Perceptions of ICT Practitioners Regarding Software Privacy
Abstract
1. Introduction
2. Background and Related Works
2.1. Systems’ Privacy
2.2. Privacy Requirements
2.3. Privacy and Design
- Be proactive and preventive;
- Adopt privacy as a standard (defining specification purpose, collection limitation, data minimization, use limitation, retention, and disclosure);
- Incorporate privacy into design;
- Ensure full functionality (incorporation of privacy must be implemented without compromising functionality);
- Ensure security and protection throughout the whole data lifecycle;
- Give visibility and transparency (with accountability, openness and compliance);
- Respect user privacy.
- Privacy engineering methods that are approaches to systematically capture and address privacy issues during the development, management, and maintenance of information systems;
- Privacy engineering techniques that relate to procedures (a prescribed language or notation) for performing privacy engineering tasks or activities; and
- Privacy engineering tools (automated) to support privacy engineers during part of a privacy engineering process.
2.4. Brazilian General Data Protection Law (LGPD)
- Allows individuals to request the deletion of their personal information unless an exception applies;
- Requires controllers to provide people with a detailed privacy notice, presenting information about the processing of their personal data;
- Gives data subjects the right to object to the processing of their personal data;
- Explicitly recognizes the principle of non-discrimination as a fundamental principle of data protection;
- Recognizes the right to data portability for data subjects. This concerns personal data determined as information regarding an identified or identifiable individual.
3. Study Settings
3.1. Research Goal
3.2. Research Questions
- RQ.1. According to the literature, what are the methodologies and techniques used to conduct software privacy and privacy requirements elicitation?
- RQ.2. What is the perception of privacy among ICT practitioners involved in software development projects?
- RQ.3. How do ICT practitioners interpret and implement the concept of privacy in their daily activities? (That is, current privacy practices adopted by the organization.)
- RQ.4. How do ICT practitioners interpret the concept of privacy in the light of the LGPD to be implemented in 2020? (That is, future privacy practices.)
3.3. Systematic Literature Review
3.3.1. Search Strategy
3.3.2. Selection Criteria
3.3.3. Screening Process
3.3.4. Data Extraction
4. Results and Discussion
4.1. RQ.1. According to the Literature, What Are the Methodologies and Techniques Used to Conduct Software Privacy and Privacy Requirements’ Elicitation?
4.2. Survey Results
4.2.1. RQ.2. What Is the Perception of Privacy among ICT Practitioners Involved in Software Development Projects?
- proactive not reactive, which focuses on prevention;
- privacy as the default setting;
- privacy embedded into design;
- full functionality;
- end-to-end security;
- visibility and transparency;
- respect for user privacy.
4.2.2. RQ.3. How Do ICT Practitioners Interpret and Implement the Concept of Privacy in Their Daily Activities? (That Is, Current Privacy Practices Adopted by the Organization)
4.2.3. RQ.4. How Do ICT Practitioners Interpret the Concept of Privacy in the Light of the LGPD to Be Implemented in 2020? (That Is, Future Privacy Practices)
5. Threats to Validity
6. Conclusions
Author Contributions
Funding
Acknowledgments
Conflicts of Interest
References
1. Kalloniatis, C. Incorporating privacy in the design of cloud-based systems: A conceptual meta-model. Inf. Comput. Secur. 2017, 25, 614–633.
2. Zlatolas, L.N.; Welzer, T.; Hölbl, M.; Hericko, M.; Kamisalic, A. A Model of Perception of Privacy, Trust, and Self-Disclosure on Online Social Networks. Entropy 2019, 21, 772.
3. Hadar, I.; Hasson, T.; Ayalon, O.; Toch, E.; Birnhack, M.; Sherman, S.; Balissa, A. Privacy by designers: Software developers’ privacy mindset. Empir. Softw. Eng. 2018, 23, 259–289.
4. He, Q.; Antón, A.I. A framework for modeling privacy requirements in role engineering. Proc. REFSQ 2003, 3, 37–146.
5. Deng, M.; Wuyts, K.; Scandariato, R.; Preneel, B.; Joosen, W. A privacy threat analysis framework: Supporting the elicitation and fulfillment of privacy requirements. Requir. Eng. 2011, 16, 3–32.
6. Kalloniatis, C.; Kavakli, E.; Gritzalis, S. Addressing privacy requirements in system design: The PriS method. Requir. Eng. 2008, 13, 241–255.
