Skip to main content

Advertisement

Springer Nature Link
Log in

Evaluating a privacy requirements specification method by using a mixed-method approach: results and lessons learned

  • Original Article
  • Published:
Requirements Engineering Aims and scope Submit manuscript

Abstract

Although agile software development (ASD) has been adopted in the industry, requirements approaches for ASD still neglect non-functional requirements. Privacy has become a concern due to new user demands and data protection laws. Hence, privacy needs to be properly specified, but agile requirements engineering techniques do not explicitly represent privacy requirements and, therefore, are not able to proper analyze such requirements. In this context, Privacy Criteria Method (PCM), an approach to specify privacy in requirements activities, was proposed to produce more complete and detailed privacy requirements. By considering PCM a promising approach to be used in ASD and the importance of empirical evaluation of new methods, we have as objectives: 1 evaluate the ability of PCM to support systems analysts in specifying privacy requirements when used in conjunction with some agile specification methods; and 2 show our lessons learned in conducting empirical research based on an mix-method approach defined to empirically evaluate the suitability of a requirements specification in specifying privacy requirements. Mixed-method approach is a controlled experiment as a quantitative evaluation and a feasibility study (questionnaire and task analysis based) study as a qualitative and quantitative evaluation. The requirements specifications following PCM allow to represent privacy aspects, such as user’s personal data and the privacy mechanism that can be used to mitigate a privacy risk scenario. We also observed that some extra time is necessary to specify privacy requirements with PCM, but it does not imply a greater perceived effort. Specifications produced with PCM are of good quality and more privacy detailed. Additionally, we attest to the importance of conducting empirical research to evaluate new methods. PCM assists in specifying more complete and detailed in relation to traditional techniques used in ASD, which facilitates communication between the requirements analysts and developers.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Availability of data and material

More details about the materials produced, including questionnaires, can be found here: google/document.

References

  1. AbdElazim K, Moawad R, Elfakharany E (2020) A framework for requirements prioritization process in Agile software development. J Phys Conf Ser 1454:012001. https://doi.org/10.1088/1742-6596/1454/1/012001

    Article  Google Scholar 

  2. Alharbi S, Drew S (2014) Using the technology acceptance model in understanding academics’ behavioural intention to use learning management systems. Int J Adv Comput Sci Appl 5(1):143–155. https://doi.org/10.14569/IJACSA.2014.050120

    Article  Google Scholar 

  3. Altman I (1975) The environment and social behavior: privacy, personal space, territory, and crowding. ERIC

  4. Ambreen T, Ikram N, Usman M, Niazi M (2018) Empirical research in requirements engineering: trends and opportunities. Requirements Eng 23(1):63–95. https://doi.org/10.1007/s00766-016-0258-2

    Article  Google Scholar 

  5. Antón AI, Earp JB (2001) Strategies for developing policies and requirements for secure and private electronic commerce. In: E-commerce security and privacy. Springer, Boston, pp 67–86. https://doi.org/10.1007/978-1-4615-1467-1_5

  6. Assembly UG (1948) Universal declaration of human rights. UN General Assembly 302(2)

  7. Ayala-Rivera V, Pasquale L (2018) The grace period has ended: an approach to operationalize GDPR requirements. In: 2018 IEEE 26th international requirements engineering conference (RE). IEEE, pp 136–146. https://doi.org/10.1109/RE.2018.00023

  8. Ayed GB, Ghernaouti-Hélie S (2011) Privacy requirements specification for digital identity management systems implementation: towards a digital society of privacy. In: 2011 international conference for internet technology and secured transactions (ICITST). IEEE, pp 602–607. https://ieeexplore.ieee.org/abstract/document/6148406

  9. Bartolini C, Daoudagh S, Lenzini G, Marchetti E (2019) GDPR-based user stories in the access control perspective. In: Quality of information and communications technology. Springer, Cham, pp 3–17. https://doi.org/10.1007/978-3-030-29238-6_1

  10. Basso T, Montecchi L, Moraes R, Jino M, Bondavalli A (2015) Towards a UML profile for privacy-aware applications. In: 2015 IEEE international conference on computer and information technology; ubiquitous computing and communications; dependable, autonomic and secure computing; pervasive intelligence and computing, pp 371–378. https://doi.org/10.1109/CIT/IUCC/DASC/PICOM.2015.53

