Abstract
Privacy has been frequently identified as a main concern for systems that deal with personal information. However, much of existing work on privacy requirements deals with them as a special case of security requirements, thereby overlooking key aspects of privacy. In this paper, we address this problem by proposing an ontology for privacy requirements. The ontology is mined from the literature through a systematic literature review whose main purpose is to identify key concepts/relationships for capturing privacy requirements. In addition, identified concepts/relations are further analyzed to identify redundancies and semantic overlaps.
Keywords
This is a preview of subscription content, log in via an institution.
Notes
- 1.
A detailed version of the systematic literature review can be found at [12].
- 2.
Secondary studies can be found in the related work section.
- 3.
In the case of multiple synonyms, some were omitted.
- 4.
The frequency of appearance for each concept/relation can be found in [12].
- 5.
The percentage of the concepts/relations covered by each study can be found in [12].
References
Gharib, M., Salnitri, M., Paja, E., Giorgini, P., Mouratidis, H., Pavlidis, M., Ruiz, J.F., Fernandez, S., Della Siria, A.: Privacy requirements: findings and lessons learned in developing a privacy platform. In: The 24th International Requirements Engineering Conference (RE), pp. 256–265. IEEE (2016)
Hong, J.I., Ng, J.D., Lederer, S., Landay, J.A.: Privacy risk models for designing privacy-sensitive ubiquitous computing systems. In: Proceedings of the 5th Conference on Designing Interactive Systems: Processes, Practices, Methods, and Techniques, pp. 91–100. ACM (2004)
Labda, W., Mehandjiev, N., Sampaio, P.: Modeling of privacy-aware business processes in BPMN to protect personal data. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, pp. 1399–1405. ACM (2014)
Kalloniatis, C., Kavakli, E., Gritzalis, S.: Addressing privacy requirements in system design: the PriS method. Requirements Eng. 13(3), 241–255 (2008)
Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. J. Softw. Eng. Knowl. Eng. 17(2), 285–309 (2007)
Zannone, N.: A requirements engineering methodology for trust, security, and privacy. Ph.D. thesis, University of Trento (2006)
Solove, D.J.: A taxonomy of privacy. Univ. Pa. Law Rev. 154, 477–564 (2006)
Souag, A., Salinesi, C., Mazo, R., Comyn-Wattiau, I.: A security ontology for security requirements elicitation. In: Piessens, F., Caballero, J., Bielova, N. (eds.) ESSoS 2015. LNCS, vol. 8978, pp. 157–177. Springer, Cham (2015). doi:10.1007/978-3-319-15618-7_13
Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: 11th International RE Conference, pp. 151–161. IEEE (2003)
Kitchenham, B.: Procedures for performing systematic reviews. UK Keele Univ. 33, 1–26 (2004)
Kitchenham, B., Charters, S.: Guidelines for performing systematic literature reviews in software engineering. Technical report, Keele University (2007)
Gharib, M., Giorgini, P., Mylopoulos, J.: Ontologies for privacy requirements engineering: a systematic literature review. arXiv preprint arXiv:1611.10097 (2016)
Van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: Proceedings of the 26th International Conference on Software Engineering, pp. 148–157. IEEE Computer Society (2004)
Braghin, S., Coen-Porisini, A., Colombo, P., Sicari, S., Trombetta, A.: Introducing privacy in a hospital information system. In: Proceedings of the Fourth International Workshop on Software Engineering for Secure Systems, pp. 9–16. ACM (2008)
Singhal, A., Wijesekera, D.: Ontologies for modeling enterprise level security metrics. In: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, p. 58. ACM (2010)
Wang, J.A., Guo, M.: OVM: an ontology for vulnerability management. In: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research, p. 34. ACM (2009)
Velasco, J.L., Valencia-García, R., Fernández-Breis, J.T., Toval, A., et al.: Modelling reusable security requirements based on an ontology framework. J. Res. Pract. Inf. Technol. 41(2), 119 (2009)
Souag, A., Salinesi, C., Wattiau, I., Mouratidis, H.: Using security and domain ontologies for security requirements analysis. In: Computer Software and Applications Conference Workshops (COMPSACW), pp. 101–107. IEEE (2013)
Tsoumas, B., Gritzalis, D.: Towards an ontology-based security management. In: 20th International Conference on Advanced Information Networking and Applications (AINA), vol. 1, pp. 985–992. IEEE (2006)
Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling security requirements through ownership, permission and delegation. In: 13th International Conference on Requirements Engineering, pp. 167–176. IEEE (2005)
Kang, W., Liang, Y.: A security ontology with MDA for software development. In: 2013 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), pp. 67–74. IEEE (2013)
Massacci, F., Mylopoulos, J., Paci, F., Tun, T.T., Yu, Y.: An extended ontology for security requirements. In: Salinesi, C., Pastor, O. (eds.) CAiSE 2011. LNBIP, vol. 83, pp. 622–636. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22056-2_64
