Nadzeya Kiyavitskaya,Nicola Zeni,Travis D. Breaux,Annie I. Antón,James R. Cordy,Luisa Mich,John Mylopoulos

DOI: https://doi.org/10.1007/978-3-540-87877-3_13

2008-01-01

Abstract:Government regulations are increasingly affecting the security, privacy and governance of information systems in the United States, Europe and elsewhere. Consequently, companies and software developers are required to ensure that their software systems comply with relevant regulations, either through design or re-engineering. We previously proposed a methodology for extracting stakeholder requirements, called rights and obligations, from regulations. In this paper, we examine the challenges to developing tool support for this methodology using the Cerno framework for textual semantic annotation. We present the results from two empirical evaluations of a tool called “Gaius T.” that is implemented using the Cerno framework and that extracts a conceptual model from regulatory texts. The evaluation, carried out on the U.S. HIPAA Privacy Rule and the Italian accessibility law, measures the quality of the produced models and the tool’s effectiveness in reducing the human effort to derive requirements from regulations.

Xing Hu,Zhipeng Gao,Xin Xia,David Lo,Xiaohu Yang

DOI: https://doi.org/10.1109/ase51524.2021.9678552

2021-01-01

Abstract:Smart contracts have obtained much attention and are crucial for automatic financial and business transactions. For end-users who have never seen the source code, they can read the user notice shown in end-user client to understand what a transaction does of a smart contract function. However, due to time constraints or lack of motivation, user notice is often missing during the development of smart contracts. For end-users who lack the information of the user notices, there is no easy way for them to check the code semantics of the smart contracts. Thus, in this paper, we propose a new approach SMARTDOC to generate user notice for smart contract functions automatically. Our tool can help end-users better understand the smart contract and aware of the financial risks, improving the users' confidence on the reliability of the smart contracts. SMARTDOC exploits the Transformer to learn the representation of source code and generates natural language descriptions from the learned representation. We also integrate the Pointer mechanism to copy words from the input source code instead of generating words during the prediction process. We extract 7,878 (function, notice) pairs from 54,739 smart contracts written in Solidity. Due to the limited amount of collected smart contract functions (i.e., 7,878 functions), we exploit a transfer learning technique to utilize the learned knowledge to improve the performance of SMARTDOC. The learned knowledge obtained by the pre-training on a corpus of Java code, that has similar characteristics as Solidity code. The experimental results show that our approach can effectively generate user notice given the source code and significantly outperform the state-of-the-art approaches. To investigate human perspectives on our generated user notice, we also conduct a human evaluation and ask participants to score user notice generated by different approaches. Results show that SMARTDOC outperforms baselines from three aspects, naturalness, informativeness, and similarity.

Travis D. Breaux,Matthew W. Vail,Annie I. Antón,T.D. Breaux,M.W. Vail,A.I. Anton

DOI: https://doi.org/10.1109/re.2006.68

2006-09-01

Abstract:In the United States, federal and state regulations prescribe stakeholder rights and obligations that must be satisfied by the requirements for software systems. These regulations are typically wrought with ambiguities, making the process of deriving system requirements ad hoc and error prone. In highly regulated domains such as healthcare, there is a need for more comprehensive standards that can be used to assure that system requirements conform to regulations. To address this need, we expound upon a process called Semantic Parameterization previously used to derive rights and obligations from privacy goals. In this work, we apply the process to the Privacy Rule from the U.S. Health Insurance Portability and Accountability Act (HIPAA). We present our methodology for extracting and prioritizing rights and obligations from regulations and show how semantic models can be used to clarify ambiguities through focused elicitation and to balance rights with obligations. The results of our analysis can aid requirements engineers, standards organizations, compliance officers, and stakeholders in assuring systems conform to policy and satisfy requirements.