  11. Behutiye W, Karhapää P, Costal D, Oivo M, Franch X (2017) Non-functional requirements documentation in Agile software development: challenges and solution proposal. In: Product-focused software process improvement. Springer, Cham, pp 515–522. https://doi.org/10.1007/978-3-319-69926-4_41

  12. Bijwe A, Mead N (2010) Adapting the square process for privacy requirements engineering. Software Engineering Institute. Carnegie Mellon University, technical report, CMU/SEI-2010-TN-022. Technical report. https://resources.sei.cmu.edu/asset_files/technicalnote/2010_004_001_15185.pdf

  13. Bik N, Lucassen G, Brinkkemper S (2017) A reference method for user story requirements in Agile systems development. In: 2017 IEEE 25th international requirements engineering conference workshops (REW), pp 292–298. https://doi.org/10.1109/REW.2017.83

  14. Brandeis L, Warren S (1890) The right to privacy. Harv Law Rev 4(5):193–220

    Article  Google Scholar 

  15. Canedo ED, Bandeira IN, Calazans ATS, Costa PHT, Cançado ECR, Bonifácio R (2022) Privacy requirements elicitation: a systematic literature review and perception analysis of it practitioners. Requir Eng. https://doi.org/10.1007/s00766-022-00382-8

    Article  Google Scholar 

  16. Carver J, Jaccheri L, Morasca S, Shull F (2003) Issues in using students in empirical studies in software engineering education. In: Proceedings. 5th international workshop on enterprise networking and computing in healthcare industry (IEEE Cat. No.03EX717), pp 239–249. https://doi.org/10.1109/METRIC.2003.1232471

  17. Carver JC, Jaccheri L, Morasca S, Shull F (2010) A checklist for integrating student empirical studies with research and teaching goals. Empir Softw Eng 15(1):35–59. https://doi.org/10.1007/s10664-009-9109-9

    Article  Google Scholar 

  18. Cavoukian A (2009) Privacy by design: the 7 foundational principles. Information and Privacy Commissioner of Ontario, Canada 5. https://privacy.ucsc.edu/resources/privacy-by-design---foundational-principles.pdf

  19. Cavoukian A (2012) Operationalizing privacy by design: a guide to implementing. Commun ACM 55(Issue 9):7. https://doi.org/10.1145/2330667.2330669

    Article  Google Scholar 

  20. Chazette L, Schneider K (2020) Explainability as a non-functional requirement: challenges and recommendations. Requirements Eng 25(4):493–514. https://doi.org/10.1007/s00766-020-00333-1

    Article  Google Scholar 

  21. Cohn M (2004) User stories applied: for Agile software development. Addison-Wesley Professional, Reading

    Google Scholar 

  22. Creswell JW (2002) Educational research: planning, conducting, and evaluating quantitative. Prentice Hall, Upper Saddle River, NJ

    Google Scholar 

  23. Creswell JW, Creswell JD (2017) Research design: qualitative, quantitative, and mixed methods approaches. Sage Publications, Thousand Oaks

    MATH  Google Scholar 

  24. Curcio K, Navarro T, Malucelli A, Reinehr S (2018) Requirements engineering: a systematic mapping study in agile software development. J Syst Softw 139:32–50. https://doi.org/10.1016/j.jss.2018.01.036

    Article  Google Scholar 

  25. Davis FD (1989) Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Q 13(3):319–340. https://doi.org/10.2307/249008

    Article  Google Scholar 

  26. DeCew J (2018) Privacy. In: Zalta EN (ed) The Stanford encyclopedia of philosophy, spring 2018. Metaphysics Research Lab, Stanford University, Stanford

    Google Scholar 

  27. Deng M, Wuyts K, Scandariato R, Preneel B, Joosen W (2011) A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requir Eng 16(1):3–32. https://doi.org/10.1007/s00766-010-0115-7

    Article  Google Scholar 

  28. Easterbrook S, Singer J, Storey MA, Damian D (2008) Selecting empirical methods for software engineering research. In: Guide to advanced empirical SE. Springer, London, pp 285–311. https://doi.org/10.1007/978-1-84800-044-5_11

