Skip to main content
SpringerLink
Log in

Privacy requirements elicitation: a systematic literature review and perception analysis of IT practitioners

  • Original Article
  • Published:
Requirements Engineering Aims and scope Submit manuscript

Abstract

During the software development process and throughout the software lifecycle, organizations must guarantee users’ privacy by protecting personal data. There are several studies in the literature proposing methodologies, techniques, and tools for privacy requirements elicitation. These studies report that practitioners must use systematic approaches to specify these requirements during initial software development activities to avoid users’ data privacy breaches. The main goal of this study is to identify which methodologies, techniques, and tools are used in privacy requirements elicitation in the literature. We have also investigated Information Technology (IT) practitioners’ perceptions regarding the methodologies, techniques, and tools identified in the literature. We have carried out a systematic literature review (SLR) to identify the methodologies, techniques, and tools used for privacy requirements elicitation. Besides, we have surveyed IT practitioners to understand their perception of using these techniques and tools in the software development process. We have found several methodologies, techniques, and tools proposed in the literature to carry out privacy requirements elicitation. Out of 78 studies cataloged within the SLR, most of them did not verify their methodologies and techniques in a practical case study or illustrative contexts (38 studies), and less than 35% of them (26 studies) experimented with their propositions within an industry context. The Privacy Safeguard method (PriS) is the best known among the 198 practitioners in the industry who participated in the survey. Moreover, use cases and user story are their most-used techniques. This qualitative and quantitative study shows a perception of IT practitioners different from those presented in other research papers and suggests that methodologies, techniques, and tools play an important role in IT practitioners’ perceptions about privacy requirements elicitation.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13

Similar content being viewed by others

References

  1. Alkubaisy D (2017) A framework managing conflicts between security and privacy requirements. In: 11th International Conference on Research Challenges in Information Science, RCIS 2017, Brighton, United Kingdom, May 10-12, 2017, IEEE, 10.1109/RCIS.2017.7956571, pp 427–432, https://doi.org/10.1109/RCIS.2017.7956571

  2. Alkubaisy D, Cox K, Mouratidis H (2019) Towards detecting and mitigating conflicts for privacy and security requirements. In: RCIS, IEEE, 10.1109/RCIS.2019.8876999, pp 1–6

  3. Amorim JA, Åhlfeldt R, Gustavsson PM, Andler SF (2013) Privacy and security in cyberspace: Training perspectives on the personal data ecosystem. In: 2013 European Intelligence and Security Informatics Conference, Uppsala, Sweden, August 12-14, 2013, https://doi.org/10.1109/EISIC.2013.30, https://dblp.org/rec/conf/eisic/AmorimAGA13.bib, pp 139–142, 10.1109/EISIC.2013.30

  4. Argyropoulos N, Shei S, Kalloniatis C, Mouratidis H, Delaney AJ, Fish A, Gritzalis S (2017) A semi-automatic approach for eliciting cloud security and privacy requirements. In: HICSS, ScholarSpace / AIS Electronic Library (AISeL), http://hdl.handle.net/10125/41749, pp 1–10

  5. Bartolini C, Daoudagh S, Lenzini G, Marchetti E (2019) Gdpr-based user stories in the access control perspective. In: QUATIC, Springer, https://doi.org/10.1007/978-3-030-29238-6_1, Communications in Computer and Information Science, vol 1010, pp 3–17

  6. Bijwe A, Mead N (2010) Adapting the square process for privacy requirements engineering (cmu/sei-2010-tn-022)

  7. Breaux TD, Rao A (2013) Formal analysis of privacy requirements specifications for multi-tier applications. In: 21st IEEE International Requirements Engineering Conference, RE 2013, Rio de Janeiro-RJ, Brazil, July 15-19, 2013, IEEE, 10.1109/RE.2013.6636701, pp 14–20, https://doi.org/10.1109/RE.2013.6636701

  8. Calazans ATS, Cerqueira AJ, Canedo ED (2020) Empathy and creativity in privacy requirements elicitation: Systematic literature review. In: WER, Editora PUC-Rio

  9. Canedo ED, Calazans ATS, Cerqueira AJ, Costa PHT, Masson ETS (2020) Using the design thinking empathy phase as a facilitator in privacy requirements elicitation. In: AMCIS, Association for Information Systems

  10. Canedo ED, Calazans ATS, Masson ETS, Costa PHT, Lima F (2020) Perceptions of ICT practitioners regarding software privacy. Entropy 22(4):429

    Article  Google Scholar 

  11. Casillo F, Deufemia V, Gravino C (2022) Detecting privacy requirements from user stories with NLP transfer learning models. CoRR abs/2202.01035, https://arxiv.org/abs/2202.01035, 2202.01035