7. Islam, S.; Mouratidis, H.; Kalloniatis, C.; Hudic, A.; Zechner, L. Model Based Process to Support Security and Privacy Requirements Engineering. IJSSE 2012, 3, 1–22.
8. Kalloniatis, C.; Kavakli, E.; Kontellis, E. Pris Tool: A Case Tool For Privacy-Oriented Requirements Engineering. In MCIS; AISeL: New York, NY, USA, 2009; p. 71.
9. Liu, L.; Yu, E.S.K.; Mylopoulos, J. Security and Privacy Requirements Analysis within a Social Setting. In Proceedings of the 11th IEEE International Requirements Engineering Conference, Monterey Bay, CA, USA, 8–12 September 2003; pp. 151–161.
10. Jensen, C.; Tullio, J.; Potts, C.; Mynatt, E.D. STRAP: A Structured Analysis Framework for Privacy; Technical Report; Georgia Institute of Technology: Atlanta, GA, USA, 2005.
11. Pullonen, P.; Tom, J.; Matulevicius, R.; Toots, A. Privacy-enhanced BPMN: Enabling data privacy analysis in business processes models. Softw. Syst. Model. 2019, 18, 3235–3264.
12. Mouratidis, H.; Shei, S.; Delaney, A. A security requirements modelling language for cloud computing environments. Softw. Syst. Model. 2019.
13. Bednar, K.; Spiekermann, S.; Langheinrich, M. Engineering Privacy by Design: Are engineers ready to live up to the challenge? Inf. Soc. 2019, 35, 122–142.
14. Ayalon, O.; Toch, E.; Hadar, I.; Birnhack, M. How Developers Make Design Decisions about Users’ Privacy: The Place of Professional Communities and Organizational Climate. In Proceedings of the 20th ACM Conference on Computer-Supported Cooperative Work and Social Computing, Portland, OR, USA, 25 February–1 March 2017; pp. 135–138.
15. Westin, A. Privacy and Freedom; Atheneum: New York, NY, USA, 1967.
16. Finn, R.L.; Wright, D.; Friedewald, M. Seven Types of Privacy. In European Data Protection; Gutwirth, S., Leenes, R., de Hert, P., Poullet, Y., Eds.; Springer: Dordrecht, The Netherlands, 2013; pp. 3–32.
17. Dennedy, M.F.; Fox, J.; Finneran, T. The Privacy Engineer’s Manifesto; Apress Open: New York, NY, USA, 2014.
18. Da República, P. Lei Geral de Proteção de Dados Pessoais (LGPD). Available online: http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm (accessed on 10 November 2019).
19. Regulation, G.D.P. EU Data Protection Rules. Available online: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en (accessed on 12 October 2019).
20. ISO. IEC 29100, 2011. BS ISO/IEC29100: Information Technology—Security Techniques—Privacy Framework. Available online: https://www.iso.org/standard/45123.html (accessed on 14 November 2019).
21. Spiekermann, S. The challenges of privacy by design. Commun. ACM 2012, 55, 38–40.
22. Danezis, G.; Domingo-Ferrer, J.; Hansen, M.; Hoepman, J.; Métayer, D.L.; Tirtea, R.; Schiffner, S. Privacy and Data Protection by Design - from policy to engineering. arXiv 2015, arXiv:1501.03726.
23. Cavoukian, A.; Taylor, S.; Abrams, M.E. Privacy by Design: Essential for organizational accountability and strong business practices. Identity Inf. Soc. 2010, 3, 405–413.
24. Kim, S.; Chung, Y.D. An anonymization protocol for continuous and dynamic privacy-preserving data collection. Future Gener. Comp. Syst. 2019, 93, 1065–1073.
25. Webster, I.; Ivanova, V.; Cysneiros, L.M. Reusable Knowledge for Achieving Privacy: A Canadian Health Information Technologies Perspective. In Proceedings of the Anais do WER05—Workshop em Engenharia de Requisitos, Porto, Portugal, 13–14 June 2005; pp. 112–122.
26. Beckers, K. Comparing Privacy Requirements Engineering Approaches. In Proceedings of the 7th International Conference on Availability, Reliability and Security, Prague, Czech Republic, 20–24 August 2012; pp. 574–581.
27. Van Dijk, N.; Tanas, A.; Rommetveit, K.; Raab, C. Right engineering? The redesign of privacy and personal data protection. Int. Rev. Law Comput. Technol. 2018, 32, 230–256.