  29. Falessi D, Juristo N, Wohlin C, Turhan B, Münch J, Jedlitschka A, Oivo M (2018) Empirical software engineering experts on the use of students and professionals in experiments. Empir Softw Eng 23(1):452–489. https://doi.org/10.1007/s10664-017-9523-3

    Article  Google Scholar 

  30. Ferrari R, Miller JA, Madhavji NH (2010) A controlled experiment to assess the impact of system architectures on new system requirements. Requirements Eng 15(2):215–233. https://doi.org/10.1007/s00766-010-0099-3

    Article  Google Scholar 

  31. Gharib M, Giorgini P, Mylopoulos J (2017) Towards an ontology for privacy requirements via a systematic literature review. In: Conceptual modeling. Springer, Cham, pp 193–208. https://doi.org/10.1007/978-3-319-69904-2_16

  32. Gharib M, Mylopoulos J, Giorgini P (2020) COPri—a core ontology for privacy requirements engineering. In: International conference on research challenges in information science. Springer, Cham, pp 472–489. https://doi.org/10.1007/978-3-030-50316-1_28

  33. Hadar I, Hasson T, Ayalon O, Toch E, Birnhack M, Sherman S, Balissa A (2018) Privacy by designers: software developers’ privacy mindset. Empir Softw Eng 23(1):259–289. https://doi.org/10.1007/s10664-017-9517-1

    Article  Google Scholar 

  34. Hart SG, Staveland LE (1988) Development of NASA-TLX (Task Load Index): results of empirical and theoretical research. In: Human mental workload, advances in psychology, vol 52. North-Holland, pp 139–183. https://doi.org/10.1016/S0166-4115(08)62386-9

  35. Heaps J, Krishnan R, Huang Y, Niu J, Sandhu R (2021) Access control policy generation from user stories using machine learning. In: Data and applications security and privacy XXXV. Springer, Cham, pp 171–188. https://doi.org/10.1007/978-3-030-81242-3_10

  36. Höst M, Regnell B, Wohlin C (2000) Using students as subjects-a comparative study of students and professionals in lead-time impact assessment. Empir Softw Eng 5(3):201–214. https://doi.org/10.1023/A:1026586415054

    Article  MATH  Google Scholar 

  37. ISO I (2011) IEEE. 29148: 2011-systems and software engineering-requirements engineering. Technical report

  38. Izquierdo JLC, Salas J (2018) A uml profile for privacy enforcement. Software technologies: applications and foundations. Springer, Cham, pp 609–616

    Chapter  Google Scholar 

  39. Kalloniatis C, Kavakli E, Gritzalis S (2008) Addressing privacy requirements in system design: the PriS method. Requir Eng 13(3):241–255. https://doi.org/10.1007/s00766-008-0067-3

    Article  Google Scholar 

  40. Kalloniatis C, Kavakli E, Gritzalis S (2009) Methods for designing privacy aware information systems: a review. In: 2009 13th panhellenic conference on informatics. IEEE, pp 185–194. https://doi.org/10.1109/PCI.2009.45

  41. Kasauli R, Liebel G, Knauss E, Gopakumar S, Kanagwa B (2017) Requirements engineering challenges in large-scale agile system development. In: 2017 IEEE 25th international requirements engineering conference (RE). IEEE, pp 352–361. https://doi.org/10.1109/RE.2017.60

  42. Labda W, Mehandjiev N, Sampaio P (2014) Modeling of privacy-aware business processes in BPMN to protect personal data. In: Proceedings of the 29th annual ACM symposium on applied computing. Association for Computing Machinery, New York, NY, USA, SAC ’14, pp 1399–1405. https://doi.org/10.1145/2554850.2555014

  43. Lucassen G, Dalpiaz F, Van der Werf J, Brinkkemper S (2016) The use and effectiveness of user stories in practice. In: Requirements engineering: foundation for software quality. Springer, Cham, pp 205–222. https://doi.org/10.1007/978-3-319-30282-9_14

