ABSTRACT
Information systems governed by laws and regulations are subject to civil and criminal violations. In the United States, these violations are documented in court records, such as complaints, indictments, plea agreements, and verdicts, which thus constitute a source of real-world software vulnerabilities. This paper reports on an exploratory case study to identify legal vulnerabilities and provides guidance to practitioners in the analysis of court documents. As legal violations occur after system deployment, court records reveal vulnerabilities that were likely overlooked during software development. We evaluate established requirements engineering techniques, including sequence and misuse case diagrams and goal models, as applied to criminal court records to identify mitigating requirements that improve privacy protections. These techniques, when properly applied, can help organizations focus their risk-management efforts on emerging legal vulnerabilities. We illustrate our analysis using criminal indictments involving the U.S. Health Insurance Portability and Accountability Act (HIPAA).
Index Terms
- Identifying vulnerabilities and critical requirements using criminal court proceedings