28. Rubenstein, I.S.; Good, N. Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents. Berkeley Tech. LJ 2013.
29. Gurses, S.; del Álamo, J.M. Privacy Engineering: Shaping an Emerging Field of Research and Practice. IEEE Secur. Priv. 2016, 14, 40–46.
30. OneTrust DataGuidance. Comparing Privacy Laws: GDPR versus LGPD. Available online: https://www.dataguidance.com/comparing-privacy-laws-gdpr-v-lgpd-2/ (accessed on 16 October 2019).
31. Ayala-Rivera, V.; Pasquale, L. The Grace Period Has Ended: An Approach to Operationalize GDPR Requirements. In Proceedings of the 26th IEEE International Requirements Engineering Conference (RE 2018), Banff, AB, Canada, 20–24 August 2018; pp. 136–146.
32. Kitchenham, B.A.; Brereton, P.; Budgen, D.; Turner, M.; Bailey, J.; Linkman, S.G. Systematic literature reviews in software engineering—A systematic literature review. Inf. Softw. Technol. 2009, 51, 7–15.
33. Kitchenham, B.; Charters, S. Guidelines for performing systematic literature reviews in software engineering. Engineering 2007, 45, 1051.
34. Kitchenham, B. Procedures for performing systematic reviews. Keele UK Keele Univ. 2004, 33, 1–26.
35. Silva, F.S.; Soares, F.S.F.; Peres, A.L.; de Azevedo, I.M.; Vasconcelos, A.P.L.; Kamei, F.K.; de Lemos Meira, S.R. Using CMMI together with agile software development: A systematic review. Inf. Softw. Technol. 2015, 58, 20–43.
36. Bijwe, A.; Mead, N.R. Adapting the Square Process for Privacy Requirements Engineering; Software Engineering Institute: Pittsburgh, PA, USA, 2010.
37. Peixoto, M.; Silva, C.; Lima, R.; Araújo, J.; Gorschek, T.; Silva, J. PCM Tool: Privacy Requirements Specification in Agile Software Development. In Anais Estendidos da Conferência Brasileira de Software: Teoria e Prática; Brazilian Computing Society: Porto Alegre, Brazil, 2019; pp. 108–113.
38. Miyazaki, S.; Mead, N.R.; Zhan, J. Computer-Aided Privacy Requirements Elicitation Technique. In Proceedings of the 3rd IEEE Asia-Pacific Services Computing Conference, Yilan, Taiwan, 9–12 December 2008; pp. 367–372.
39. Stach, C.; Steimle, F. Recommender-based privacy requirements elicitation—EPICUREAN: An approach to simplify privacy settings in IoT applications with respect to the GDPR. In Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, Limassol, Cyprus, 8–12 April 2019; pp. 1500–1507.
40. Cavoukian, A. Privacy by Design [Leading Edge]. IEEE Technol. Soc. Mag. 2012, 31, 18–19.
41. Alqassem, I. Privacy and security requirements framework for the internet of things (IoT). In Proceedings of the 36th International Conference on Software Engineering, Hyderabad, India, 31 May–7 June 2014; pp. 739–741.
42. Alqassem, I.; Svetinovic, D. A taxonomy of security and privacy requirements for the Internet of Things (IoT). In Proceedings of the 2014 IEEE International Conference on Industrial Engineering and Engineering Management, Petaling Jaya, Malaysia, 9–12 December 2014; pp. 1244–1248.
43. Mohammadi, N.G.; Leicht, J.; Ulfat-Bunyadi, N.; Heisel, M. Privacy Policy Specification Framework for Addressing End-Users’ Privacy Requirements. In Proceedings of the 16th International Conference on Trust, Privacy and Security in Digital Business, Linz, Austria, 26–29 August 2019; pp. 46–62.
44. Rudolph, M.; Polst, S.; Dörr, J. Enabling Users to Specify Correct Privacy Requirements. In Proceedings of the 25th International Working Conference on Requirements Engineering: Foundation for Software Quality, Essen, Germany, 18–21 March 2019; pp. 39–54.
45. Farhadi, M.; Haddad, H.; Shahriar, H. Compliance Checking of Open Source EHR Applications for HIPAA and ONC Security and Privacy Requirements. In Proceedings of the 43rd IEEE Annual Computer Software and Applications Conference (COMPSAC 2019), Milwaukee, WI, USA, 15–19 July 2019; pp. 704–713.
