Aaron K. Massey

Software engineers build software systems in increasingly regulated environments, and must therefore ensure that software requirements accurately represent obligations described in laws and regulations. Prior research has shown that graduate-level software engineering students are not able to reliably determine whether software requirements meet or exceed…
Governments enact laws and regulations to safeguard the security and privacy of their citizens. In response, requirements engineers must specify compliant system requirements to satisfy applicable legal security and privacy obligations. Specifying legally compliant requirements is challenging because legal texts are complex and ambiguous by nature. In this…
Software engineers regularly build systems that are required to comply with laws and regulations. To this end, software engineers must determine which requirements have met or exceeded their legal obligations and which requirements have not. Requirements that have met or exceeded their legal obligations are legally implementation ready, whereas requirements…
Businesses and organizations in jurisdictions around the world are required by law to provide their customers and users with information about their business practices in the form of policy documents. Requirements engineers analyze these documents as sources of requirements, but this analysis is a time-consuming and mostly manual process. Moreover, policy…
Understanding the nature of privacy regulation is a challenge that requirements engineers face when building software systems in financial, healthcare, government, or other sensitive industries. Requirements engineers have begun to model privacy requirements based on taxonomic classifications of privacy. Independently, legal research has modeled privacy…
Requirements prioritization is used in the early phases of software development to determine the order in which requirements should be implemented. Requirements are not all equally important to the final software system because time constraints, expense, and design can each raise the urgency of implementing some requirements before others. Laws and…
The risks associated with the misuse and abuse of genetic information are high, as the exploitation of an individual's genetic information represents the ultimate example of identity theft. Hence, as the frontline of defense, information assurance and security (IAS) practitioners must be intimately familiar with the multidimensional aspects surrounding the…
The high cost of non-compliance with laws and regulations that govern software systems makes legal requirements prioritization crucial. In addition, software design, expense, and time constraints all influence how requirements are prioritized. Prioritizing requirements derived from laws and regulations can be untenable using traditional pairwise…
We describe a case study in which we evaluated an open-source electronic health record (EHR) system's requirements for compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA). Our findings suggest that legal compliance must be requirements-driven, while establishing due diligence under the law must be test-driven.
Changes to software requirements occur throughout the software life cycle. Requirements engineers who maintain software systems in regulated environments must identify the affected artifacts when requirements change. This identification is critical to: (a) ensure continued compliance with regulations, and (b) accurately estimate budget requests. Previously,…