  44. Lucassen G, Dalpiaz F, Van der Werf JME, Brinkkemper S (2016) Improving agile requirements: the quality user story framework and tool. Requir Eng 21(3):383–403. https://doi.org/10.1007/s00766-016-0250-x

    Article  Google Scholar 

  45. Lucassen G, Dalpiaz F, van der Werf J, Brinkkemper S (2017) Improving user story practice with the grimm method: a multiple case study in the software industry. In: Requirements engineering: foundation for software quality. Springer, Cham, pp 235–252. https://doi.org/10.1007/978-3-319-54045-0_18

  46. Mai PX, Goknil A, Shar LK, Pastore F, Briand LC, Shaame S (2018) Modeling security and privacy requirements: a use case-driven approach. Inf Softw Technol 100:165–182. https://doi.org/10.1016/j.infsof.2018.04.007

    Article  Google Scholar 

  47. Mouratidis H, Giorgini P, Manson G (2005) When security meets software engineering: a case of modelling secure information systems. Inf Syst 30(8):609–629. https://doi.org/10.1016/j.is.2004.06.002

    Article  Google Scholar 

  48. Mouratidis H, Islam S, Kalloniatis C, Gritzalis S (2013) A framework to support selection of cloud providers based on security and privacy requirements. J Syst Softw 86(9):2276–2293. https://doi.org/10.1016/j.jss.2013.03.011

    Article  Google Scholar 

  49. Nachar N (2008) The Mann–Whitney u: a test for assessing whether two independent samples come from the same distribution. Tutor Quant Methods Psychol 4(1):13–20. https://doi.org/10.20982/tqmp.04.1.p013

    Article  Google Scholar 

  50. Nguyen M (2010) Empirical evaluation of a universal requirements engineering process maturity model

  51. Nissenbaum H (2009) Privacy in context: technology, policy, and the integrity of social life. Stanford University Press, California

    Book  Google Scholar 

  52. Olsson T, Sentilles S, Papatheocharous E (2022) A systematic literature review of empirical research on quality requirements. Requir Eng 27:249–271. https://doi.org/10.1007/s00766-022-00373-9

    Article  Google Scholar 

  53. Pachidi S (2009) Goal-oriented requirements engineering with KAOS. Utrecht University, Utrecht

    Google Scholar 

  54. Pullonen P, Matulevičius R, Bogdanov D (2017) PE-BPMN: privacy-enhanced business process model and notation. In: International conference on business process management. Springer, Cham, pp 40–56. https://doi.org/10.1007/978-3-319-65000-5_3

  55. Rygge H, Jøsang A (2018) Threat poker: solving security and privacy threats in agile software development. In: Nordic conference on secure IT systems. Springer, pp 468–483

  56. Salman I, Misirli AT, Juristo N (2015) Are students representatives of professionals in software engineering experiments? In: 2015 IEEE/ACM 37th IEEE international conference on software engineering, vol 1. IEEE, pp 666–676

  57. Santos PO, de Carvalho MM (2022) Exploring the challenges and benefits for scaling agile project management to large projects: a review. Requir Eng 27:117–134. https://doi.org/10.1007/s00766-021-00363-3

    Article  Google Scholar 

  58. Spafford EH, Antón AI (2007) The balance of privacy and security. In: Science and technology in society: from biotechnology to the internet

  59. Spiekermann S, Cranor LF (2009) Engineering privacy. IEEE Trans Softw Eng 35(1):67–82. https://doi.org/10.1109/TSE.2008.88

    Article  Google Scholar 

  60. Suleiman H, Svetinovic D (2013) Evaluating the effectiveness of the security quality requirements engineering (square) method: a case study using smart grid advanced metering infrastructure. Requir Eng 18(3):251–279. https://doi.org/10.1007/s00766-012-0153-4

    Article  Google Scholar 

  61. Svahnberg M, Aurum A, Wohlin C (2008) Using students as subjects-an empirical evaluation. In: Proceedings of the second ACM-IEEE international symposium on Empirical software engineering and measurement, pp 288–290

  62. Thomas K, Bandara AK, Price BA, Nuseibeh B (2014) Distilling privacy requirements for mobile applications. In: Proceedings of the 36th international conference on software engineering. Association for Computing Machinery, New York, NY, USA, ICSE 2014, pp 871–882. https://doi.org/10.1145/2568225.2568240