Catherine Sai,Shazia Sadiq,Lei Han,Gianluca Demartini,Stefanie Rinderle-Ma

2024-01-02

Abstract:Organizations face the challenge of ensuring compliance with an increasing amount of requirements from various regulatory documents. Which requirements are relevant depends on aspects such as the geographic location of the organization, its domain, size, and business processes. Considering these contextual factors, as a first step, relevant documents (e.g., laws, regulations, directives, policies) are identified, followed by a more detailed analysis of which parts of the identified documents are relevant for which step of a given business process. Nowadays the identification of regulatory requirements relevant to business processes is mostly done manually by domain and legal experts, posing a tremendous effort on them, especially for a large number of regulatory documents which might frequently change. Hence, this work examines how legal and domain experts can be assisted in the assessment of relevant requirements. For this, we compare an embedding-based NLP ranking method, a generative AI method using GPT-4, and a crowdsourced method with the purely manual method of creating relevancy labels by experts. The proposed methods are evaluated based on two case studies: an Australian insurance case created with domain experts and a global banking use case, adapted from SAP Signavio's workflow example of an international guideline. A gold standard is created for both BPMN2.0 processes and matched to real-world textual requirements from multiple regulatory documents. The evaluation and discussion provide insights into strengths and weaknesses of each method regarding applicability, automation, transparency, and reproducibility and provide guidelines on which method combinations will maximize benefits for given characteristics such as process usage, impact, and dynamics of an application scenario.

Computation and Language,Artificial Intelligence

Shabnam Hassani,Mehrdad Sabetzadeh,Daniel Amyot,Jain Liao

2024-04-23

Abstract:As software-intensive systems face growing pressure to comply with laws and regulations, providing automated support for compliance analysis has become paramount. Despite advances in the Requirements Engineering (RE) community on legal compliance analysis, important obstacles remain in developing accurate and generalizable compliance automation solutions. This paper highlights some observed limitations of current approaches and examines how adopting new automation strategies that leverage Large Language Models (LLMs) can help address these shortcomings and open up fresh opportunities. Specifically, we argue that the examination of (textual) legal artifacts should, first, employ a broader context than sentences, which have widely been used as the units of analysis in past research. Second, the mode of analysis with legal artifacts needs to shift from classification and information extraction to more end-to-end strategies that are not only accurate but also capable of providing explanation and justification. We present a compliance analysis approach designed to address these limitations. We further outline our evaluation plan for the approach and provide preliminary evaluation results based on data processing agreements (DPAs) that must comply with the General Data Protection Regulation (GDPR). Our initial findings suggest that our approach yields substantial accuracy improvements and, at the same time, provides justification for compliance decisions.

Software Engineering

Gokul Rejithkumar,P. Anish,S. Ghaisas

DOI: https://doi.org/10.1109/RE59067.2024.00037

2024-06-24

Abstract:Software Engineering (SE) contracts play a pivotal role in Information Technology Outsourcing (ITO) projects. The obligations in SE contracts are known to be a useful source for deriving software requirements, thereby contributing to the overall Software Development Life Cycle (SDLC). Making sense of contractual obligations is an important first step in successfully executing software projects. This includes building compliant systems, meeting delivery deadlines, avoiding heavy penalties, and steering clear of expensive litigations. In this work, we present an approach to capture the essence of a contractual clause by extracting its Contracts Grammar. Through an exploratory study, we first identify the constituents of Contracts Grammar. Subsequently, we experiment with multiple approaches for the automated extraction of these constituents, including extractive question-answering, token classification, text-to-text generation, prompting, and regular expressions. The question-answering based approach performed the best in terms of high average ROUGE-L score of 0.81, and faster inference times. The work presented in this paper is a part of the Contracts Governance System (CGS) and is in the process of deployment within a large IT vendor organization.