46. Ermakova, T.; Fabian, B.; Zarnekow, R. Security and Privacy System Requirements for Adopting Cloud Computing in Healthcare Data Sharing Scenarios. In Proceedings of the 19th Americas Conference on Information Systems, Chicago, IL, USA, 15–17 August 2013; pp. 1–10.
47. Argyropoulos, N.; Shei, S.; Kalloniatis, C.; Mouratidis, H.; Delaney, A.; Fish, A.; Gritzalis, S. A Semi-Automatic Approach for Eliciting Cloud Security and Privacy Requirements. In Proceedings of the 50th Hawaii International Conference on System Sciences, Hilton Waikoloa Village, HI, USA, 4–7 January 2017; pp. 1–10.
48. Peixoto, M.M.; Silva, C. Specifying privacy requirements with goal-oriented modeling languages. In Proceedings of the XXXII Brazilian Symposium on Software Engineering, Sao Carlos, Brazil, 17–21 September 2018; pp. 112–121.
49. Mai, P.X.; Goknil, A.; Shar, L.K.; Pastore, F.; Briand, L.C.; Shaame, S. Modeling Security and Privacy Requirements: A Use Case-Driven Approach. Inf. Softw. Technol. 2018, 100, 165–182.
50. Salnitri, M.; Angelopoulos, K.; Pavlidis, M.; Diamantopoulou, V.; Mouratidis, H.; Giorgini, P. Modelling the interplay of security, privacy and trust in sociotechnical systems: A computer-aided design approach. Softw. Syst. Model. 2020, 19, 467–491.
51. Peixoto, M.M.; Ferreira, D.; Cavalcanti, M.; Silva, C.; Vilela, J.; Araújo, J.; Gorschek, T. On Understanding How Developers Perceive and Interpret Privacy Requirements Research Preview. In Proceedings of the International Working Conference on Requirements Engineering: Foundation for Software Quality, Pisa, Italy, 24–27 March 2020; pp. 116–123.
52. Alkubaisy, D.; Cox, K.; Mouratidis, H. Towards Detecting and Mitigating Conflicts for Privacy and Security Requirements. In Proceedings of the 13th International Conference on Research Challenges in Information Science, Brussels, Belgium, 29–31 May 2019; pp. 1–6.
53. Mavroeidi, A.G.; Kitsiou, A.; Kalloniatis, C. The Role of Gamification in Privacy Protection and User Engagement. Available online: https://www.intechopen.com/online-first/the-role-of-gamification-in-privacy-protection-and-user-engagement (accessed on 8 November 2019).
54. Perera, C.; Barhamgi, M.; Bandara, A.K.; Azad, M.A.; Price, B.A.; Nuseibeh, B. Designing privacy-aware internet of things applications. Inf. Sci. 2020, 512, 238–257.
55. Allen, I.E.; Seaman, C.A. Likert scales and data analyses. Qual. Prog. 2007, 40, 64–65.
56. Sindre, G.; Opdahl, A.L. Eliciting security requirements with misuse cases. Requir. Eng. 2005, 10, 34–44.
57. Ghazi, P.; Abad, Z.S.H.; Glinz, M. Choosing Requirements for Experimentation with User Interfaces of Requirements Modeling Tools. In Proceedings of the 2017 IEEE 25th International Requirements Engineering Conference, Lisbon, Portugal, 4–8 September 2017; pp. 462–463.
58. Levy, M.; Hadar, I. The Importance of Empathy for Analyzing Privacy Requirements. In Proceedings of the 5th International Workshop on Evolving Security and Privacy Requirements Engineering, Banff, AB, Canada, 20 August 2018; pp. 9–13.
59. Islam, S.; Ouedraogo, M.; Kalloniatis, C.; Mouratidis, H.; Gritzalis, S. Assurance of Security and Privacy Requirements for Cloud Deployment Models. IEEE Trans. Cloud Comput. 2018, 6, 387–400.
60. Kammüller, F.; Augusto, J.C.; Jones, S. Security and privacy requirements engineering for human centric IoT systems using eFRIEND and Isabelle. In Proceedings of the 15th International Conference on Software Engineering Research, Management and Applications (SERA 2017), London, UK, 7–9 June 2017; pp. 401–406.
61. Logrippo, L.; Stambouli, A. Configuring Data Flows in the Internet of Things for Security and Privacy Requirements. In Proceedings of the 12th International Symposium on Foundations and Practice of Security, Montreal, QC, Canada, 13–15 November 2018; pp. 115–130.
