Alberto Siena
Fondazione Bruno Kessler
Publication
Featured research published by Alberto Siena.
international conference on conceptual modeling | 2009
Alberto Siena; John Mylopoulos; Anna Perini; Angelo Susi
New laws, such as HIPAA and SOX, are increasingly impacting the design of software systems, as business organisations strive to comply. This paper studies the problem of generating a set of requirements for a new system which comply with a given law. Specifically, the paper proposes a systematic process for generating law-compliant requirements by using a taxonomy of legal concepts and a set of primitives to describe stakeholders and their strategic goals. Given a model of law and a model of stakeholders' goals, legal alternatives are identified and explored. Strategic goals that can realise legal prescriptions are systematically analysed, and alternative ways of fulfilling a law are evaluated. The approach is demonstrated by means of a case study. This work is part of the Nomos framework, intended to support the design of law-compliant requirements models.
2008 Requirements Engineering and Law | 2008
Alberto Siena; John Mylopoulos; Anna Perini; Angelo Susi
Legal prescriptions are increasingly impacting on information systems and on organisations that must comply with them in order to avoid being prosecuted or fined. Addressing law compliance in early phases of the requirements analysis helps in improving the alignment of information systems with the law. In this paper, we point out ontological differences between legal concepts and requirements and set the basis for a systematic process able to support decision making about requirements for law-compliant systems.
international conference on conceptual modeling | 2012
Alberto Siena; Ivan Jureta; Silvia Ingolfo; Angelo Susi; Anna Perini; John Mylopoulos
Regulatory compliance is increasingly viewed as an essential element of requirements engineering. Laws, but also regulations and policies, frame their provisions through complex structures made of conditions, derogations, exceptions, which together generate a high number of alternative compliance solutions. This paper addresses the problem of modeling, exploring and selecting among alternatives in a variability space defined by laws. Our proposal includes a conceptual modeling framework for laws and reasoning techniques, called Nomos 2. The proposal is evaluated with a fragment of the Health Insurance Portability and Accountability Act (HIPAA).
AOSE'07 Proceedings of the 8th international conference on Agent-oriented software engineering VIII | 2007
Mirko Morandini; Duy Cu Nguyen; Anna Perini; Alberto Siena; Angelo Susi
The agent-oriented software engineering methodology Tropos offers a structured development process and supporting tools for developing complex, distributed systems. The objective of this paper is twofold: first, to illustrate the use of Tropos to develop a Multi-Agent System, performing basic analysis and design activities, code generation and testing, with the support of a set of tools; second, to enable the comparison with other, tool-supported, agent-oriented software engineering methodologies through a description of the main steps of these activities and of excerpts of the resulting artefacts, with reference to a common case study, namely, the Conference Management System case study.
international workshop on requirements engineering and law | 2009
Alberto Siena; Anna Perini; Angelo Susi; John Mylopoulos
While new laws and regulations address organisations, with their processes and information systems, the problem of defining suitable methods and techniques to support the design of law-compliant systems is getting increasing attention. We proposed a novel requirements engineering framework that includes a systematic process to derive law-compliant system requirements taking into account laws and strategic goals of stakeholders of a given domain. In this paper, we focus on the conceptual meta-model this framework rests on, defining it and discussing its use.
international conference on software and data technologies | 2013
Javier Franch Gutiérrez; Angelo Susi; Maria Carmela Annosi; Claudia Patricia Ayala Martínez; Ruediger Glott; Daniel Gross; Ron S. Kenett; Fabio Mancinelli; Pop Ramsany; Cedric Thomas; David Ameller; Stijn Bannier; Nili Bergida; Yehuda Blumenfeld; Olivier Bouzereau; Dolors Costal Costa; Manuel Dominguez; Kirsten Haaland; Lidia López Cuesta; Mirko Mourandini; Alberto Siena
By 2016 an estimated 95% of all commercial software packages will include Open Source Software (OSS). This extended adoption is yet not avoiding failure rates in OSS projects to be as high as 50%. Inadequate risk management has been identified among the top mistakes to avoid when implementing OSS-based solutions. Understanding, managing and mitigating OSS adoption risks is therefore crucial to avoid potentially significant adverse impact on the business. In this position paper we portray a short report of work in progress on risk management in OSS adoption processes. We present a risk-aware technical decision-making management platform integrated in a business-oriented decision-making framework, which together support placing technical OSS adoption decisions into organizational, business strategy as well as the broader OSS community context. The platform will be validated against a collection of use cases coming from different types of organizations: big companies, SMEs, public administration, consolidated OSS communities and emergent small OSS products.
