Privacy and security regulations are a major challenge for engineering privacy and security in software systems. This is because the directives are often specified abstractly for a wide audience, which makes it difficult to measure information disclosure risk intuitively. From a software engineering perspective, these regulations can sometimes be ambiguous and open to multiple interpretations. Sometimes, these regulations are not developed with software engineering in mind. This makes it difficult for system engineers to translate privacy requirements from legal texts into concrete and verifiable software requirements. It also makes legal compliance, and monitoring systems for compliance, a challenge in software engineering [1,2]. If software engineers are saddled with the ultimate responsibility for privacy-preserving design, then there should be techniques and solutions that act as a middleman for interpreting privacy regulations of end-users into systematic and analytic lines of action to achieve such privacy. In an era where privacy regulatory compliance is key, organisations require such middleman technology to mitigate the risk of a violation. This research deals with the challenge of connecting privacy and security regulations with software engineering, with a vision for assisting privacy engineers in designing secure and privacy-preserving systems that are regulation-compliant and adjustable to measurement metrics such as consistency, completeness, utility, and evolution in privacy legislation.
Different tools, techniques and methods have been provided to help technology-based organizations and software engineers minimise risk related to regulatory compliance through privacy and security-by-design. The goal of such tools and techniques is to provide models, patterns and frameworks to elicit and manage privacy and security requirements from laws and regulations. The common denominator amongst the approaches is the recognition that the concepts and terminologies used in requirements engineering are different from those used in legal texts. One of the core activities in software systems requirements engineering is eliciting requirements. Eliciting legally compliant requirements for developing privacy-aware and privacy-preserving systems is a necessary task. Different methods and tools have been provided for eliciting requirements for legally compliant software based on the relevant data protection laws and legislation. However, the completeness, consistency, robustness to the evolution of privacy legislation and utility of the proposed approaches remain a challenging research problem. This project aims to propose and verify techniques for interoperable standards for eliciting software requirements from legal texts.
The research questions that drive the objectives of this project are:
RQ1: What are the required metrics for addressing legal requirements in requirements engineering?
RQ2: How can the privacy requirement of end-users be translated into concrete and verifiable evidence technology using privacy regulations?
RQ3: Given a legal text relevant to information security for analysis, to what extent can the elicited software requirements specification be operationalized such that it is consistent, complete, robust to evolving legislation and verifiable?
RQ4: What are the criteria for measuring requirements satisfaction, understanding requirement violations and the usability of specification languages?
This project will span Artificial Intelligence, Software Engineering and Security. In this PhD project, a tool will be built to demonstrate how the framework's processes and output assist software architects in engineering privacy-preserving software systems and regulatory compliance by using different privacy laws as input.
Project Key Words: Security and Privacy; Requirements Engineering; Software Requirements; Privacy and Security Requirements; Artificial Intelligence; Legal Compliance; Natural Language Processing; Machine Learning.
Start Date: 01/10/22
Application Closing date: 28/02/22
For further information about eligibility criteria please refer to the DfE Postgraduate Studentship Terms and Conditions 2021-22 at https://go.qub.ac.uk/dfeterms
Applicants should apply electronically through the Queen’s online application portal at: https://dap.qub.ac.uk/portal/
A minimum 2.1 honours degree or equivalent in Computer Science or Electrical and Electronic Engineering or a relevant degree is required.
This three-year studentship, for full-time PhD study, is potentially funded by the Department for the Economy (DfE) and commences on 1 October 2022. For UK domiciled students the value of an award includes the cost of approved tuition fees as well as maintenance support (Fees £4,500 pa and Stipend rate £15,609 pa - 2022-23 rates to be confirmed). To be considered eligible for a full DfE studentship award you must have been ordinarily resident in the United Kingdom for the full three-year period before the first day of the first academic year of the course.
For candidates who do not meet the above residency requirements, a small number of international studentships may be available from the School. These are expected to be highly competitive, and a selection process will determine the strongest candidates across a range of School projects, who may then be offered funding for their chosen project.