The Use of Goals to Extract Privacy and Security Requirements from Policy Statements

This paper addresses the use of goals to extract non-functional requirements from policy statements. Goals are important precursors to software requirements, but the process of abstracting them from security and policy policies has not been thoroughly researched. We present a summary of a goal-based approach for extracting standard security and privacy requirements from policy statements and illustrate its application to analyze 40 financial privacy policies. We present heuristics to support goal analysis, goal refinement, and the development of tool support, including the establishment of a goal repository that can be used in future goal analyses. To gain a deeper understanding of the goal set, and to identify potential conflicts and inconsistencies between goals, we used i* to model semantic relationships between goals, their actors and strategic dependencies. The goal-based process will assist software engineers in the specification of system requirements that are in alignment an organization’s policies.