
A Method to Elicit Privacy Requirements and Build Privacy Assurance Cases for Privacy Friendly System


  • 조주혜 (Department of Software Specialization, Ajou University) ;
  • 이석원 (Department of Software, Ajou University)
  • Received : 2017.04.03
  • Accepted : 2017.07.11
  • Published : 2017.09.15

Abstract

Recently, the spread of smartphones and various wearable devices has led to increases in the accumulation and usage of personal information. As a result, privacy protection has become an issue. Even though there have been studies and efforts to improve legal and technological security measures for protecting privacy, personal information leakage accidents still occur. Rather than on privacy requirements, analysts mostly focus on the implementation of security technology within software development. Previous studies of security requirements strongly focused on supplementing the basic principles and laws for privacy protection, or on securing privacy requirements without understanding the relationship between privacy and security. As a result, personal information infringement occurs continuously despite the development of security technologies and the revision of the Personal Information Protection Act. Therefore, we need a method for eliciting privacy requirements based on related privacy protection laws that is applicable to software development. We also should clearly specify the relationship between privacy and security. This study aims to elicit privacy requirements and create privacy assurance cases for Privacy Friendly System development.

With the spread of smartphones and wearable devices, the accumulation and use of personal information has increased, and privacy protection has become an issue. Accordingly, various security technologies for protecting personal information are being researched and developed, and related laws are being revised, but personal information leakage incidents still occur. This is because, at the requirements specification stage, only security requirements are specified while privacy requirements are not clearly defined, so software development concentrates on implementing security technology. In other words, existing studies focus either on eliciting security requirements without considering the relationship between privacy and security, or on supplementing the principles and laws for privacy protection. Therefore, a method is needed that elicits privacy requirements applicable to software development on the basis of law and that clearly specifies the relationship between privacy and security. In this study, we verify and elicit the privacy requirements needed to build a privacy-friendly system, and we express the relationship between security and privacy by writing privacy assurance cases.

Acknowledgement

Supported by: National Research Foundation of Korea (한국연구재단)
