Travis D. Breaux Carnegie Mellon University Travis D. Breaux
Associate Professor of Computer Science
Institute for Software Research
School of Computer Science
5000 Forbes Avenue, Pittsburgh, PA 15213
5103 Wean Hall

Links: Home | Research | Teaching | Publications | Biography | Vitae

Research Overview

Keywords: Privacy, Security, Requirements and Software Engineering; Risk and Legal Compliance

How do we ensure that information systems comply with policies, laws and social norms?

As computers and information sharing increasingly pervade our everyday lives, we need greater assurance that software can and will conform to our social and personal expectations. Policies and law serve to document expectations among multiple parties and we can use these artifacts as a blueprint to discover software requirements. This is especially true in privacy, where corporate privacy policies and privacy regulations govern a range of software applications. To improve software quality and reliability, my research addresses the challenges to aligning regulations and policies with software specifications. This includes studying:

  1. Formal languages to express policies and system requirements, and tools to reason about conflicts, inconsistencies and ambiguities within and among policies and software specifications;
  2. Methods to enable requirements engineers, business analysts and software developers to analyze and refine policy into measurable system specifications that can be monitored over time; and
  3. Communities of practice that include diverse backgrounds, viewpoints and expertise, including law, computer science, government, industry and the public.

To learn more, read about my ongoing research projects or contact me.

Recent Events
11 May 2017 Hibshi had her paper, entitled "Reinforcing Security Requirements with Multifactor Quality Measurement," and Evans, Bhatia and Wadkar had their paper, entitled "An Evaluation of Constituency-based Hyponymy Extraction from Privacy Policies," both accepted to IEEE RE'17.
10 Feb 2017 Bhatia had her ACM TOSEM paper, entitled Privacy Goal Mining through Hybridized Task Re-composition, invited for presentation at ICSE 2017 in Buenos Aires, Argentina.
27 Sep 2016 Hibshi, Breaux and Wagner had their paper, entitled "Improving Security Requirements Adequacy," accepted to the IEEE SSCI'16 symposium.
19 May 2016 Bhatia, Breaux, Reidenberg and Norton had their paper, entitled "A Theory of Vagueness and Privacy Risk Perception," accepted to the IEEE RE'16 conference, and nominated for best paper! The law version of this paper received an Honorable Mention for the Privacy Papers for Policy Makers Award, and the draft journal version was presented at the 2017 Privacy Law Scholars Conference.
15 Sep 2016 Breaux, Vail and Antón's 2006 RE paper, entitled "Towards Regulatory Compliance: Extracting Rights and Obligations to Align Requirements with Regulations," receives Honorable Mention for 2016 IEEE RE Most Influential Paper Award (Press Release).
15 Dec 2015 Breaux and UT San Antonio collaborators Rocky Slavin et al. had their paper on checking mobile apps for privacy policy violations accepted to ICSE 2016. Check out their tool online, here.
27 Jul 2015 Breaux invited to be IEEE 2016 RE:Next! PC co-chair with Anna Perini (see the Call for Papers).
10 Mar 2015 Breaux receives the prestiguous NSF CAREER award to study privacy requirements envolution across geo-political boundaries (see press release, and NSF website). See our research website for more information on our current projects.
Paper Highlights

Formal Analysis of Privacy Requirements Specifications for Multi-Tier Applications [ PDF ]
(Breaux, Rao)
In proceedings of IEEE RE'13, presents a formal language for expressing and checking privacy requirements specifications for conflicts; findings include techniques to model privacy policies and demonstration of potential conflicts among Facebook, Zynga and AOL Advertising. This conference publication was nominated for best paper.

A Cross-Domain Empirical Study and Legal Evaluation of the Requirements Water Marking Method
(Gordon, Breaux)
In Requirements Engineering J. presents an empirical method for comparing legal requirements from across multiple jurisdictions; findings include analysis of data breach notificaiton laws and requirements water marks to denote high and low standards of care. This extended journal paper is based on a prior IEEE RE'12 conference publication that was nominated for best paper (DOI).

Legally "Reasonable" Security Requirements: A 10-year FTC Retrospective [ PDF ]
(Breaux, Baumer)
In Computers and Security, 30(4): 178-193. Presents empirical results expressing a definition of legally reasonable security derived from FTC regulatory enforcement actions conducted in response to privacy violations.

Analyzing Regulatory Rules for Privacy and Security Requirements [ PDF ]
(Breaux, Antón)
In IEEE TSE, 34(1): 5-20. Presents a method to extract access rights and obligations from regulations to reduce unwanted and unlawful uses and disclosures of protected information in electronic information systems.

Legal Requirements, Compliance and Practice: An Industry Case Study in Accessibility [ PDF ]
(Breaux, Antón, Boucher, Dorfman)
In IEEE RE'08. We present preliminary results from a gap analysis on CISCO product requirements using U.S. Section 508 accessibility law; the findings include five "best practice" refinement patterns to improve regulatory harmony.

Semantic Parameterization: A Process for Modeling Domain Descriptions [ PDF ]
(Breaux, Antón, Doyle)
In ACM TOSEM, 18(2): 5. Presents a method for mapping descriptions of a domain (e.g., actors, actions, goals) to Description Logic formula. The resulting logical theory can be used to formally compare and reason about software requirements.

In the News

NIST publishes new Privacy Control Catalog in SP 800-53
(July 19, 2011)
The National Institute of Standards and Technology (NIST) proposed Appendix J to Special Publication 800-53 to aid federal information systems with satisfying critical privacy requirements. (see NIST Website).

FTC promotes Privacy by Design in new framework
(December 1, 2010)
Federal Trade Commission (FTC) proposes new privacy framework, including Do Not Track and Privacy by Design to address increasing advances in technology and complex, often invisible, data practices (see FTC Website).

SEC proposes Python as cash-flow e-file language
(April 7, 2010)
Securities Exchange Commission (SEC) proposes to require providers of asset-backed securities to file "a computer program of the contractual cash flow provisions of the securities in the form of downloadable source code in Python" (see SEC Website).

U.S. Bill S.773 proposes common security configuration language
(April 1, 2009)
Early draft of the Cybersecurity Act of 2009 proposes a "standard computer-readable language for completely specifying the configuration of software" and a standard language "to communicate vulnerability data to software users in real time," similar to the FDCC, CVE and related standards.

Calls for Papers

36th ACM/IEEE International Conference on Software Engineering (ICSE'14)
Dates: Jun 1-7, 2014, Hyderabad, India
Submissions: Sep 13, 2013 (research papers)

20th International Working Conference on Requirements Engineering: Foundations of Software Quality (REFSQ)
Dates: Apr 7-10, 2014, Essen, Germany
Submissions: Oct 9, 2013 (abstracts), Oct 16 (papers)

22nd IEEE International Requirements Engineering Conference (RE'14)
Dates: Aug 25-29, 2014, Karlskrona, Sweden
Submissions: Mar 3/ Mar 10 (abstracts/research papers)

Archives of the International Workshop on Requirements Engineering and Law (RELAW)