| 1. |
- Peixoto, Mariana, et al.
(author)
-
Evaluating a privacy requirements specification method by using a mixed-method approach : results and lessons learned
- 2023
-
In: Requirements Engineering. - : Springer Science+Business Media B.V.. - 0947-3602 .- 1432-010X. ; 28:2, s. 229-255
-
Journal article (peer-reviewed)abstract
- Although agile software development (ASD) has been adopted in the industry, requirements approaches for ASD still neglect non-functional requirements. Privacy has become a concern due to new user demands and data protection laws. Hence, privacy needs to be properly specified, but agile requirements engineering techniques do not explicitly represent privacy requirements and, therefore, are not able to proper analyze such requirements. In this context, Privacy Criteria Method (PCM), an approach to specify privacy in requirements activities, was proposed to produce more complete and detailed privacy requirements. By considering PCM a promising approach to be used in ASD and the importance of empirical evaluation of new methods, we have as objectives: 1 evaluate the ability of PCM to support systems analysts in specifying privacy requirements when used in conjunction with some agile specification methods; and 2 show our lessons learned in conducting empirical research based on an mix-method approach defined to empirically evaluate the suitability of a requirements specification in specifying privacy requirements. Mixed-method approach is a controlled experiment as a quantitative evaluation and a feasibility study (questionnaire and task analysis based) study as a qualitative and quantitative evaluation. The requirements specifications following PCM allow to represent privacy aspects, such as user’s personal data and the privacy mechanism that can be used to mitigate a privacy risk scenario. We also observed that some extra time is necessary to specify privacy requirements with PCM, but it does not imply a greater perceived effort. Specifications produced with PCM are of good quality and more privacy detailed. Additionally, we attest to the importance of conducting empirical research to evaluate new methods. PCM assists in specifying more complete and detailed in relation to traditional techniques used in ASD, which facilitates communication between the requirements analysts and developers. © 2022, The Author(s), under exclusive licence to Springer-Verlag London Ltd., part of Springer Nature.
|
|
| 2. |
- Peixoto, Mariana, et al.
(author)
-
On Understanding How Developers Perceive and Interpret Privacy Requirements Research Preview
- 2020
-
In: Lecture Notes in Computer Science. - Cham : Springer. - 9783030444280 ; , s. 116-123
-
Conference paper (peer-reviewed)abstract
- [Context and motivation] Ensuring privacy of users’ data has become a top concern in software development, either to satisfy users’ needs or to comply with privacy laws. The problem may increase by the time a new law is in the vacancy period, and companies are working to understand how to comply with it. In addition, research has shown that many developers do not have sufficient knowledge about how to develop privacy-sensitive software. [Question/problem] Motivated by this scenario, this research investigates the personal factors affecting the developers’ understanding of privacy requirements during the vacancy period of a data protection law. [Principal ideas/results] We conducted thirteen interviews in six different private companies. As a result, we found nine personal factors affecting how software developers perceive and interpret privacy requirements. [Contribution] The identification of the personal factors contributes to the elaboration of effective methods for promoting proper privacy-sensitive software development. © 2020, Springer Nature Switzerland AG.
|
|
| 3. |
- Peixoto, Mariana, et al.
(author)
-
Privacy Requirements Specification in Agile Software Development
- 2021
-
In: Proceedings of the IEEE International Conference on Requirements Engineering. - : IEEE Computer Society. - 9781665428569 ; , s. 512-513
-
Conference paper (peer-reviewed)abstract
- Privacy has become a concern in Agile Software Development (ASD), either to satisfy users' needs or to comply with privacy laws. However, recent studies have shown that ASD approaches still neglect non-functional requirements (NFRs), as is the privacy case. This concern and new data protection laws that came into force recently led companies to face the challenges to understand the laws and to comply with them. In addition, research has shown that many developers do not have sufficient knowledge about how to develop privacy-sensitive software. Motivated by this scenario, this tutorial aims to draw attention to the need to understand privacy from the beginning of the software development lifecycle. Initially, we will present an overview of privacy, as well as several privacy principles. Later, we will show the main data protection laws (In-depth detailing of the General Data Protection Regulation - GDPR). Then, we will discuss how to read and evaluate privacy policies. Finally, we will present an approach for specifying privacy requirements in ASD called Privacy Criteria Method (PCM). At the end of the tutorial, participants will be able to have a critical and technical view of privacy when performing the requirements specification activity. © 2021 IEEE.
|
|
| 4. |
- Peixoto, Mariana, et al.