62. Mehri, V.A.; Ilie, D.; Tutschku, K. Privacy and DRM Requirements for Collaborative Development of AI Applications. In Proceedings of the 13th International Conference on Availability, Reliability and Security, Hamburg, Germany, 27–30 August 2018; pp. 1–8.
63. Spiekermann, S.; Korunovska, J.; Langheinrich, M. Inside the Organization: Why Privacy and Security Engineering Is a Challenge for Engineers. Proc. IEEE 2019, 107, 600–615.
64. Cavoukian, A. Understanding How to Implement Privacy by Design, One Step at a Time. IEEE Consum. Electron. Mag. 2020, 9, 78–82.
65. Amorim, J.A.; Åhlfeldt, R.; Gustavsson, P.M.; Andler, S.F. Privacy and Security in Cyberspace: Training Perspectives on the Personal Data Ecosystem. In Proceedings of the 2013 European Intelligence and Security Informatics Conference, Uppsala, Sweden, 12–14 August 2013; pp. 139–142.
66. Otto, P.N.; Antón, A.I. Addressing Legal Requirements in Requirements Engineering. In Proceedings of the 15th IEEE International Requirements Engineering Conference (RE 2007), New Delhi, India, 15–19 October 2007; pp. 5–14.

LGPD | GDPR |
---|---|
Purpose: execution of the processing for legitimate, specific, explicit and informed purposes to the data subject, with no possibility of further processing in a manner incompatible with those purposes. | Purpose limitation—“collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes”. |
Adequacy: Agreement of processing with the purposes reported to the data holder, being consistent with the context of the processing. | Storage limitation—“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals”. |
Needs: Limitation of the treatment to the minimum necessary to achieve its ends, with coverage of relevant data, proportional and not excessive concerning the data processing purposes. | Data Minimization—“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. |
Open Access: Assurance to data subjects, free and accessible information about the form and duration of data processing, as well as the completeness of their sensitive data. | Individuals have the right to access their personal data. (Not considered a principle, but a right.) |
Data Quality: Ensure data holders the accuracy, clarity, relevance, and updating of the data, as necessary, and the purposes of its processing. | Accuracy (Accurate, up to date, erased or rectified)—“accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”. |
Transparency: Guarantee, to the data holders, of precise, reliable and readily available information on the execution of the processing and its corresponding processing agents, subject to commercial and industrial secrets. | Lawfulness, fairness, and transparency—“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”. |
Security: Use of administrative and technical standards to protect personal data from unauthorized access and unexpected or unlawful situations of destruction, loss, alteration, communication, or dissemination. | Integrity and confidentiality—“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”. |
Prevention: Adoption of means to prevent the appearance of damages due to the personal data processing. | Right to be informed. (Not considered a principle, but a right.) |
Non-discrimination: Inability to perform data processing for illicit or abusive discriminatory purposes. The data subject has the right to request a review of the decision, and the supervisory authority may examine it to check discriminatory aspects in the automated processing of personal data. | (Not considered a principle, but a right.) |
Accountability and Legal reporting: The agent demonstrates the adoption of effective measures, capable of proving the observance and compliance with personal data protection rules, including the effectiveness of such measures. | Accountability—the controller will be responsible and will be able to demonstrate compliance with the GDPR. |

ID | Title | Reference |
---|---|---|
E1 | A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements | [5] |
E2 | Adapting the square process for privacy requirements engineering | [36] |
E3 | Pris Tool: A Case Tool For Privacy-Oriented Requirements Engineering | [8] |
E4 | A framework for modeling privacy requirements in role engineering | [4] |
E5 | STRAP: a structured analysis framework for privacy | [10] |
E6 | Security and Privacy Requirements Analysis within a Social Setting | [9] |
E7 | PCM Tool: Privacy Requirements Specification in Agile Software Development | [37] |
E8 | Computer-Aided Privacy Requirements Elicitation Technique | [38] |
E9 | Recommender-based privacy requirements elicitation – EPICUREAN: an approach to simplify privacy settings in IoT applications with respect to the GDPR | [39] |
E10 | Engineering Privacy by Design: Are engineers ready to live up to the challenge? | [13] |