  63. Venkatesh V, Davis FD (2000) A theoretical extension of the technology acceptance model: four longitudinal field studies. Manag Sci 46(2):186–204

    Article  Google Scholar 

  64. Viitaniemi M (2017) Privacy by design in agile software development. Master’s thesis, Tampere University of Technology

  65. Vilela J, Castro J, Martins LEG, Gorschek T (2020) Safety practices in requirements engineering: the Uni-REPM safety module. IEEE Trans Softw Eng 46(3):222–250. https://doi.org/10.1109/TSE.2018.2846576

    Article  Google Scholar 

  66. Villamizar H, Kalinowski M, Garcia A, Mendez D (2020) An efficient approach for reviewing security-related aspects in agile requirements specifications of web applications. Requir Eng 25(4):439–468. https://doi.org/10.1007/s00766-020-00338-w

    Article  Google Scholar 

  67. Wagner S, Méndez-Fernández D, Kalinowski M, Felderer M (2018) Agile requirements engineering in practice: status quo and critical problems. CLEI Electron J 21(1):15. https://doi.org/10.19153/cleiej.21.1.6

    Article  Google Scholar 

  68. Wagner S, Fernández DM, Felderer M, Vetrò A, Kalinowski M, Wieringa R, Pfahl D, Conte T, Christiansson MT, Greer D, Lassenius C, Männistö T, Nayebi M, Oivo M, Penzenstadler B, Prikladnicki R, Ruhe G, Schekelmann A, Sen S, Spínola R, Tuzcu A, De La Vara JL, Winkler D (2019) Status quo in requirements engineering: a theory and a global family of surveys. ACM Trans Softw Eng Methodol (TOSEM) 28(2):9. https://doi.org/10.1145/3306607

    Article  Google Scholar 

  69. Westin AF, Ruebhausen OM (1967) Privacy and freedom, vol 1. Atheneum, New York

    Google Scholar 

  70. Wohlin C, Höst M, Henningsson K (2003) Empirical research methods in software engineering. In: Empirical methods and studies in software engineering. Springer, pp 7–23

  71. Wohlin C, Runeson P, Höst M, Ohlsson MC, Regnell B, Wesslén A (2012) Experimentation in software engineering. Springer, Berlin. https://doi.org/10.1007/978-3-642-29044-2

    Book  MATH  Google Scholar 

  72. Peixoto M, Silva C, Lima R, Ara ́ujo J, Gorschek T, Silva J (2019) PCM Tool: Privacy Requirements Specification in Agile Software Development. In: 10th Brazilian Software Conference: Theory and Practice (CBSoft’19), Extended Annals of the, SBC, Porto Alegre, RS, Brasil, pp 108–113. https://doi.org/10.5753/cbsoft_estendido.2019.7666

  73. Peixoto MM, Silva C (2018) Specifying privacy requirements with goal-oriented modeling lanuages. In: Proceedings of the XXXII Brazilian Symposium on Software Engineering, Association for Computing Machinery, New York, NY, USA, SBES’18, pp 112–121. https://doi.org/10.1145/3266237.3266270

  74. Peixoto M, Ferreira D, Cavalcanti M, Silva C, Vilela J, Araújo J, Gorschek T (2020) On undertanding how developers perceive and interpret privacy requirements research preview. In: Requirements Engineering: Foundation for Software Quality: 26th International Working Conference, REFSQ 2020, Pisa, Italy, March 24–27, 2020, Proceedings, Springer-Verlag, Berlin, Heidelberg, pp 116–123. https://doi.org/10.1007/978-3-030-44429-7_8

  75. Medeiros J, Vasconcelos A, Silva C, Goulão M (2018) Quality of software requirements specification in agile projects: A cross-case analysis of six companies. J Syst Softw 142:171–194. https://doi.org/10.1016/j.jss.2018.04.064

  76. Zhang L, Tian JH, Jiang J, Liu YJ, Pu MY, Yue T (2018) Empirical research in software engineering—a literature survey. J Comput Sci Technol 33:876–899. https://doi.org/10.1007/s11390-018-1864-x

    Article  Google Scholar 

Download references

Acknowledgements

The authors would like to thank the study participants.