(author)
-
The perspective of Brazilian software developers on data privacy
- 2023
-
In: Journal of Systems and Software. - : Elsevier. - 0164-1212 .- 1873-1228. ; 195
-
Journal article (peer-reviewed)abstract
- Context: Maintaining the privacy of user data is a concern in software development to satisfy customer needs or to comply with privacy laws. Recent studies have shown that software development approaches still neglect non-functional requirements, including privacy. Concern about privacy may increase in the period between when a privacy law is initially announced and when it is passed into law. During this period, companies will be challenged to comply with the new law. Research has shown that many developers do not have sufficient knowledge to develop privacy-preserving software systems.Objective: We investigate the level of knowledge and understanding that developers possess regarding privacy. We explore the personal, behavioural, and external environmental factors affecting a developer's decision-making regarding privacy requirements.Methods: We replicated a study by means of in-depth, semi-structured interviews with thirteen practitioners at six companies. Our data analysis is based on the principles of ‘grounded theory codification’.Results: We identified nine personal factors, five behavioural factors, and seven external environment factors that are relevant to how software developers make decisions regarding.Conclusion: Our identification of factors that influence the development of privacy-preserving software systems can be seen as a contribution to the specification of effective methods for securing privacy. © 2022 Elsevier Inc.
|
|
| 5. |
- Vilela, Jéssyka, et al.
(author)
-
Assessment of safety processes in requirements engineering
- 2018
-
In: Proceedings - 2018 IEEE 26th International Requirements Engineering Conference, RE 2018. - : Institute of Electrical and Electronics Engineers Inc.. - 9781538674185 ; , s. 358-363
-
Conference paper (peer-reviewed)abstract
- Context: Requirements issues tend to be mitigated in organizations with high process maturity levels since they do their business in a systematic, consistent and proactive approach. In a Safety-Critical System (SCS), requirements problems have been associated with accidents and safety incidents. Objective: This work investigates which safety practices/actions are suitable to be used in the Requirements Engineering (RE) process of SCS and how to design a safety maturity model for this area. Method: we adopted different empirical techniques to propose Uni-REPM SCS, which consists of a safety module to be included in the Unified Requirements Engineering Process Maturity Model (Uni-REPM). Results: The safety module has seven main processes, 14 sub-processes and 148 safety actions describing principles and practices that form the basis of safety processes maturity. Conclusions: Preliminary validation with two practitioners and nine academic experts indicates that the safety module can help organizations to evaluate their current safety practices with respect to their RE process. Moreover, it also offers a step-wise improvement strategy to raise their safety maturity level. © 2018 IEEE.
|
|
| 6. |
- Vilela, Jéssyka Flavyanne Ferreira, et al.
(author)
-
Safety Practices in Requirements Engineering : The Uni-REPM Safety Module
- 2020
-
In: IEEE Transactions on Software Engineering. - : Institute of Electrical and Electronics Engineers Inc.. - 0098-5589 .- 1939-3520. ; 46:3, s. 222-250
-
Journal article (peer-reviewed)abstract
- Context: Software is an important part in safety- critical system (SCS) development since it is becoming a major source of hazards. Requirements-related hazards have been as- sociated with many accidents and safety incidents. Requirements issues tend to be mitigated in companies with high processes maturity levels since they do their business in a systematic, consistent and proactive approach. However, requirements en- gineers need systematic guidance to consider safety concerns early in the development process. Goal: the paper investigates which safety practices are suitable to be used in the Requirements Engineering (RE) process for SCS and how to design a safety maturity model for this area. Method: we followed the design science methodology to propose Uni-REPM SCS, a safety module for Unified Requirements Engineering Process Maturity Model (Uni-REPM). We also conducted a static validation with two practitioners and nine academic experts to evaluate its coverage, correctness, usefulness and applicability. Results: The module has seven main processes, fourteen sub-processes and 148 practices that form the basis of safety processes maturity. Moreover, we describe its usage through a tool. Conclusions: The validation indicates a good coverage of practices and well receptivity by the experts. Finally, the module can help companies in evaluating their current practices. IEEE
|
|
| 7. |
- Vilela, Jéssyka, et al.
(author)
-
Integration between requirements engineering and safety analysis : A systematic literature review
- 2017
-
In: Journal of Systems and Software. - : Elsevier. - 0164-1212 .- 1873-1228. ; 125, s. 68-92
-
Journal article (peer-reviewed)abstract
- Context: Safety-Critical Systems (SCS) require more sophisticated requirements engineering (RE) approaches as inadequate, incomplete or misunderstood requirements have been recognized as a major cause in many accidents and safety-related catastrophes. Objective: In order to cope with the complexity of specifying SCS by RE, we investigate the approaches proposed to improve the communication or integration between RE and safety engineering in SCS development. We analyze the activities that should be performed by RE during safety analysis, the hazard/safety techniques it could use, the relationships between safety information that it should specify, the tools to support safety analysis as well as integration benefits between these areas. Method: We use a Systematic Literature Review (SLR) as the basis for our work. Results: We developed four taxonomies to help RE during specification of SCS that classify: techniques used in (1) hazard analysis; (2) safety analysis; (3) safety-related information and (4) a detailed set of information regarding hazards specification. Conclusions: This paper is a step towards developing a body of knowledge in safety concerns necessary to RE in the specification of SCS that is derived from a large-scale SLR. We believe the results will benefit both researchers and practitioners.
|
|
| 8. |
- Vilela, Jéssyka, et al.
