Corba: Crowdsourcing to Obtain Requirements from Regulations and BreachesJ1
Context: Modern software systems are deployed in sociotechnical settings, combining social entities (humans and organizations) with technical entities (software and devices). In such settings, on top of technical controls that implement security features of software, regulations specify how users should behave in security-critical situations. No matter how carefully the software is designed and how well regulations are enforced, such systems are subject to breaches due to social (user misuse) and technical (vulnerabilities in software) factors. Breach reports, often legally mandated, describe what went wrong during a breach and how the breach was remedied. However, breach reports are not formally investigated in current practice, leading to valuable lessons being lost regarding past failures.
Objective: Our research aim is to aid security analysts and software developers in obtaining a set of legal, security, and privacy requirements, by developing a crowdsourcing methodology to extract knowledge from regulations and breach reports.
Method: We present Corba, a methodology that leverages human intelligence via crowdsourcing, and extracts requirements from textual artifacts in the form of regulatory norms. We evaluate Corba on the US healthcare regulations from the Health Insurance Portability and Accountability Act (HIPAA) and breach reports published by the US Department of Health and Human Services (HHS). Following this methodology, we have conducted a pilot and a final study on the Amazon Mechanical Turk crowdsourcing platform.
Results: Corba yields high quality responses from crowd workers, which we analyze to identify requirements for the purpose of complementing HIPAA regulations. We publish a curated dataset of the worker responses and identified requirements.
Conclusions: The results show that the instructions and question formats presented to the crowd workers significantly affect the response quality regarding the identification of requirements. We have observed significant improvement from the pilot to the final study by revising the instructions and question formats. Other factors, such as worker types, breach types, or length of reports, do not have notable effect on the workers’ performance. Moreover, we discuss other potential improvements such as breach report restructuring and text highlighting with automated methods.
Fri 10 JulDisplayed time zone: (UTC) Coordinated Universal Time change
16:05 - 17:05 | A23-RequirementsJournal First / Technical Papers / New Ideas and Emerging Results at Goguryeo Chair(s): Dalal Alrajeh Imperial College London | ||
16:05 12mTalk | Caspar: Extracting and Synthesizing User Stories of Problems from App ReviewsTechnical Technical Papers | ||
16:17 8mTalk | Dealing with Non-Functional Requirements in Model-Driven Development: A SurveyJ1 Journal First David Ameller Universitat Politècnica de Catalunya, Xavier Franch Universitat Politècnica de Catalunya, Cristina Gómez Universitat Politècnica de Catalunya, Silverio Martínez-Fernández UPC-BarcelonaTech, João Araújo Universidade Nova de Lisboa, Stefan Biffl Vienna University of Technology, Jordi Cabot ICREA - UOC, Vittorio Cortellesa University of L’Aquila, Daniel Mendez Technische Universität München, Ana Moreira FCT / Universidade Nova de Lisboa, Henry Muccini University of L'Aquila, Italy, Antonio Vallecillo University of Málaga, Spain, Manuel Wimmer Johannes Kepler University Linz, Vasco Amaral Universidade Nova de Lisboa, Wolfang Böhm Technische Universität München, Hugo Brunelière Inria, Mines Nantes & LINA, Lola Burgueño Universidad de Malaga, Miguel Goulao NOVA-LINCS, FCT/UNL, Sabine Teufl Fortiss GmbH, Luca Berardinelli Johannes Kepler University Linz | ||
16:25 8mTalk | Locating Latent Design Information in Developer Discussions: A Study on Pull RequestsJ1 Journal First Giovanni Viviani University of British Columbia, Michalis Famelis Université de Montréal, Xin Xia Monash University, Calahan Janik-Jones University of Toronto, Gail Murphy University of British Columbia | ||
16:33 8mTalk | Status Quo in Requirements Engineering: A Theory and a Global Family of SurveysJ1 Journal First Stefan Wagner University of Stuttgart Link to publication DOI Pre-print | ||
16:41 8mTalk | Corba: Crowdsourcing to Obtain Requirements from Regulations and BreachesJ1 Journal First Hui Guo North Carolina State University, Ozgur Kafali University of Kent, Anne-Liz Jeukeng University of Florida, Laurie Williams North Carolina State University, Munindar P. Singh North Carolina State University | ||
16:49 6mTalk | With Registered Reports Towards Large Scale Data CurationNIER New Ideas and Emerging Results Steffen Herbold University of Göttingen Pre-print |