Funding

Part of this study was funded by the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior - Brasil (CAPES) (Finance Code 001) and the KKS foundation Profile Project ReThought.se. It was also supported by NOVA LINCS Research Laboratory (Ref. UID/CEC/04516/2019).

Author information

Authors and Affiliations

  1. Universidade Federal de Pernambuco (UFPE), Recife, PE, Brazil

    Mariana Peixoto, Carla Silva, Alexandre Vasconcelos & Jéssyka Vilela

  2. Universidade Nova de Lisboa (UNL), Lisbon, Portugal

    João Araújo

  3. Blekinge Institute of Technology (BTH), Karlskrona, Sweden

    Tony Gorschek

Authors
  1. Mariana Peixoto
    View author publications

    You can also search for this author inPubMed Google Scholar

  2. Carla Silva
    View author publications

    You can also search for this author inPubMed Google Scholar

  3. João Araújo
    View author publications

    You can also search for this author inPubMed Google Scholar

  4. Tony Gorschek
    View author publications

    You can also search for this author inPubMed Google Scholar

  5. Alexandre Vasconcelos
    View author publications

    You can also search for this author inPubMed Google Scholar

  6. Jéssyka Vilela
    View author publications

    You can also search for this author inPubMed Google Scholar

Corresponding author

Correspondence to Mariana Peixoto.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Code availability

Not applicable.

Ethics approval

Ethical considerations need to be addressed when research involves humans. Therefore, when the studies were scheduled, the participants were informed of the research objectives. In addition, the participants were informed that their identities would be kept confidential. Also they answered a informed consent document. Students in the experiment participated voluntarily. Students in the feasibility study received a partial grade. However, the partial grade had not enough weight in the student’s total grade, if he did not perform the specification satisfactorily.

Consent to participate

Study participants agreed through informed consent.

Consent for publication

Study participants agreed through informed consent.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix

Appendix

1.1 Appendix A: task of both studies

Students were asked to complete the task below.

Scenario

Virtual Movie Rental System The video store Imperial is undergoing a restructuring, that is, it will become a virtual movie rental company. Therefore, they need an information system to support the rental of movies. For their activities to be supported, it is necessary to control information about movies and customers. In addition, consultation facilities must be provided to the virtual collection of the rental company, allowing consultations for various information about the movies.

Imperial also decided to include some new features in the system. They are: Customized customer registration; Registration and monitoring of rental habits; Promotion presentation according to rental habits; and Sale of rental habits to third parties.

The system specification process has started, and the features in bold have already been specified:

  • 1. Control of movie information

    • a. Record movies.

  • 2. Control of customer information

    • a. Register customer;

    • b. Monitor rental habits;

    • c. Present promotion according to rental habits;

    • d. Selling rental habits to third parties.

  • 3.Movie consultation

    • a. Presentation of the catalog of movies and releases, with respective prices.

  • 4. Movie rental

    • a. Information for rental availability;

    • b. Devolution;

    • c. Register rent.

Below is further detail of each feature.

1. Control of movie information(Specification already made)

The system should allow making all movies available in the following formats: High Definition (HD) or Standard Definition (SD). The movies are also classified in the following genres: action, animation, adventure, comedy, documentary, drama, fiction, war, musical, police, romance, suspense, and terror. Also, the rental company distinguishes between movies in the catalog and release.

One wants to know about a movie: original title, country, year, direction, cast, synopsis, trailer, duration, IMDB rating, format, and genre.

2. Control of customer information (Specification not made)

a. Register customer (Specification not made)

To perform the registration, it is necessary to request the following registration information: name *, password *, e-mail *, address (name, number, neighborhood, city and zip code), education level *, workplace, telephone (cell phone and home), gender *, date of birth *, personal ID.

- Note 1: * Mandatory information.

- Note 2: The customer must be over 18 years old.

- Note 3: The customer must have the autonomy to delete the registration in the system at any time.

- Note 4: The data of customers who choose to delete the registration must be completely removed from the system.

- Note 5: It is necessary to inform the intention and ask for consent to monitor rental habits.

- Note 6: It is necessary for the customer to authorize the monitoring of rental habits according to the registration information (Personal ID).