(author)
-
Requirements communication in safety-critical systems
- 2019
-
In: Anais do WER 2019 - Workshop em Engenharia de Requisitos. - : PUC-Rio, Pontificia Universidade Catolica do Rio de Janeiro. - 9788590717126
-
Conference paper (peer-reviewed)abstract
- Context: Safety-critical systems (SCS) are mainly controlled by software. Accordingly, the development of these systems must be carefully planned since inadequate or misunderstood requirements have been recognized as the major cause of a significant proportion of accidents and safety-related catastrophes. Objective: We investigate the integration and requirements communication in the requirements engineering (RE) process among different parties when developing SCS. Method: We used a Systematic Mapping Study as the basis for our work. Results: We analyze the challenges and needs involved, application context, research type, evaluation methods, type of contribution, domain, requirements activity as well as languages and tools used to specify safety requirements. Furthermore, we also analyze stakeholders involved, communication format, and for what safety standards have the approaches been proposed. Conclusions: We believe the results of such a study will benefit both researchers and practitioners. This information contributes to setting up possible collaborative networks and as a reference when developing new research projects. © 2019 Anais do WER 2019 - Workshop em Engenharia de Requisitos. All rights reserved.
|
|
| 9. |
- Vilela, Jéssyka, et al.
(author)
-
Safe-RE : A safety requirements metamodel based on industry safety standards
- 2018
-
In: ACM International Conference Proceeding Series. - New York, NY, USA : Association for Computing Machinery. - 9781450365031 ; , s. 196-201
-
Conference paper (peer-reviewed)abstract
- Context: The development of Safety-Critical Systems (SCS) requires an adequate understanding of safety terms to avoid the specification of poor, incomplete or unclear safety requirements. However, there are some misunderstandings, mostly by requirements engineers, about the definition of such concepts. Hence, integration of safety concerns in the Requirements Engineering (RE) and a common nomenclature is necessary to improve the specification of these systems. Objective: To fill this gap, this paper presents Safe-RE, a safety requirements metamodel based on industry safety standards whose aim is to support the specification of safety-related concepts in the RE process. Method: We rely on safety standards as a basis for our work since companies must follow them to have their systems certified. Results: To illustrate the Safe-RE metamodel usage, we applied its concepts in an insulin infusion pump system. Conclusions: We hope that Safe-RE can contribute to improving the elicitation and specifications of such systems and therefore, reducing accidents and safety-related catastrophes. We also discuss some benefits we envision of using the metamodel, its limitations, and open issues. © 2018 Association for Computing Machinery.
|
|
| 10. |
- Vilela, Jessyka, et al.
(author)
-
Specifying Safety Requirements with GORE languages
- 2017
-
In: XXXI BRAZILIAN SYMPOSIUM ON SOFTWARE ENGINEERING (SBES 2017). - New York, NY, USA : Association for Computing Machinery (ACM). - 9781450353267 ; , s. 154-163
-
Conference paper (peer-reviewed)abstract
- Context: A suitable representation of Safety-Critical Systems (SCS) requirements is crucial to avoid misunderstandings in safety requirements and issues in safety specification. However, current general requirements specification languages do not fully support the particularities of specifying SCS. Objective: In this paper, our goal is to identify and propose a set of important features that should be provided by requirements languages to support an early safety requirements specification. Moreover, we aim to compare the ability of the four most used Goal-Oriented Requirements Engineering (GORE) languages (i*, KAOS, GRL, NFR-Framework) in supporting the proposed features. Method: We first established a conceptual foundation and a conceptual model based on the literature, challenges elicited in previous works, and demands of safety standards at the requirements level that practitioners must satisfy in order to certify their systems. Results: We proposed a set of 15 features that requirements languages should provide to an early safety requirements specification. Regarding the comparison of GORE languages, in summary, all surveyed languages lacks explicit modeling constructs to express how hazards can occur in the system, the accidents, their impact and how they can mitigated. Conclusions: The conceptual foundation, conceptual model, and the set of features is a novelty. Finally, the features can be used to propose new requirements languages for SCS or to define extensions for the ones already available.
|
|