  12. Cavoukian A (2012) Operationalizing Privacy by Design: A Guide to Implementing. Information and Privacy Commissioner, https://gpsbydesign.org/operationalizing-privacy-by-design-a-guide-to-implementing-strong-privacy-practices/

  13. Cavoukian A (2012) Privacy by design [leading edge]. IEEE Technol Soc Mag 31(4):18–19 10.1109/MTS.2012.2225459, https://doi.org/10.1109/MTS.2012.2225459

  14. Cavoukian A et al (2009) Privacy by design: The 7 foundational principles. Information and privacy commissioner of Ontario, Canada 5:1–12

    Google Scholar 

  15. Christel MG, Kang KC (1992) Issues in requirements elicitation. Technical Report CMU/SEI-92-TR-012–Carnegie Mellon University Pittsburgh Pa Software Engineering Institute https://apps.dtic.mil/sti/pdfs/ADA258932.pdf

  16. Ciolkowski M, Laitenberger O, Vegas S, Biffl S (2003) Practical experiences in the design and conduct of surveys in empirical software engineering. ESERNET, Springer, Lecture Notes in Computer Science 2765:104–128

    Article  Google Scholar 

  17. Deng M, Wuyts K, Scandariato R, Preneel B, Joosen W (2011) A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requir Eng 16(1):3–32

    Article  Google Scholar 

  18. DJSolove, (2008) Understanding Privacy. Harvard University Press, Harvard

  19. Ehécatl Morales-Trujillo M, García-Mireles GA, Matla-Cruz EO, Piattini M (2019) A systematic mapping study on privacy by design in software engineering. Clei Electronic Journal

  20. García-Mireles GA, Ehécatl Morales-Trujillo M, Piattini M, Matla-Cruz EO (2019) A systematic mapping study on privacy by design in software engineering. Clei Electronic Journal 22(1):1–20

    Google Scholar 

  21. Gharib M, Mylopoulos J (2018) A core ontology for privacy requirements engineering. CoRR abs/1811.12621:1–44, http://arxiv.org/abs/1811.12621, 1811.12621

  22. Gharib M, Salnitri M, Paja E, Giorgini P, Mouratidis H, Pavlidis M, Ruiz JF, Fernandez S, Siria AD (2016) Privacy requirements: Findings and lessons learned in developing a privacy platform. In: RE, IEEE Computer Society, 10.1109/RE.2016.13, pp 256–265

  23. Gharib M, Giorgini P, Mylopoulos J (2017) Towards an ontology for privacy requirements via a systematic literature review. In: Conceptual Modeling - 36th International Conference, ER 2017, Valencia, Spain, November 6-9, 2017, Proceedings, IEEE, https://dblp.org/rec/conf/er/GharibGM17.bib, pp 193–208, 10.1007/978-3-319-69904-2_16, https://doi.org/10.1007/978-3-319-69904-2_16

  24. Gharib M, Giorgini P, Mylopoulos J (2021) Copri vol 2 - A core ontology for privacy requirements. Data Knowl Eng 133:101888

    Article  Google Scholar 

  25. He Q, Antón AI, et al. (2003) A framework for modeling privacy requirements in role engineering. In: Procedures of REFSQ, REFSQ, https://core.ac.uk/display/21027630, vol 3, pp 137–146

  26. Kalloniatis C, Kavakli E, Gritzalis S (2007) Using privacy process patterns for incorporating privacy requirements into the system design process. In: Proceedings of the The Second International Conference on Availability, Reliability and Security, ARES 2007, The International Dependability Conference - Bridging Theory and Practice, April 10-13 2007, Vienna, Austria, IEEE, https://dblp.org/rec/conf/IEEEares/KalloniatisKG07.bib, pp 1009–1017, 10.1109/ARES.2007.156, https://doi.org/10.1109/ARES.2007.156

  27. Kalloniatis C, Kavakli E, Kontellis E (2009) Pris tool: A case tool for privacy-oriented requirements engineering. In: MCIS, Athens University of Economics and Business / AISeL, https://aisel.aisnet.org/mcis2009/71/, p 71

  28. Kalloniatis C, Mouratidis H, Islam S (2013) Evaluating cloud deployment scenarios based on security and privacy requirements. Requir Eng 18(4):299–319

    Article  Google Scholar 

  29. Kitchenham B, Charters S (2007) Guidelines for performing systematic literature reviews in software engineering ebse technical report ebse-2007-01. Keele University, Keele, UK 1:1–65