Computer Science

Barbara Gallina,Gergő László Steierhoffer,Thomas Young Olesen,Eszter Parajdi,Mike Aarup

DOI: https://doi.org/10.1002/smr.2728

2024-09-01

Journal of Software Evolution and Process

Abstract:An ontology for mastering the cognitive complexity of the compliance problem, when heterogeneous and geographically distributed knowledge‐driven organizational structures (legal department, standardization department, etc.) need to communicate. We provide (1) an illustration of the usefulness of our ontology in the context of pumps manufacturing and safety process compliance with the Machinery Directive andharmonized standards; (2) a set of competency questions that translate competencies within the departments; and (3) a set of queries that retrieve answers to the questions and populate a justification for compliance, generated by instantiating a novel argumentation pattern. Legislations impose requirements on the manufacturing of machinery. Typically, these requirements are interpreted and refined by (domain‐specific) technical committees and published in terms of standards. At the company level, these refined requirements are further interpreted, refined, and documented in terms of internal processes. Due to the proliferation of (interdependent) legislations and standards and the consequent increase of the cognitive complexity, at the company level, manual knowledge management is becoming more and more challenging and requires automated decision support. Despite the availability of approaches aimed at automating the decision support, no one offers a satisfactory solution. In this paper, we focus on knowledge management for process compliance and we propose a novel structured ontology. Our ontology aims at mastering (by dividing and conquering via tracing) the cognitive complexity of the compliance problem, when heterogeneous and sometimes geographically distributed knowledge‐driven organizational structures (legal department, standardization department, etc.) are involved and need to communicate. We also illustrate the potential usefulness of our proposed ontology in the context of pumps manufacturing and safety process compliance with the Machinery Directive and related harmonized standards including EN 809:1998+A1. Specifically, first, we identify the competencies that characterize departments and interdepartment interactions, then we formulate an initial set of competency questions that translate those identified competencies, then we show how the ontology can be exploited to retrieve the answers to the questions and how the answers can be exploited to build a justification for compliance. Precisely, we propose an argumentation pattern given in two different argumentation notations, and we show how it can be partly instantiated by exploiting the returned answers. The illustration also partly covers the compliance with the Machinery Regulation, expected to replace the Machinery Directive by January 2027. Finally, we sketch our intended future work.

computer science, software engineering

Giampaolo Bella,Gianpietro Castiglione,Daniele Francesco Santamaria

2023-06-30

Abstract:Large documents written in juridical language are difficult to interpret, with long sentences leading to intricate and intertwined relations between the nouns. The present paper frames this problem in the context of recent European security directives. The complexity of their language is here thwarted by automating the extraction of the relevant information, namely of the parts of speech from each clause, through a specific tailoring of Natural Language Processing (NLP) techniques. These contribute, in combination with ontology development principles, to the design of our automated method for the representation of security directives as ontologies. The method is showcased on a practical problem, namely to derive an ontology representing the NIS 2 directive, which is the peak of cybersecurity prescripts at the European level. Although the NLP techniques adopted showed some limitations and had to be complemented by manual analysis, the overall results provide valid support for directive compliance in general and for ontology development in particular.

Artificial Intelligence,Computation and Language

Davide Pasetto,Hubertus Franke,Weihong Qian,Zhili Guo,Honglei Guo,Dongxu Duan,Yuan Ni,Yingxin Pan,Shenghua Bao,Feng Cao,Zhong Su

DOI: https://doi.org/10.1145/2482767.2482798

2013-01-01

Abstract:Governance, Risk Management and Compliance are key success factors for corporations. Every company worldwide must ensure a proper compliance level with current and future laws and regulations, but managing the dynamic nature of the regulatory environment is a challenge, for both small and medium business as well as large corporations. Specifically the challenge is knowing and interpreting which regulations impact a particular business. Governments and standard bodies keep producing new, revised legislation, and businesses today rely on employees and consultants for tracking and understanding impact on their operations. This paper introduces a novel prototype solution that addresses these concerns through the use of advanced text analytics. In particular the system is able to discover sources of regulatory content on the world wide web, track the changes to these regulations, extract metadata and semantic information and use these to provide a semantically guided comparison of regulation versions. Moreover, by leveraging the IBM DeepQA architecture, the solution is able to cross reference business objectives with the regulatory database and provide insights about the impact of new and revised laws on a company's business.

