The UMBC Cyber Defense Lab presents
Regulatory Compliance Software Engineering:
Understanding Ambiguity in Privacy and Security Requirements
Aaron Massey
Department of Information Systems
University of Maryland, Baltimore County
11:15am-12:30pm Friday, 4 November 2016, ITE 229
Software engineers building software systems in regulated environments must ensure that software requirements accurately represent obligations described in laws and regulations. Ambiguities in legal texts can make the difference between compliance and non-compliance. Ensuring alignment and compatibility is challenging because policy analysts who write laws and regulations approach ambiguity differently than the software engineers who implement software in regulated environments. Although software regulation continues to increase in visibility, prevalence, and importance–particularly for security and privacy, few software processes address challenge of identifying, classifying, and understanding regulatory ambiguity. Herein, we develop an ambiguity taxonomy based on software engineering, legal, and linguistic approaches to ambiguity. We also present two case studies of policy analysts and technologists identifying and classifying ambiguities in a portion of the Health Insurance Portability and Accountability Act (HIPAA) using this taxonomy. Results of this work suggest that the taxonomy developed can serve as a guide for identifying and classifying ambiguity but participants were not able to consistently agree on a rationale defending their ambiguity classification. These results suggest a strategy for addressing ambiguities in regulatory text—software engineers are likely to be successful at identifying elements of a legal text that then require supplemental expertise to resolve. The contributions of this work include the ambiguity taxonomy developed as well as mechanism for reporting identified ambiguities in a legal text which we call Ambiguity Intensity Maps.
Aaron Massey is an Assistant Professor of Software Engineering at UMBC and the Co-Director of ThePrivacyPlace.org. His research interests include computer security, privacy, software engineering, and regulatory compliance in software systems. Aaron is a recipient of the Walter H. Wilkinson Graduate Research Ethics Fellowship and a recipient of a Google Policy Fellowship. Before coming to UMBC, he was a Postdoctoral Fellow at Georgia Tech’s School of Interactive Computing. Aaron earned a PhD and MS in Computer Science from North Carolina State University and a BS in Computer Engineering from Purdue University. He is a member of the ACM, IEEE, IAPP, and the USACM Public Policy Council.