Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

Establishing Regulatory Compliance in Goal-Oriented Requirements Analysis

7.408 visualizaciones

Publicado el

Presented at CBI 2017
http://doi.org/10.1109/CBI.2017.49

Publicado en: Software
  • Sé el primero en comentar

Establishing Regulatory Compliance in Goal-Oriented Requirements Analysis

  1. 1. Establishing Regulatory Compliance in Goal-Oriented RequirementsAnalysis Tokyo Institute of Technology, Japan Yu Negishi, Shinpei Hayashi, and Motoshi Saeki 1
  2. 2. Motivation l Regulatory compliance in IS development – Eliciting regulatory compliant requirements in an early stage is important for reducing total cost l Goal-oriented requirements analysis (GORA) is beneficial – Goal decomposition can be useful to trace rationale 2 Necessity to elicit regulatory compliant requirements Derivation of regulatory compliant goals
  3. 3. Purpose l To derive this kind of fixes, we need ... 1. Detecting regulatory incompliant (violated) goals 2. Adding goals to avoid regulatory violations 3 A supplier mails a product Get the address from a customer Deliver a product to a carrier A supplier notifies a customer of the purpose of utilization Article 18,Act on the Protection of Personal Information When having acquired personal information, a business operator shall promptly notify the person of the purpose of utilization. A supplier mails a product Get the address from a customer Deliver a product to a carrier
  4. 4. Goal model Regulation 1. Detecting regulatory incompliant goals Problem 4 How can we match these sentences? Get = Acquire Address = Personal Information A supplier mails a product Get the address from a customer Article 18,Act on the Protection of Personal Information When having acquired personal information, a business operator shall promptly notify the person of the purpose of utilization.
  5. 5. 2.Adding goals to avoid violations Problem 5 How can we generate the description and modify the goal structure? Article 18,Act on the Protection of Personal Information When having acquired personal information, a business operator shall promptly notify the person of the purpose of utilization. Regulatory compliant goal model A supplier mails a product Get the address from a customer Notify the customer of the purpose of utilization
  6. 6. Goal Model Regulation 1. Detecting regulatory incompliant goals Our Solution 6 A supplier mails a product Get the address from a customer Article 18,Act on the Protection of Personal Information When having acquired personal information, a business operator shall promptly notify the person of the purpose of utilization. Situation case frame Usage of case frames (CTs) for the matching to detect the candidates verb subject direct object indirect object Get Supplier Address Customer verb actor object source Acquire Business operator Personal information ✔
  7. 7. 2.Adding goals to avoid violations Our Solution 7 Article 18,Act on the Protection of Personal Information When having acquired personal information, a business operator shall promptly notify the person of the purpose of utilization. Get = Acquire Address = Personal Info. Customer = Person Generate goal description from the prepared template patterns and substitute the words in it Regulatory compliant goal model A supplier mails a product Get the address from a customer Notify the customer of the purpose of utilization Matching result Word substitution Notifies (y: person) of the purpose of utilization Goal template
  8. 8. 8 ProposedTechnique l Matching using CFs (1, 2, 3, 4) l Goal generation for compliance (5, 6, 7) Goal model 7.Adding new goals to the goal model 4. Matching goals and regulations Case frames of goals Case frames of regulationsRegulation 5. Generating goals by patterns Identifying regulatory violation Term matching information x = □□ 6. Generating goal descriptions Goals to be added 1. Developing case frames of regulations 2. Supplementing goal descriptions 3.Translating goals into case frames Modified goal model Dict.