- Note 7: It is necessary for the customer to authorize the sending of promotions according to rental habits and registration information (Personal ID).

- Note 8: It is necessary to inform the intention and ask for consent for the sale of rental habits.

- Note 9: It is necessary for the customer to authorize the sale of rental habits according to the registration information (Personal ID).

- Note 10: It is necessary for the system to provide security via one notification that personal information is being kept private.

b. Monitor rental habits (Specification not made)

In order to monitor rental habits, the system should allow making the following relationships:

  1. 1.

    Personal ID: Informational report on the number of rented items by movie genre.

  2. 2.

    Gender: Informative report on the number of rented items by movie genre.

  3. 3.

    Age: Information report on the number of rented items by movie genre.

  4. 4.

    Degree of instruction: Informative report on the number of items rented by movie genre.

- Note 9: It is necessary for the customer to be aware and present consent for the monitoring of rental habits (That is, note 5 must be satisfied).

- Note 11: It is necessary for the customer to authorize the monitoring of rental habits according to the Personal ID (That is, note 6 must be satisfied).

c. Present promotion according to rental habits (Specification not made)

The discount must occur according to: For every 5 items of the same genre of the movie: 15

The system must still send an automatic email with promotions to customers according to: Personal ID.

- Note 12: Promotions must be sent by email to customers who have authorized the sending of promotions (i.e., Note 7 must be satisfied).

d. Selling rental habits to third parties (Specification not made)

The sale of information to third parties will take place as follows:

1. Personal ID: Information report on the number of rented items by movie genre.

2. Gender: Informative report on the number of rented items by movie genre.

3. Age: Information report on the number of rented items by movie genre.

4. Education level: Information report on the number of leased items by gender.

- Note 13: The sale of shopping habits to third parties must occur to customers who have consented (That is, note 8 must be satisfied).

- Note 14: The sale of purchasing habits, according to the CPF, to third parties must take place for customers who have authorized (That is, note 9 must be satisfied).

- Note 15: Customers must be aware of the names of the third parties to whom their data is being sold (send information by e-mail).

3. Movie consultation (Specification already made)

The system should allow users to access the list of movies and releases, according to: original title, title in Portuguese, country of origin, year, direction, cast, synopsis, trailer, duration, IMDB rating format, genre, and price.

- Note 16: The user must be logged into the system with an access control system.

4. Movie rental (Specification partially made)

a. Information for rental availability (Specification already made)

The system should allow the renting of movies. The default rental values are given by the type of media being rented. Currently, the following amounts are charged: SD (5.00), HD (7.50), and launches have an increase of 50

b. Devolution (Specification already made)

The return of the rented movie must occur automatically, that is, the system must end the presentation of the rent. The deadline for return is one day for releases and three days for movies in the catalog.

c. Register rent (Specification not made)

To register the rent, it is necessary to register each item rented by title and associate them with the client’s personal ID.

- Note 16: The user must be logged into the system with an access control system.

- Note 17: It is necessary for the customer to authorize the registration of each rental item according to the personal ID.

Group 1 Task. Please carry out the specification of system requirements that have not yet been specified. Use User Story, Acceptance Criteria and Privacy Criteria to make the specification. Use the following formatting for User Story (US), Acceptance Criteria (CA) and Privacy Criteria (PC):

[US01] As a type of user, I want role, so<some reason/benefit

[CA01-01]

[CA01-02]

[CA01-03

.....

[PC-01]

Group 2 Task. Please carry out the specification of system requirements that have not yet been specified. Use User Story, Acceptance Criteria and Privacy Criteria to make the specification. Use the following formatting for User Story (US) and Acceptance Criteria (CA):

[US01] As a type of user, I want role, so<some reason/benefit

[CA01-01]

[CA01-02]

[CA01-03]

.....

[PC-01]

Rights and permissions

Springer Nature or its licensor holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Peixoto, M., Silva, C., Araújo, J. et al. Evaluating a privacy requirements specification method by using a mixed-method approach: results and lessons learned. Requirements Eng 28, 229–255 (2023). https://doi.org/10.1007/s00766-022-00388-2

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00766-022-00388-2

Keywords