Keywords: Privacy, Security, Requirements and Software Engineering;
Risk and Legal Compliance
Dr. Breaux is the Director of the CMU Requirements Engineering Lab, where his research program investigates how to specify and design software to comply with policy and law in a trustworthy, reliable manner. His work historically concerned the empirical extraction of legal requirements from policies and law, and has recently studied how to use formal specifications to reason about privacy policy compliance, how to measure and reason over ambiguous and vague policies, and how security and privacy experts and novices estimate the risk of system designs.
To learn more, read about his ongoing research projects or contact him.
19 Oct 2022 |
Breaux and Norton published paper on Legal Accountability as Software Quality in IEEE RE 2022, which informs their new joint NSF-funded project.
|
29 Jun 2022 |
Breaux's joint paper Consent Verification Monitoring, in collaboration with Marco Robol, Elda Paja and Paolo Giogini, appears in ACM TOSEM. The paper provides a provable guarantee that data colleciton and use does not violate GDPR consent under multiple, overlapping and changing privacy policies.
|
1 Apr 2019 |
Breaux appointed Director of the Masters of Software Engineering (MSE) Professional Programs. The MSE programs have a 30-year history and were the first masters degrees offered in the CMU School of Computer Science.
|
8 Jan 2019 |
Breaux and Bhatia introduce their new course 17-649 Artificial Intelligence for Software Engineering offered in Spring and Fall 2019
|
23 Aug 2018 |
Bhatia and Breaux received the RE 2018 Distinguished Paper Award for their paper, entitled Semantic Incompleteness in Privacy Goals
|
1 Aug 2018 |
Bhatia and Breaux had their paper, entitled Empirical Measurement of Privacy Risk, accepted to ACM Transactions on Human Computer Interaction (TOCHI). A pre-publication version of this work was presented at the 2018 Federal Trade Commission (FTC) PrivacyCon
|
30 May 2018 |
Breaux receives Distinguished Reviewer Award for his service to ICSE 2018.
|
7 May 2018 |
Breaux joined the Editorial Board of the ACM Transactions on Software Engineering Methology (TOSEM) |
15 Sep 2016 |
Breaux, Vail and Antón's 2006 RE paper, entitled "Towards Regulatory Compliance: Extracting Rights and Obligations to Align Requirements with Regulations," receives Honorable Mention for 2016 IEEE RE Most Influential Paper Award (Press Release).
|
Formal Analysis of Privacy Requirements Specifications for Multi-Tier Applications [ PDF ]
(Breaux, Rao)
In proceedings of IEEE RE'13,
presents a formal language for expressing and checking privacy requirements specifications for conflicts;
findings include techniques to model privacy policies and demonstration of potential conflicts among Facebook, Zynga and AOL Advertising. This conference publication was nominated for best paper.
A Cross-Domain Empirical Study and Legal Evaluation of the Requirements Water Marking Method
(Gordon, Breaux)
In Requirements Engineering J.
presents an empirical method for comparing legal requirements from across multiple jurisdictions;
findings include analysis of data breach notificaiton laws and requirements water marks to denote high and low standards of care. This extended journal paper is based on a prior IEEE RE'12 conference publication that was nominated for best paper (DOI).
Legally "Reasonable" Security Requirements: A 10-year FTC Retrospective
[ PDF ]
(Breaux, Baumer)
In Computers and Security,
30(4): 178-193. Presents empirical results expressing a definition of legally reasonable security
derived from FTC regulatory enforcement actions conducted in response to privacy violations.
Analyzing Regulatory Rules for Privacy and Security Requirements
[ PDF ]
(Breaux, Antón)
In IEEE TSE,
34(1): 5-20. Presents a method to extract access rights and obligations from
regulations to reduce unwanted and unlawful uses and disclosures of protected
information in electronic information systems.
Legal Requirements, Compliance and Practice: An Industry Case Study in Accessibility
[ PDF ]
(Breaux, Antón, Boucher, Dorfman)
In IEEE RE'08.
We present preliminary results from a gap analysis on CISCO product requirements
using U.S. Section 508 accessibility law; the findings include five "best
practice" refinement patterns to improve regulatory harmony.
Semantic Parameterization: A Process for Modeling Domain Descriptions
[ PDF ]
(Breaux, Antón, Doyle)
In ACM TOSEM, 18(2): 5.
Presents a method for mapping descriptions of a domain (e.g., actors, actions, goals)
to Description Logic formula. The resulting logical theory can be used to formally
compare and reason about software requirements.
NIST publishes new Privacy Control Catalog in SP 800-53
The National Institute of Standards and Technology (NIST) proposed Appendix J to Special
Publication 800-53 to aid federal information systems with satisfying critical
privacy requirements. (see
NIST Website).
FTC promotes Privacy by Design in new framework
Federal Trade Commission (FTC) proposes new privacy framework, including Do Not Track
and Privacy by Design to address increasing advances in technology and complex, often
invisible, data practices (see
FTC Website).
SEC proposes Python as cash-flow e-file language
Securities Exchange Commission (SEC) proposes to require providers of asset-backed
securities to file "a computer program of the contractual cash flow provisions of
the securities in the form of downloadable source code in Python" (see
SEC Website).
U.S. Bill S.773 proposes common security configuration language
Early draft of the Cybersecurity Act of 2009 proposes a "standard computer-readable
language for completely specifying the configuration of software" and a standard language
"to communicate vulnerability data to software users in real time," similar to the
FDCC,
CVE and related
standards.
36th ACM/IEEE International Conference on Software Engineering (ICSE'14)
Dates: Jun 1-7, 2014, Hyderabad, India
Submissions: Sep 13, 2013 (research papers)
20th International Working Conference on Requirements Engineering: Foundations of Software Quality (REFSQ)
Dates: Apr 7-10, 2014, Essen, Germany
Submissions: Oct 9, 2013 (abstracts), Oct 16 (papers)
22nd IEEE International Requirements Engineering Conference (RE'14)
Dates: Aug 25-29, 2014, Karlskrona, Sweden
Submissions: Mar 3/ Mar 10 (abstracts/research papers)
Archives of the International Workshop on Requirements Engineering and Law (RELAW)
|