international conference on conceptual modeling | 2014
Silvia Ingolfo; Ivan Jureta; Alberto Siena; Anna Perini; Angelo Susi
The problem of regulatory compliance for a software system consists of ensuring through a systematic, tool-supported process that the system complies with all elements of a relevant law. To deal with the problem, we build a model of the law and contrast it with a model of the requirements of the system. In earlier work, we proposed a modelling language for law (Nomos 2) along with a reasoning mechanism that answers questions about compliance. In this paper we extend Nomos 2 to include the concepts of role and requirement so that we can reason about compliance in specific domains. Also, Nomos 3 represents the distribution of responsibilities to roles, distinguishing social from legal roles. Nomos 3 models allow us to reason about compliance of requirements and roles with the norms that constitute a law. A small case study is used to illustrate the elements of Nomos 3 and the kinds of reasoning it supports.
data and knowledge engineering | 2013
Silvia Ingolfo; Alberto Siena; John Mylopoulos; Angelo Susi; Anna Perini
A software system complies with a regulation if its operation is consistent with the regulation under all circumstances. The importance of regulatory compliance for software systems has been growing, as regulations are increasingly impacting both the functional and non-functional requirements of legacy and new systems. HIPAA and SOX are recent examples of laws with broad impact on software systems, as attested by the billions of dollars spent in the US alone on compliance. In this paper we propose a framework for establishing regulatory compliance for a given set of software requirements. The framework assumes as inputs models of the requirements (expressed in i*) and the regulations (expressed in Nomos). In addition, we adopt and integrate with i* and Nomos a modeling technique for capturing arguments and establishing their acceptability. Given these, the framework proposes a systematic process for revising the requirements, and arguing through a discussion among stakeholders that the revisions make the requirements compliant. A pilot industrial case study involving fragments of the Italian regulation on privacy for Electronic Health Records provides preliminary evidence of the framework's adequacy and indicates directions for further improvements.
conference on advanced information systems engineering | 2008
Alberto Siena; Neil A. M. Maiden; James Lockerbie; Kristine Karlsen; Anna Perini; Angelo Susi
This paper evaluates the effectiveness of an extension to i* modelling --- normative i* modelling --- during the requirements analysis for new socio-technical systems for food traceability. The i* focus on modelling systems as networks of heterogeneous, inter-dependent actors provides limited support for modelling system-wide properties and norms, such as laws and regulations, that also influence the specification of socio-technical systems. In this paper we introduce an extension to i* to model and analyse norms, then apply it to model laws and regulations applicable to European food traceability systems. We report an analysis of the relative strengths and weaknesses of this extended form of i* with its traditional forms, and use results to answer two research questions about the usefulness and usability of the i* modelling extension.
international conference on conceptual modeling | 2011
Silvia Ingolfo; Alberto Siena; John Mylopoulos
A software system complies with a regulation if its operation is consistent with the regulation under all circumstances. The importance of regulatory compliance for software systems has been growing, as regulations are increasingly impacting both the functional and nonfunctional requirements of legacy and new systems. HIPAA and SOX are recent examples of laws with broad impact on software systems, as attested by the billions of dollars spent in the US alone on compliance. In this paper we propose a framework for establishing regulatory compliance for a given set of software requirements. The framework assumes as inputs models of the requirements (expressed in i*) and the regulations (expressed in Nomos). In addition, we adopt and integrate with i* and Nomos a modeling technique for capturing arguments and establishing their acceptability. Given these, the framework proposes a systematic process for revising the requirements, and arguing through a discussion among stakeholders that the revisions make the requirements compliant. Our proposed framework is illustrated through a case study involving fragments of the HIPAA regulation.