Elahi, G., Yu, E., Zannone, N.: A modeling ontology for integrating vulnerabilities into security requirements conceptual foundations. In: Laender, A.H.F., Castano, S., Dayal, U., Casati, F., de Oliveira, J.P.M. (eds.) ER 2009. LNCS, vol. 5829, pp. 99–114. Springer, Heidelberg (2009). doi:10.1007/978-3-642-04840-1_10
Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Eng. 10(1), 34–44 (2005)
Fenz, S., Ekelhart, A.: Formalizing information security knowledge. In: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pp. 183–194. ACM (2009)
Asnar, Y., Moretti, R., Sebastianis, M., Zannone, N.: Risk as dependability metrics for the evaluation of business solutions: a model-driven approach. In: Third Conference on Availability, Reliability and Security, ARES 2008, pp. 1240–1247. IEEE (2008)
den Braber, F., Dimitrakos, T., Gran, B.A., Lund, M.S., Stølen, K., Aagedal, J.: The CORAS methodology: model-based risk assessment using UML and up. UML Unified Process 332–357 (2003)
Elahi, G., Yu, E., Zannone, N.: A vulnerability-centric requirements engineering framework: analyzing security attacks, countermeasures, and requirements based on vulnerabilities. Requirements Eng. 15(1), 41–62 (2010)
Jürjens, J.: UMLsec: extending UML for secure systems development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002). doi:10.1007/3-540-45800-X_32
Matulevičius, R., Mayer, N., Mouratidis, H., Dubois, E., Heymans, P., Genon, N.: Adapting secure tropos for security risk management in the early phases of information systems development. In: Bellahsène, Z., Léonard, M. (eds.) CAiSE 2008. LNCS, vol. 5074, pp. 541–555. Springer, Heidelberg (2008). doi:10.1007/978-3-540-69534-9_40
Røstad, L.: An extended misuse case notation: including vulnerabilities and the insider threat. In: International Working Conference on Requirements Engineering: Foundation for Software Quality, pp. 33–34. Springer (2006). doi:10.1.1.106.8353
Mayer, N.: Model-based management of information system security risk. Ph.D. thesis, University of Namur (2009)
Dritsas, S., Gymnopoulos, L., Karyda, M., Balopoulos, T., Kokolakis, S., Lambrinoudakis, C., Katsikas, S.: A knowledge-based approach to security requirements for e-health applications. J. E-Commer. Tools Appl. 2, 1–24 (2006)
Lin, L., Nuseibeh, B., Ince, D., Jackson, M., Moffett, J.: Introducing abuse frames for analysing security requirements. In: 11th Requirements Engineering International Conference, pp. 371–372. IEEE (2003)
Avizienis, A., Laprie, J.C., Randell, B., Landwehr, C.: Basic concepts and taxonomy of dependable and secure computing. IEEE Trans. Dependable Secure Comput. 1(1), 11–33 (2004)
Asnar, Y., Giorgini, P., Massacci, F., Zannone, N.: From trust to dependability through risk analysis. In: The Second International Conference on Availability, Reliability and Security, ARES 2007, pp. 19–26. IEEE (2007)
Asnar, Y., Giorgini, P., Mylopoulos, J.: Risk modelling and reasoning in goal models, DIT-06-008. Technical report, Universitá degli studi di Trento (2006)
Paja, E., Dalpiaz, F., Giorgini, P.: STS-tool: security requirements engineering for socio-technical systems. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds.) Engineering Secure Future Internet Services and Systems. LNCS, vol. 8431, pp. 65–96. Springer, Cham (2014). doi:10.1007/978-3-319-07452-8_3
Van Blarkom, G., Borking, J., Olk, J.: Handbook of privacy and privacy-enhancing technologies. Privacy Incorporated Software Agent Consortium, The Hague (2003)
Gharib, M., Giorgini, P.: Analyzing trust requirements in socio-technical systems: a belief-based approach. In: Ralyté, J., España, S., Pastor, Ó. (eds.) PoEM 2015. LNBIP, vol. 235, pp. 254–270. Springer, Cham (2015). doi:10.1007/978-3-319-25897-3_17
Runeson, P., Höst, M.: Guidelines for conducting and reporting case study research in software engineering. Empir. Softw. Eng. 14(2), 131–164 (2009)
Souag, A., Salinesi, C., Comyn-Wattiau, I.: Ontologies for security requirements: a literature survey and classification. In: Bajec, M., Eder, J. (eds.) CAiSE 2012. LNBIP, vol. 112, pp. 61–69. Springer, Heidelberg (2012). doi:10.1007/978-3-642-31069-0_5
Blanco, C., Lasheras, J., Valencia-García, R., Fernández-Medina, E., Toval, A., Piattini, M.: A systematic review and comparison of security ontologies. In: 3rd Conference on Availability, Reliability and Security, pp. 813–820. IEEE (2008)
Fabian, B., Gürses, S., Heisel, M., Santen, T., Schmidt, H.: A comparison of security requirements engineering methods. Requirements Eng. 15(1), 7–40 (2010)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Gharib, M., Giorgini, P., Mylopoulos, J. (2017). Towards an Ontology for Privacy Requirements via a Systematic Literature Review. In: Mayr, H., Guizzardi, G., Ma, H., Pastor, O. (eds) Conceptual Modeling. ER 2017. Lecture Notes in Computer Science(), vol 10650. Springer, Cham. https://doi.org/10.1007/978-3-319-69904-2_16
Download citation
DOI: https://doi.org/10.1007/978-3-319-69904-2_16
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-69903-5
Online ISBN: 978-3-319-69904-2
eBook Packages: Computer ScienceComputer Science (R0)