Hugo A. López,Søren Debois,Tijs Slaats,Thomas T. Hildebrandt

DOI: https://doi.org/10.1007/978-3-030-45234-6_19

2020-01-01

Abstract:Legal compliance is an important part of certifying the correct behaviour of a business process. To be compliant, organizations might hard-wire regulations into processes, limiting the discretion that workers have when choosing what activities should be executed in a case. Worse, hard-wired compliant processes are difficult to change when laws change, and this occurs very often. This paper proposes a model-driven approach to process compliance and combines a) reference models from laws, and b) business process models. Both reference and process models are expressed in a declarative process language, The Dynamic Condition Response (DCR) graphs. They are subject to testing and verification, allowing law practitioners to check consistency against the intent of the law. Compliance checking is a combination of alignments between events in laws and events in a process model. In this way, a reference model can be used to check different process variants. Moreover, changes in the reference model due to law changes do not necessarily invalidate existing processes, allowing their reuse and adaptation. We exemplify the framework via the alignment of laws and business rules and a real contract change management process, Finally, we show how compliance checking for declarative processes is decidable, and provide a polynomial time approximation that contrasts NP complexity algorithms used in compliance checking for imperative business processes. All-together, this paper presents technical and methodological steps that are being used by legal practitioners in municipal governments in their efforts towards digitalization of work practices in the public sector.

Guido Governatori

DOI: https://doi.org/10.48550/arXiv.1403.6865

2014-03-27

Abstract:In this paper we propose an ITC (Information and Communication Technology) approach to support regulatory compliance for business processes, and we report on the development and evaluation of a business process compliance checker called Regorous, based on the compliance-by-design methodology proposed by Governatori and Sadiq

Software Engineering,Computers and Society

Daniel Gorín,Sergio Mera,Fernando Schapachnik

DOI: https://doi.org/10.48550/arXiv.1109.2658

2011-09-13

Computers and Society

Abstract:Although many attempts at automated aids for legal drafting have been made, they were based on the construction of a new tool, completely from scratch. This is at least curious, considering that a strong parallelism can be established between a normative document and a software specification: both describe what an entity should or should not do, can or cannot do. In this article we compare normative documents and software specifications to find out their similarities and differences. The comparison shows that there are distinctive particularities, but they are restricted to a very specific subclass of normative propositions. The rest, we postulate, can be dealt with software tools. For such an enterprise the \FormaLex tool set was devised: an LTL-based language and companion tools that utilize model checking to find out normative incoherences in regulations, contracts and other legal documents. A feature-rich case study is analyzed with the presented tools.

Charalampos Alexopoulos,Euripidis Loukis,Shefali Virkar

DOI: https://doi.org/10.1007/s13132-023-01415-5

IF: 1.815

2023-07-07

Journal of the Knowledge Economy

Abstract:It is widely recognized that legislation is of critical importance for the proper functioning of economies and societies. However, the increasing complexity of the problems and challenges faced by modern economies and societies have resulted in the development of extensive, highly complex, and continuously evolving legislations. This makes it difficult for firms and administrations, as well as individual lawyers and public servants, to know the current applicable legislation on a particular topic of interest, as well as its evolution over time. This difficulty increases further due to the internationalization–globalization of economic activity, as well as the development of supranational organizations (such as the European Union (EU)), which make it necessary to continuously monitor legislations of several countries on various topics of interest. Existing national legal information platforms cannot satisfy the above highly complex requirements. This paper contributes to filling this gap, initially by describing the architecture and the capabilities/functionalities of an advanced "international" legal information platform, which has been developed as part of the European research program "ManyLaws," based on requirements collected through interviews with lawyers and public servants; it enables the advanced search and retrieval of relevant legal documents on a particular topic of interest from within the legislative corpuses of many different countries, as well as EU legislation, using existing sources of open legal information, and also the automated comparative analysis of them and identification of various types of relations among them. The evaluation of this advanced legal information platform, using an extension of the Technology Acceptance Model (TAM), provides evidence of the usefulness and the ease of use of its novel functionalities, as well as their positive contribution to the productivity of both national-level legal work and international-level legal work, especially within the EU. The proposed advanced legal information platform can be quite useful for firms and administrations, as well as individual lawyers and public servants, active in the modern globalized economic context.

