[AE01] A.I. AntŪn and J.B. Earp. "Strategies for Developing Policies and Requirements for Secure Electronic Commerce Systems." Accepted to the 1st ACM Workshop on Security and Privacy in E-Commerce (CCS 2000), Athens, Greece, 1-4 November 2000.
Abstract: There is a need for a balance between security and information accessibility for business functionality. A well-developed security policy that is followed is very important in electronic commerce systems. There have been two approaches to security policy management, but both fall short when it comes to defining requirements. Privacy is seen in many realms including electronic commerce. Privacy is involved with all areas of an application including electronic commerce, database management, security techniques, telecommunications, collaborative systems and systems implementation. It is important to think of these issues before the system is complete. It is necessary for privacy policies to be developed properly and for the system to correspond to the policy. Goals are easier to use than requirements when communicating between analysts and stakeholders. GBRAM Goal-Based Requirements Analysis Method is a method for defining system and enterprise goals and requirements. It uses four principles: identification, classification, refinement, and elaboration. Risk assessment is important in creating goals.
When a risk has been identified, there is either goal refinement or a new goal or sub-goal is added to respond to the risk. There are six classes of goals in the GBRAM: user, system, communication, security, knowledge, and quality. The analysis of goals and scenarios is to help formulate policy goals and to make sure the system is consistent with the policies.
Notes:
This is a tool to help organizations develop policy goals and follow them.
Scenarios - descriptions of concrete system behaviors
?s:
[AEP01] A.I. AntŪn, J.B. Earp, C. Potts and T.A. Aslpaugh. "The Role of Policy Stakeholder Privacy Values in Requirements Engineering." IEEE 5th International Symposium on Requirements Engineering (RE'01), Toronto, Canada, August 2001.
Abstract: In electronic commerce applications, consumer values should be respected when developing requirements and privacy policy. IT professionals need to be able to develop proper privacy policies and then apply the corresponding system requirements. Policies and requirements both express desire and worth. However, they differ in three main ways: the scope of policies is broader, policies are inevitably more charged with societal values and more open-ended than requirements. Scenarios can be applied to both strategic (long-term) and tactical (short-term) goals. It is important to align IT requirements and privacy policy; first step is to articulate what strategic goals the policies actually support. Site's privacy policies are not always consistent of their practices. These things need to be more in alignment.
Notes:
Use-cases - narratives that illustrate actual or desired sequences of satisfactory events
?s: teleology - ?
[Far00] K. Farmer. "A Taxonomy for Internet Privacy Goal Mining." 2000.
Abstract: Goal mining - extraction of goals from data sources. Optative goals - goals related to the desired protection of consumer privacy rights; what they want to do. Indicative goals - goals related to existing threats to consumer privacy; what they want to keep out. An interesting trend is not all sites have a goal related to notice/awareness. This means in their privacy policy they are not fully informing people of their intent about privacy. Also, sites do not have goals about access/participation. They do not state whether disclosing PII is required to use their sight.
Notes:
This is a tool to help with security and privacy for e-commerce applications.
PII - personally identifiable information
?s: