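@comment{BLO_SAC09 -- Breaux, Lewis, Otto, Anton, SAC 2009.
  Exploratory case study that mines U.S. criminal court records (complaints,
  indictments, plea agreements, verdicts) for legal/security vulnerabilities
  that surfaced only after deployment, and derives mitigating requirements
  with sequence diagrams, misuse cases and KAOS goal models (HIPAA and SOX
  systems as examples). Useful as a source-of-evidence reference for
  threat-modelling and requirements work.
  Field notes: names are stored in "Last, First" form so the style can
  abbreviate; "affiliation", "location", "abstract" and "keywords" are not
  standard BibTeX fields and are silently ignored by classic .bst styles but
  kept for reference managers; "address" is the publisher's city, the
  conference venue lives in "location" (under biblatex "location" would
  instead mean publisher city -- move the venue to "venue" if migrating);
  "pages" uses the double hyphen so the range renders as an en dash.}
@inproceedings{BLO_SAC09,
  author      = {Breaux, Travis D. and Lewis, Jonathan D. and Otto, Paul N. H. and Anton, Annie I.},
  affiliation = {North Carolina State University},
  title       = {Identifying Vulnerabilities and Critical Requirements Using Criminal Court Proceedings},
  booktitle   = {Proc. 24th {ACM/SIGAPP} Symposium on Applied Computing ({ACM} {SAC'09})},
  location    = {Honolulu, HI, USA},
  year        = {2009},
  month       = mar,
  pages       = {355--359},
  publisher   = {ACM Press},
  address     = {New York, NY, USA},
  abstract    = {Information systems governed by laws and regulations are subject to both civil and criminal violations. In the United States, these violations are documented in court records, such as complaints, indictments, plea agreements, and verdicts, which constitute a source of real-world software vulnerabilities. This paper reports on an exploratory case study to identify legal vulnerabilities and provides guidance to practitioners in the analysis of court documents. As legal violations occur after system deployment, court records reveal vulnerabilities that were likely overlooked during software development. We evaluate the effectiveness of established requirements engineering techniques, including sequence and misuse case diagrams and goal models, as applied to criminal court records to identify mitigating requirements. In a sustainable world, these techniques, when properly applied, can help organizations focus their risk-management efforts on emerging vulnerabilities. We illustrate our analysis using criminal indictments involving two separate systems governed by the U.S., Health Insurance Portability and Accountability Act (HIPAA) and U.S. Sarbanes-Oxley Act (SOX).},
  keywords    = {sequence diagram, misuse case, KAOS, goals, vulnerability, security, privacy},
}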