E11 | Privacy by designers: software developers’ privacy mindset | [3] |
E12 | Privacy by Design Leading Edge | [40] |
E13 | How Developers Make Design Decisions about Users’ Privacy: The Place of Professional Communities and Organizational Climate | [14] |
E14 | Privacy and Data Protection by Design – from policy to engineering | [22] |
E15 | The challenges of privacy by design | [21] |
E16 | Comparing Privacy Requirements Engineering Approaches | [26] |
E17 | Addressing privacy requirements in system design: the PriS method | [6] |
E18 | Incorporating privacy in the design of cloud-based systems: a conceptual meta-model | [1] |
E19 | The Grace Period Has Ended: An Approach to Operationalize GDPR Requirements | [31] |
E20 | Security and Privacy Requirements Analysis within a Social Setting | [9] |
E21 | Model Based Process to Support Security and Privacy Requirements Engineering | [7] |
E22 | A framework for modeling privacy requirements in role engineering | [4] |
E23 | Privacy and security requirements framework for the internet of things (IoT) | [41] |
E24 | A taxonomy of security and privacy requirements for the Internet of Things (IoT) | [42] |
E25 | Privacy Policy Specification Framework for Addressing End-Users’ Privacy Requirements | [43] |
E26 | Enabling Users to Specify Correct Privacy Requirements | [44] |
E27 | Compliance Checking of Open Source EHR Applications for HIPAA and ONC Security and Privacy Requirements | [45] |
E28 | Security and Privacy System Requirements for Adopting Cloud Computing in Healthcare Data Sharing Scenarios | [46] |
E29 | A Semi-Automatic Approach for Eliciting Cloud Security and Privacy Requirements | [47] |
E30 | Specifying privacy requirements with goal-oriented modeling languages | [48] |
E31 | Modeling Security and Privacy Requirements: a Use Case-Driven Approach | [49] |
E32 | Modelling the interplay of security, privacy and trust in sociotechnical systems: a computer-aided design approach | [50] |
E33 | On Understanding How Developers Perceive and Interpret Privacy Requirements Research Preview | [51] |
E34 | Towards Detecting and Mitigating Conflicts for Privacy and Security Requirements | [52] |
E35 | The Role of Gamification in Privacy Protection and User Engagement | [53] |
E36 | Designing privacy-aware internet of things applications | [54] |

Methodology | Description | Tool | Reference |
---|---|---|---|
LINDDUN | LINDDUN aims to support the elicitation and fulfillment of privacy requirements in software-based systems through a privacy threat analysis framework. | Design of a data flow diagram (DFD) of the system | [5] |
SQUARE for Privacy | SQUARE for privacy follows the same steps as the original SQUARE method in conjunction with the Privacy Requirements Elicitation Technique (PRET). | PRET tool | [36] |
PriS | PriS is referred to as a goal-oriented approach that considers privacy requirements as organizational goals that have to be achieved by the system. | Pris | [8] |
Role-Based Access Control (RBAC) | The RBAC framework is an agent-oriented framework that aims to model privacy requirements and to map users’ roles and permissions in a structured way. | Not supported | [4] |
STRAP | STRAP is referred to as a goal-oriented approach. It is based on a structured analysis of privacy vulnerabilities, as well as on an iterative process of four steps (Analysis, Refinement, Evaluation and Iteration) for the integration of preferences. | Not supported | [10] |
Secure Tropos with PriS | A model-based process that takes into consideration security and privacy concepts in parallel at the early stages of system analysis and design. | Not supported | [7] |
i* method | Agent-oriented method that focuses on system agents and their interdependencies and aims to analyze, model, and design the organization’s processes at the early stages of system design. | Organization Modelling Environment (OME) | [9] |
Privacy Criteria Method | Privacy Criteria Method (PCM)—an approach designed to guide the specification of privacy requirements in agile software development. | PCM Tool | [37] |
Pret | Computer-Aided Privacy Requirements Elicitation Technique that helps software developers elicit privacy requirements more efficiently in the early stages of software development. | PRET tool | [38] |
EPICUREAN | EPICUREAN is a recommender-based privacy requirements elicitation approach. EPICUREAN uses modeling and data mining techniques to determine and recommend appropriate privacy settings to the user. | EPICUREAN Knowledge Model | [39] |
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Dias Canedo, E.; Toffano Seidel Calazans, A.; Toffano Seidel Masson, E.; Teixeira Costa, P.H.; Lima, F. Perceptions of ICT Practitioners Regarding Software Privacy. Entropy 2020, 22, 429. https://doi.org/10.3390/e22040429