Keywords: Requirements and Software Engineering; Risk and Legal Compliance; Accessibility, Privacy and Security

As computers and information sharing increasingly pervade our everyday lives, we need greater assurances that software can and will conform to the rules and expectations by which we live and govern ourselves. My research addresses the challenges to aligning laws, regulations and policies with software specifications. This includes the study of:

1. Formal languages to express policies and system requirements and tools to reason about conflicts, inconsistencies and ambiguities within and among different policies;
2. Methods to enable business analysts and software developers to deconstruct and refine policy into measurable system specifications that can be monitored over time; and
3. Communities of practice that include diverse backgrounds, viewpoints and expertise, including law, computer science, government, industry and the public.

To learn more, read about my ongoing research projects or contact me.

NIST updates SP 800-53 with new Privacy Control Catalog
(July 19, 2011)
The National Institute of Standards and Technology (NIST) proposed Appendix J to Special Publication 800-53 to aid federal information systems with satisfying critical privacy requirements. (see NIST Website).

FTC promotes Privacy by Design in new framework
(December 1, 2010)
Federal Trade Commission (FTC) proposes new privacy framework, including Do Not Track and Privacy by Design to address increasing advances in technology and complex, often invisible, data practices (see FTC Website).

SEC proposes Python as cash-flow e-file language
(April 7, 2010)
Securities Exchange Commission (SEC) proposes to require providers of asset-backed securities to file "a computer program of the contractual cash flow provisions of the securities in the form of downloadable source code in Python" (see SEC Website).

U.S. Bill S.773 proposes common security configuration language
(April 1, 2009)
Early draft of the Cybersecurity Act of 2009 proposes a "standard computer-readable language for completely specifying the configuration of software" and a standard language "to communicate vulnerability data to software users in real time," similar to the FDCC, CVE and related standards.

33rd IEEE Symposium on Security and Privacy (IEEE S&P)
Dates: May 18-25, 2012, Oakland, California
Submissions: Nov 16 (research papers)

20th IEEE International Requirements Engineering Conference (RE'12)
Dates: Sep 24-28, 2012, Chicago, Illinois
Submissions: Mar 5 (research papers)

Archives of the International Workshop on Requirements Engineering and Law (RELAW)

Legally "Reasonable" Security Requirements: A 10-year FTC Retrospective [ PDF ]
(Breaux, Baumer)
In Computers and Security, 30(4): 178-193. Presents empirical results expressing a definition of legally reasonable security derived from FTC regulatory enforcement actions conducted in response to privacy violations.

Analyzing Regulatory Rules for Privacy and Security Requirements [ PDF ]
(Breaux, Antón)
In IEEE TSE, 34(1): 5-20. Presents a method to extract access rights and obligations from regulations to reduce unwanted and unlawful uses and disclosures of protected information in electronic information systems.

Legal Requirements, Compliance and Practice: An Industry Case Study in Accessibility [ PDF ]
(Breaux, Antón, Boucher, Dorfman)
Accepted to the IEEE RE-08. We present preliminary results from a gap analysis on CISCO product requirements using U.S. Section 508 accessibility law; the findings include five "best practice" refinement patterns to improve regulatory harmony.

Semantic Parameterization: A Process for Modeling Domain Descriptions [ PDF ]
(Breaux, Antón, Doyle)
In ACM TOSEM, 18(2): 5. Presents a method for mapping descriptions of a domain (e.g., actors, actions, goals) to Description Logic formula. The resulting logical theory can be used to formally compare and reason about software requirements.