Figure 3 - uploaded by Annie I. Antón
Content may be subject to copyright.
Source publication
Regulated software systems require a precise and unambiguous system specification that strictly conforms to the intent of policies and regulations. Formal methods for verification and validation can be used to show that specifications are consistent and complete. However, small and medium sized projects often lack access to the expertise and traini...
Contexts in source publication
Context 1
... assumption is that each frame in a partition is a candidate for membership in the same frame variable. The SORT results are reported in record sets (see Figure 3), one record for each partition. Each record contains a description of the partition frame and, for each candidate frame, the descriptions of both the candidate frame and the context frame that contains the candidate as one of its slots. ...
Context 2
... partition is sorted by context to assist participants in identifying shared variables by comparing context descriptions. Figure 3 shows a partial record from the HIPAA study in Section 5. The record describes the frame "to [0]" where the "0" represents the location of a required slot, shared between all candidate frames. ...
Context 3
... frames correspond to phrases, unifying two variables means that all phrases represented by the unified variable are valid alternatives or sub-phrases in any frame that contains either of the two variables. For example, in Figure 3, the slots in the first and fourth contexts "access [to [0]]" and "agrees [to [0]]" that contain the frame "to [0]" both describe the object of the access and the agreement, respectively. Unifying the two slot variables for these frames allows composing new statements, such as "access to the summary" and "agrees to the records." ...
Similar publications
Background
Information provided by high-throughput sequencing platforms allows the collection of content-rich data about biological sequences and their context. Sequence alignment is a bioinformatics approach to identifying regions of similarity in DNA, RNA, or protein sequences. However, there is no consensus about the specific common terminology...
The application of automated reasoning approaches to Description Logic (DL) ontologies may produce certain consequences that either are deemed to be wrong or should be hidden for privacy reasons. The question is then how to repair the ontology such that the unwanted consequences can no longer be deduced. An optimal repair is one where the least amo...
In the present work, we provide the basis for a tool that is both compatible with the most recent trends in agent technology and which is inspired from a particular design theory, namely, the C-K design theory (Hatchuel and Weil, 2003). We present a method, Design Tableau, which can be used as an automated reasoning engine for a local agent providi...
Improving agent capabilities and increasing availability of computing platforms and Internet connectivity allows for more effective and diverse collaboration between human users and automated agents. To increase the viability and effectiveness of human-agent collaborative teams, there is a pressing need for research enabling such teams to maximally...
Citations
... We prepare the policies for annotation by removing section headers and boilerplate language and itemizing the Next, we use the frame-based markup developed by Breaux and Antón to identify semantic roles associated with different data actions [11]. The tool can be used to extract requirements from natural language text. ...
... Bhatia and Breaux categorized the purpose role values for the same policies in a prior study [8]. We answer research question RQ3, "what are the different lexical and syntactic triggers that indicate semantic role values within and across website domains?" by extracting all lexical and syntactic patterns from the 15 annotated policies using the frame-based markup tool [11]. Next, we analyze the results to determine how the same pattern, when used with different data actions, indicates different semantic roles and how different patterns lead to the same semantic role. ...
Companies that collect personal information online often maintain privacy policies that are required to accurately reflect their data practices and privacy goals. To be comprehensive and flexible for future practices, policies contain ambiguity that summarizes practices over multiple types of products and business contexts. Ambiguity in data practice descriptions undermines policies as an effective way to communicate system design choices to users and as a reliable regulatory mechanism. In this paper, we report an investigation to identify incompleteness by representing data practice descriptions as semantic frames. The approach is a grounded analysis to discover which semantic roles corresponding to a data action are needed to construct complete data practice descriptions. Our results include 698 data action instances obtained from 949 manually annotated statements across 15 privacy policies and three domains: health, news and shopping. Therein, we identified 2316 instances of 17 types of semantic roles and found that the distribution of semantic roles across the three domains was similar. Incomplete data practice descriptions undermine user comprehension and can affect the user’s perceived privacy risk, which we measure using factorial vignette surveys. We observed that user risk perception decreases when two roles are present in a statement: the condition under which a data action is performed, and the purpose for which the user’s information is used.
... It is reasonable to expect that future studies would take less time because the refined methodology presented herein provides previously unavailable guidance to the engineer for identifying and extracting important elements, including rights, obligations, constraints, and priorities from regulatory texts. Although new phrases will inevitably be encountered, our experience with regulatory texts in other domains [14] shows that these phrases are often variations on the same elements that we report in this paper, suggesting that the methodology is generalizable to domains beyond healthcare. ...
Information practices that use personal, financial, and health-related information are governed by US laws and regulations to prevent unauthorized use and disclosure. To ensure compliance under the law, the security and privacy requirements of relevant software systems must properly be aligned with these regulations. However, these regulations describe stakeholder rules, called rights and obligations, in complex and sometimes ambiguous legal language. These "rules" are often precursors to software requirements that must undergo considerable refinement and analysis before they become implementable. To support the software engineering effort to derive security requirements from regulations, we present a methodology for directly extracting access rights and obligations from regulation texts. The methodology provides statement-level coverage for an entire regulatory document to consistently identify and infer six types of data access constraints, handle complex cross references, resolve ambiguities, and assign required priorities between access rights and obligations to avoid unlawful information disclosures. We present results from applying this methodology to the entire regulation text of the US Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
... Upon discovery of the Definition concept, the lower ontology was realized and evidenced by the stakeholder hierarchy and product hierarchy derived from the Privacy and Accessibility studies, respectively. To reduce the effort in encoding rules, the Privacy study replaced the KTL with a tabular frame format [31], which was eventually supported by a machine-readable, context-free markup language during the Safety study [29]. Finally, the document model was developed late in the evolution of the method to support resolving cross-references and continuations. ...
U.S. federal and state regulations impose mandatory and discretionary requirements on industry-wide business practices to achieve non-functional, societal goals such as improved accessibility, privacy and safety. The structure and syntax of regulations affects how well software engineers identify and interpret legal requirements. Inconsistent interpretations can lead to noncompliance and violations of the law. To support software engineers who must comply with these regulations, I propose a Frame-Based Requirements Analysis Method (FBRAM) to acquire and specify legal requirements from U.S. federal regulatory documents. The legal requirements are systematically specified using a reusable, domain-independent upper ontology, natural language phrase heuristics, a regulatory document model and a frame-based markup language. The methodology maintains traceability from regulatory statements and phrases to formal properties in a frame-based model and supports the resolution of multiple types of legal ambiguity. The methodology is supported by a software prototype to assist engineers with applying the model and with analyzing legal requirements. This work is validated in three domains, information privacy, information accessibility and aviation safety, which are governed by the Health Insurance Portability and Accountability Act of 1996, the Rehabilitation Act Amendments of 1998, and the Federal Aviation Act of 1958, respectively.
