambiguity: An Empirical study
Regulations outline high-level guidance or expectations for a profession or industry. Analyzing laws or regulations is one way a software developer would derive and document regulatory compliance requirements within their software design. However, ambiguities within regulations can make it challenging to define technical software design specifications for regulatory requirements. Further, due to the subjective nature of ambiguous phrasing within a law or regulation, the interpretation of the legal text can differ based on the interpreter’s perspective. Our study examines whether software developers can analyze regulatory ambiguities as a group using our modeling process and our online Ambiguity Heuristics Analysis Builder (AHAB) tool. Eleven participants formed three groups and modeled ambiguities within a regulation using our process and tool. Modeling regulatory ambiguity, while difficult for our participants, allowed them to communicate potential issues, ask meaningful questions, and deepen their knowledge of the regulation. Ambiguity modeling allows developers to articulate interpretation and compliance issues with the laws to other parties (i.e., lawyers) and document this requirement analysis step for future use. Documenting these intermediate steps is rarely highlighted in requirement analysis. However, it is useful to negotiate with regulators, avoid negligence, and show due diligence toward regulatory compliance. It can also lead to clarifying guidance software developers need to make better, more compliant choices during software design.  more » « less
Award ID(s):
1938121
PAR ID:
10521634
Author(s) / Creator(s):
; ; ; ;
Publisher / Repository:
Workshop on Multi-disciplinary, Open, and RElevant Requirements Engineering, co-located with International Conference on Software Engineering (ICSE 2024). IEEE/ACM
Date Published:
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; (, 31st {IEEE} International Requirements Engineering Conference, {RE} 2023, Hannover, Germany, September 4-8, 2023)
    Software systems are increasingly expected to address a broad range of stakeholder values representing both personal and societal values as well as values ensconced as laws and regulations. Whereas laws and regulations must be fully addressed, other human values need to be carefully analyzed and prioritized within the context of candidate architectural designs. The majority of prior work has investigated requirements engineering techniques for either regulatory compliance or for human-values, we take an integrated approach which simultaneously considers laws and regulations as well as societal and personal human values throughout the system analysis, specification, and design process. We illustrate our approach through detailed examples drawn from a multi-drone system regulated by the USA Federal Aviation Authority (FAA) and operating in a domain rich with human and societal values. We then discuss requirements engineering challenges and solutions unique to identifying analyzing, and prioritizing human, societal, and regulatory requirements, and ultimately for designing accountable software systems. 
    more » « less
  2. ; (, 2021 IEEE 29th International Requirements Engineering Conference (RE))
    Compliance reviews within a software organization are internal attempts to verify regulatory and security requirements during product development before its release. However, these reviews are not enough to adequately assess and address regulatory and security requirements throughout a software’s development lifecycle. We believe requirements engineers can benefit from an improved understanding of how software practitioners treat and perceive compliance requirements. This paper describes an interview study seeking to understand how regulatory and security standard requirements are addressed, how burdensome they may be for businesses, and how our participants perceived them in the software development lifecycle. We interviewed 15 software practitioners from 13 organizations with different roles in the software development process and working in various industry domains, including big tech, healthcare, data analysis, finance, and small businesses. Our findings suggest that, for our participants, the software release process is the ultimate focus for regulatory and security compliance reviews. Also, most participants suggested that having a defined process for addressing compliance requirements was freeing rather than burdensome. Finally, participants generally saw compliance requirements as an investment for both employees and customers. These findings may be unintuitive, and we discuss seven lessons this work may hold for requirements engineering. 
    more » « less
  3. (, IEEE Workshop on Technology and Consumer Protection (ConPro ’24))
    Privacy regimes are increasingly taking center stage for bringing up cases against violators or introducing new regulations to safeguard consumer rights. Health regulations mostly predate most of the generic privacy regulations. However, we still see how health entities fail to meet regulatory requirements. Prior work suggests that third-party code is responsible for a significant portion of these violations. Hence, we propose using Software Bills of Materials (SBOM) as an effective intervention for communicating compliance limitations and expectations surrounding third-party code to help developers make informed decisions. 
    more » « less
  4. ; ; ; ; ; (, IEEE)
    Regulatory documents are complex and lengthy, making full compliance a challenging task for businesses. Similarly, privacy policies provided by vendors frequently fall short of the necessary legal standards due to insufficient detail. To address these issues, we propose a solution that leverages a Large Language Model (LLM) in combination with Semantic Web technology. This approach aims to clarify regulatory requirements and ensure that organizations’ privacy policies align with the relevant legal frameworks, ultimately simplifying the compliance process, reducing privacy risks, and improving efficiency. In this paper, we introduce a novel tool, the Privacy Policy Compliance Verification Knowledge Graph, referred to as PrivComp-KG. PrivComp-KG is designed to efficiently store and retrieve comprehensive information related to privacy policies, regulatory frameworks, and domain-specific legal knowledge. By utilizing LLM and Retrieval Augmented Generation (RAG), we can accurately identify relevant sections in privacy policies and map them to the corresponding regulatory rules. Our LLM-based retrieval system has demonstrated a high level of accuracy, achieving a correctness score of 0.9, outperforming other models in privacy policy analysis. The extracted information from individual privacy policies is then integrated into the PrivComp-KG. By combining this data with contextual domain knowledge and regulatory rules, PrivComp-KG can be queried to assess each vendor’s compliance with applicable regulations. We demonstrate the practical utility of PrivComp-KG by verifying the compliance of privacy policies across various organizations. This approach not only helps policy writers better understand legal requirements but also enables them to identify gaps in existing policies and update them in response to evolving regulations. 
    more » « less
  5. ; ; (, ACM Transactions on Computing Education)
    Nearly all software built today impinges upon end-user privacy and needs to comply with relevant regulations. Therefore, there have been increasing calls for integrating considerations of compliance with privacy regulations throughout the software engineering lifecycle. However, software engineers are typically trained in the technical fields and lack sufficient knowledge and support for sociotechnical considerations of privacy. Privacy ideation cards attempt to address this issue by making privacy compliance understandable and actionable for software developers. However, the application of privacy ideation cards in real-world software projects has not yet been systemically investigated. The effectiveness of ideation cards as a pedagogical tool has not yet been examined either. We address these gaps by studying how teams of undergraduate students applied privacy ideation cards in capstone projects that involved building real-world software for industry sponsors. We found that privacy ideation cards fostered greater consideration and understanding of the extent to which the projects aligned with privacy regulations. We identified three main themes from student discussions of privacy compliance: (i) defining personal data; (ii) assigning responsibility for privacy compliance; and (iii) determining and exercising autonomy. The results suggest that application of the cards for real-world projects requires careful consideration of intersecting factors such as the stage at which the cards are used and the autonomy available to the developers. Pedagogically, ideation cards can facilitate low-level cognitive engagement (especially the cognitive processes of meaning construction and interpretation) for specific components within a project. Higher-level cognitive processes were comparatively rare in ideation sessions. These findings provide important insight to help enhance capstone instruction and to improve privacy ideation cards to increase their impact on the privacy properties of the developed software. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email