Learn More
This paper discusses the lack of clarity of 40 online privacy statements from nine financial institutions that are covered by the Gramm-Leach-Bliley Act (GLBA), which states that policies must be " clear and conspicuous. " The study is novel in that it uses two complimentary approaches to analyze the clarity of policies: goal-driven requirements engineering(More)
As computing becomes more ubiquitous and Internet use continues to rise, it is increasingly important for organizations to construct accurate and effective privacy policies that document their information handling and usage practices. Most privacy policies are derived and specified in a somewhat ad-hoc manner, leading to policies that are of limited use to(More)
Access control is a mechanism for achieving confidentiality and integrity in software systems. Access control policies (ACPs) are security requirements that define how access is managed and the high-level rules of who, under what conditions, can access what information. Traditionally, access control policies are often specified after a system is designed(More)
This paper addresses the use of goals to extract non-functional requirements from policy statements. Goals are important precursors to software requirements, but the process of abstracting them from security and policy policies has not been thoroughly researched. We present a summary of a goal-based approach for extracting standard security and privacy(More)
This report examines the actions of JetBlue Airways Corporation (JetBlue), which violated its privacy policy when it gave the travel records of five million customers to Torch Concepts, a private Department of Defense contractor. JetBlue's actions have prompted at least two lawsuits, including a claim by the Electronic Privacy Information Center with the(More)
Access control is a mechanism for achieving confidentiality and integrity in software systems. Specifying access control policies (ACPs) is a complex process that can benefit from requirements engineering techniques. In this paper, we present a method for deriving access control policies from software requirements specifications (SRS) and database designs.(More)
In this short paper, we summarize an industrial project in which we developed and applied the Attribute Hierarchy-based Evaluation of Architectural Designs (AHEAD) method for selecting a software technology to form the basis for the next-generation architecture of a complex commercial software application. AHEAD leverages the Software Engineering(More)