    Google Scholar 

  30. Kitchenham BA, Pfleeger SL (2008) Personal opinion surveys. In: Guide to Advanced Empirical Software Engineering, Springer, pp 63–92

  31. Kumar R, Schivo S, Ruijters E, Yildiz BM, Huistra D, Brandt J, Rensink A, Stoelinga M (2018) Effective analysis of attack trees: A model-driven approach. FASE, Springer, Lecture Notes in Computer Science 10802:56–73

    Article  Google Scholar 

  32. Levy M, Hadar I (2018) The importance of empathy for analyzing privacy requirements. In: ESPRE@RE, IEEE, 10.1109/ESPRE.2018.00008, pp 9–13

  33. Lim T, Chua F, Tajuddin BB (2018) Elicitation techniques for internet of things applications requirements: A systematic review. In: ICNCC, ACM, https://doi.org/10.1145/3301326.3301360, pp 182–188

  34. Macedo PN (2018) Brazilian general data protection law (lgpd). Brazilian National, accessed on October 18, 2019 1(1):1–16, https://www.pnm.adv.br/wp-content/uploads/2018/08/Brazilian-General-Data-Protection-Law.pdf

  35. Mead NR, Abu-Nimeh S (2019) Security and privacy requirements engineering. In: Cyber Law, Privacy, and Security: Concepts, Methodologies, Tools, and Applications, IGI Global, pp 1711–1729

  36. Mead NR, Miyazaki S, Zhan J (2011) Integrating privacy requirements considerations into a security requirements engineering method and tool. IJIPSI 1(1):106–12610.1504/IJIPSI.2011.043733,https://doi.org/10.1504/IJIPSI.2011.043733

  37. Miyazaki S, Mead NR, Zhan J (2008) Computer-aided privacy requirements elicitation technique. In: APSCC, IEEE Computer Society, 10.1109/APSCC.2008.263, pp 367–372

  38. Monfared YA, Benslimane Y, Yang Z (2018) Information privacy practices in organizations: Activities, knowledge and skill requirements for information technology professionals. In: 2018 IEEE International Conference on Industrial Engineering and Engineering Management, IEEM 2018, Bangkok, Thailand, December 16-19, 2018, IEEE, 10.1109/IEEM.2018.8607336, pp 1001–1005, https://doi.org/10.1109/IEEM.2018.8607336

  39. Netto D, Peixoto MM, Silva C (2019) Privacy and security in requirements engineering: Results from a systematic literature mapping. In: WER, Editora PUC-Rio, http://wer.inf.puc-rio.br/WERpapers/artigos/artigos_WER19/WER_2019_paper_14.pdf, pp 1–15

  40. Neureiter C, Eibl G, Veichtlbauer A, Engel D (2013) Towards a framework for engineering smart-grid-specific privacy requirements. In: IECON 2013 - 39th Annual Conference of the IEEE Industrial Electronics Society, Vienna, Austria, November 10-13, 2013, IEEE, https://dblp.org/rec/conf/iecon/NeureiterEVE13.bib, pp 4803–4808, 10.1109/IECON.2013.6699912, https://doi.org/10.1109/IECON.2013.6699912

  41. Pacheco CL, García IA, Reyes M (2018) Requirements elicitation techniques: a systematic literature review based on the maturity of the techniques. IET Softw 12(4):365–378

    Article  Google Scholar 

  42. Patil S, Kobsa A (2004) Preserving privacy in awareness systems. In: Wissen in Aktion, pp 119–130

  43. Pattakou A, Mavroeidi AG, Diamantopoulou V, Kalloniatis C, Gritzalis S, (2018) Towards the design of usable privacy by design methodologies. In, (2018) IEEE 5th International Workshop on Evolving Security & Privacy Requirements Engineering (ESPRE). IEEE. https://doi.org/10.1109/ESPRE.2018.00007, pp 1-8

  44. Peixoto MM (2020) Privacy requirements engineering in agile software development: a specification method. In: Joint Proceedings of REFSQ-2020 Workshops, Doctoral Symposium, Live Studies Track, and Poster Track co-located with the 26th International Conference on Requirements Engineering: Foundation for Software Quality (REFSQ 2020), Pisa, Italy, March 24, 2020, IEEE, https://dblp.org/rec/conf/refsq/Peixoto20.bib, pp 1–7, http://ceur-ws.org/Vol-2584/DS-paper1.pdf

  45. Peixoto MM, Ferreira D, Cavalcanti M, Silva C, Vilela J, Araújo J, Gorschek T (2020) On understanding how developers perceive and interpret privacy requirements research preview. REFSQ, Springer, Lecture Notes in Computer Science 12045:116–123