  9. 9. Developing Regulation CFs l Converts regulations into CFs 9 Article 18,Act on the Protection of Personal Information Situation CF Act CF (Modality: Obligation) verb actor object source Acquire x Personal information y verb actor object target Notify x Purpose of utilization y When having acquired personal information, a business operator shall promptly notify the person of the purpose of utilization. Words of the same meaning are modeled using variables
  10. 10. Supplementing Descriptions l Goal descriptions are often omitted – Hampers the matching process l Supplements them from ancestors 10 A supplier mails a product Get the address from a customer A supplier gets the address from a customer Goals and goal descriptions Surface structures Lexicalanalyzer verb subject direct object indirect object Mail Supplier Product − verb subject direct object indirect object Get − Address Customer verb subject direct object indirect object Get Supplier Address Customer
  11. 11. Goal-to-CFTranslation 11[1] Nakamura et al.: Terminology Matching of Requirements Specification Documents and Regulations for Compliance Checking. In Proc. RELAW 2015. Dictionary of case frames Candidates of case frame close to Get ... 1st 10th Dictionary of hierarchical concepts Thing Address Human Customer, Supplier “A supplier gets the address from a customer” Surface structure Ranked CFs ... ... verb actor object source Acquire Supplier Address Customer Learn − Address − verb actor object source Acquire Human Thing Human Learn − Thing − verb subject direct object indirect object Get Supplier Address Customer CF matching [1]
  12. 12. Goal-Regulation Matching 12 Regulation in CFs Dictionary of hierarchical concepts Personal information Address Thing Telephone number Situation Obligation of Act x = Supplier Personal information = Address y = Customer A supplier notifies a customer of the purpose of utilization New goal to be added A supplier gets the address from a customer ✔ ✔ Get the address from a customer Supplement verb actor object source Acquire x Personal information y verb actor object target Notify x Purpose of utilization y Acquire Supplier Address Customer ✔ Similar! x notifies y of the purpose of utilization
  13. 13. Goal Generation Patterns 13 Obligation Prohibition Exemption (+Obligation) Permission (+Prohibition) G1: Or G2: Oa G1: Pr G2: Check ¬Pa G1: Or G2: If ¬Er, Oa G3: Er G1: Pr G2: If ¬Fr , check ¬Pa G3: If Fr , Pa
  14. 14. Obligation and Exemption l Generate a goal to force the act part 14 G1: Or G2: Oa Situation part act part Obligation Exemption + Obligation G1: Or G2: If ¬Er, Oa G3: Er If exemption condition doesn’t hold, follow the obligation Exemption condition holds
  15. 15. Prohibition and Permission l Generate a goal to check whether prohibition happens 15 Prohibition Permission + Prohibition 15 G1: Pr G2: Check ¬Pa Situation part Checking whether the prohibited act does not happen G1: Pr G2: If ¬Fr , check ¬Pa G3: If Fr , Pa If permission doesn’t hold, check the prohibited act If permission holds, allow the prohibited act
  16. 16. Adding Generated Goal l Preserving the logical meaning 17 A supplier notifies a customer of the purpose of utilization New goal A supplier mails a Product Get the address from a customer Deliver a product to a carrier By telephone By E-mail OR decomposition A supplier mails a Product Get the address from a customer Deliver a product to a carrier By telephone By E-mail A supplier notifies a customer of the purpose of utilizationIntermediate goal AND OR
  17. 17. Implementation l Architecture – Extension of a GORA editor [1] – Target language: Japanese • Language resource: EDR dictionary [2] • Lexical analyzer: Cabocha [3] l Features – Automated application of the matching process – Automated generation of goals to avoid incompliance 18 [1] Saeki et al.:A tool for attributed goal-oriented requirements analysis. In Proc.ASE 2009. [2] EDR electronic dictionary,http://www2.nict.go.jp/out-promotion/techtransfer/EDR/J_index.html [3] Cabocha, http://taku910.github.io/cabocha/
  18. 18. Evaluation l Q1 (Detection Accuracy): How many occurrences of regulatory violation can be identified? l Q2 (Solution Acceptance): Can regulatory violations be resolved by the suggested sub-goals? 19 Creators of ground truths -------- -------- -------- -------- Regulations Examples Proposed modifications Supporting tool Correct answer of the violation goals Identification results by tool Modified goal model Comparison results Experiment enforcer Q2 Precision, recall Creators of Ground truths (the same persons) Q1