    Article  Google Scholar 

  46. Pfleeger CP, Pfleeger SL (2002) Security in computing. Prentice Hall, Prentice Hall Professional Technical Reference

    MATH  Google Scholar 

  47. Rzepka WE (1989) A requirements engineering testbed: concept, status and first results. In: Proceedings of the Twenty-Second Annual Hawaii International Conference on System Sciences. Volume II: Software Track, IEEE Computer Society, vol 2, pp 339–340

  48. Sindre G, Opdahl AL (2005) Eliciting security requirements with misuse cases. Requir Eng 10(1):34–44, http://www.springerlink.com/index/10.1007/s00766-004-0194-4

  49. Skinner G, Chang E (2005) Pp-sdlc the privacy protecting systems development life cycle. Proceedings of the IPSI-2005 France

  50. Stach C, Steimle F (2019) Recommender-based privacy requirements elicitation - EPICUREAN: an approach to simplify privacy settings in iot applications with respect to the GDPR. In: SAC, ACM, https://doi.org/10.1145/3297280.3297432, pp 1500–1507

  51. Strauss A, Corbin J (1998) Basics of qualitative research techniques. Sage Publications, Citeseer

    Google Scholar 

  52. Thomas K, Bandara AK, Price BA, Nuseibeh B (2014) Distilling privacy requirements for mobile applications. In: 36th International Conference on Software Engineering, ICSE ’14, Hyderabad, India - May 31 - June 07, 2014, ACM, 10.1145/2568225.2568240, pp 871–882, https://doi.org/10.1145/2568225.2568240

  53. Tøndel IA, Jaatun MG, Meland PH (2008) Security requirements for the rest of us: A survey. IEEE Software 25(1):20–27 10.1109/MS.2008.19, https://doi.org/10.1109/MS.2008.19

  54. Union E (2018) General data protection regulation (gdpr). Intersoft Consulting, Accessed on October 24, 2019 1(1):1–100, https://gdpr-info.eu/

  55. Veseli F, Serna-Olvera J, Pulls T, Rannenberg K (2019) Engineering privacy by design: lessons from the design and implementation of an identity wallet platform. In: Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, SAC 2019, Limassol, Cyprus, April 8-12, 2019, ACM, https://dblp.org/rec/conf/sac/VeseliSPR19.bib, pp 1475–1483, 10.1145/3297280.3297429, https://doi.org/10.1145/3297280.3297429

  56. Yu E, Cysneiros L (2002) Designing for privacy and other competing requirements. In: 2nd Symposium on Requirements Engineering for Information Security (SREIS’02), Raleigh, North Carolina, Citeseer, http://citeseerx.ist.psu.edu/, pp 15–16

  57. Yu E, Giorgini P, Maiden N, Mylopoulos J (2011) Social modeling for requirements engineering: An introduction. Social Modeling for Requirements Engineering 1:3–10

    Google Scholar 

  58. Zowghi D, Coulin C (2005) Requirements elicitation: A survey of techniques, approaches, and tools. Engineering and Managing Software Requirements pp 19–46, https://doi.org/10.1007/3-540-28244-0_2, https://link.springer.com/chapter/10.1007/3-540-28244-0_2#citeas

Download references

Acknowledgments

We want to thank all survey participants and the National Council of Justice for supporting this research. This work has been partially supported by FAP-DF (the Brazilian Federal District Research Foundation).

Author information

Authors and Affiliations

  1. Department of Computer Science, University of Brasília (UnB), P.O. Box 4466, Brasília, DF, CEP 70910-900, Brazil

    Edna Dias Canedo, Ian Nery Bandeira, Pedro Henrique Teixeira Costa, Emille Catarine Rodrigues Cançado & Rodrigo Bonifácio

  2. University Center – UniCEUB, Brasília–DF, Brazil

    Angelica Toffano Seidel Calazans

Authors
  1. Edna Dias Canedo
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ian Nery Bandeira
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Angelica Toffano Seidel Calazans
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Pedro Henrique Teixeira Costa
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Emille Catarine Rodrigues Cançado
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Rodrigo Bonifácio
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Edna Dias Canedo.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Supplementary Information

Below is the link to the electronic supplementary material.

Supplementary material 1 (PDF 161 kb)

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Canedo, E.D., Bandeira, I.N., Calazans, A.T. et al. Privacy requirements elicitation: a systematic literature review and perception analysis of IT practitioners. Requirements Eng 28, 177–194 (2023). https://doi.org/10.1007/s00766-022-00382-8

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00766-022-00382-8

Keywords

Search

Navigation