  19. 19. Systems and Acts l Case 1: Online shopping (like Amazon) – # goals: 31, max depth: 4 – Related acts (7 articles): • Act on Protection of Personal Information • Act on Specified Commercial Transactions • Act against Unjustifiable Premiums and Misleading Representations l Case 2: Pet shopping – # goals: 19, max depth: 4 – Related acts (7 articles): • Act on Welfare and Management of Animals
  20. 20. Q1: Detection Accuracy Results l ~Half of violations were correctly detected – Precision 47%, Recall 50% – The existing technique [1] missed these all violations 21 0% 20% 40% 60% 80% 100% Online Pet Total Precision Recall 75% 75% 30%27% 50%47% 6/8 6/8 3/10 3/11 9/18 9/19 [1]Nakamura et al.: Terminology Matching of Requirements Specification Documents and Regulations for Compliance Checking. In Proc. RELAW 2015.
  21. 21. Q2: Solution Acceptance Results l Solutions were accepted in most cases – 73% of violations were resolved – 93% of violations were (at least partially) resolved l Negative results were mainly due to inappropriate patterns 22 Resolved Resolved alternatively Resolved partially Not resolved Unknown 43% 20% 3%30% 3%
  22. 22. Related Work l Extension of existing requirements model – URN framework extension for regulatory compliance [1] – KAOS extension for regulatory compliance [2] → Although they can confirm incompliance, they did not support the derivation of requirements to avoid incompliance l i* extension using NOMOS model – It can deduce requirements to avoid incompliance [3] – It requires to learn the extended model [1] Ghanavati et al.: Goal-oriented compliance with multiple regulations. In Proc. RE 2014. [2] Ishikawa et al.: Modeling,Analyzing and Weaving Legal Interpretations in Goal-Oriented Requirements Engineering. In Proc. RELAW 2009. [3] Siena et al.:A meta-model for modelling law-compliant requirements. In Prco. RELAW 2009. 23
  23. 23. ConclusionPurpose l To derive this kind of fixes, we need ... 1. Detecting regulatory incompliant (violated) goals 2. Adding goals to avoid regulatory violations 3 A supplier mails a product Get the address from a customer Deliver a product to a carrier A supplier notifies a customer of the purpose of utilization Article 18,Act on the Protection of Personal Information When having acquired personal information, a business operator shall promptly notify the person of the purpose of utilization. A supplier mails a product Get the address from a customer Deliver a product to a carrier Goal-Regulation Matching 12 Regulation in CFs Dictionary of hierarchical concepts Personal information Address Thing Telephone number Situation Obligation of Act x = Supplier Personal information = Address y = Customer A supplier notifies a customer of the purpose of utilization New goal to be added A supplier gets the address from a customer Get the address from a customer Supplement verb actor object source Acquire x Personal information y verb actor object target Notify x Purpose of utilization y Acquire Supplier Address Customer Similar! x notifies y of the purpose of utilization Goal Generation Patterns 13 Obligation Prohibition Exemption (+Obligation) Permission (+Prohibition) G1: Or G2: Oa G1: Pr G2: Check ¬Pa G1: Or G2: If ¬Er, Oa G3: Er G1: Pr G2: If ¬Fr , check ¬Pa G3: If Fr , Pa Q1: Detection Accuracy Results l ~Half of violations were correctly detected – Precision 47%, Recall 50% – The existing technique [1] missed these all violations 21 0% 20% 40% 60% 80% 100% Online Pet Total Precision Recall 75% 75% 30% 27% 50% 47% 6/8 6/8 3/10 3/11 9/18 9/19 [1]Nakamura et al.: Terminology Matching of Requirements Specification Documents and Regulations for Compliance Checking. In Proc. RELAW 2015. Q2: Solution Acceptance Results l Solutions were accepted in most cases – 73% of violations were resolved – 93% of violations were (at least partially) resolved l Negative results were mainly due to inappropriate patterns Resolved Resolved alternatively Resolved partially Not resolved Unknown 43% 20% 3% 30% 3%
  24. 24. Credits l Judge hammer | ssalonso | Flickr – https://www.flickr.com/photos/ssalonso/3989418655

×