economics

Xusheng Xiao,Amit M. Paradkar,Suresh Thummalapenta,Tao Xie

DOI: https://doi.org/10.1145/2393596.2393608

2012-01-01

Abstract:ABSTRACTAccess Control Policies (ACP) specify which principals such as users have access to which resources. Ensuring the correctness and consistency of ACPs is crucial to prevent security vulnerabilities. However, in practice, ACPs are commonly written in Natural Language (NL) and buried in large documents such as requirements documents, not amenable for automated techniques to check for correctness and consistency. It is tedious to manually extract ACPs from these NL documents and validate NL functional requirements such as use cases against ACPs for detecting inconsistencies. To address these issues, we propose an approach, called Text2Policy, to automatically extract ACPs from NL software documents and resource-access information from NL scenario-based functional requirements. We conducted three evaluations on the collected ACP sentences from publicly available sources along with use cases from both open source and proprietary projects. The results show that Text2Policy effectively identifies ACP sentences with the precision of 88.7% and the recall of 89.4%, extracts ACP rules with the accuracy of 86.3%, and extracts action steps with the accuracy of 81.9%.

Shuang Liu,Baiyang Zhao,Renjie Guo,Guozhu Meng,Fan Zhang,Meishan Zhang

DOI: https://doi.org/10.1145/3442381.3450022

2021-04-19

Abstract:With the rapid development of web and mobile applications, as well as their wide adoption in different domains, more and more personal data is provided, consciously or unconsciously, to different application providers. Privacy policy is an important medium for users to understand what personal information has been collected and used. As data privacy protection is becoming a critical social issue, there are laws and regulations being enacted in different countries and regions, and the most representative one is the EU General Data Protection Regulation (GDPR). It is thus important to detect compliance issues among regulations, e.g., GDPR, with privacy policies, and provide intuitive results for data subjects (i.e., users), data collection party (i.e., service providers) and the regulatory authorities. In this work, we target to solve the problem of compliance analysis between GDPR (Article 13) and privacy policies. We format the task into a combination of a sentence classification step and a rule-based analysis step. We manually curate a corpus of 36,610 labeled sentences from 304 privacy policies, and benchmark our corpus with several standard sentence classifiers. We also conduct a rule-based analysis to detect compliance issues and a user study to evaluate the usability of our approach. The web-based tool AutoCompliance is publicly accessible 1.

Sallam Abualhaija,Marcello Ceci,Lionel Briand

2024-02-17

Abstract:Modern software has been an integral part of everyday activities in many disciplines and application contexts. Introducing intelligent automation by leveraging artificial intelligence (AI) led to break-throughs in many fields. The effectiveness of AI can be attributed to several factors, among which is the increasing availability of data. Regulations such as the general data protection regulation (GDPR) in the European Union (EU) are introduced to ensure the protection of personal data. Software systems that collect, process, or share personal data are subject to compliance with such regulations. Developing compliant software depends heavily on addressing legal requirements stipulated in applicable regulations, a central activity in the requirements engineering (RE) phase of the software development process. RE is concerned with specifying and maintaining requirements of a system-to-be, including legal requirements. Legal agreements which describe the policies organizations implement for processing personal data can provide an additional source to regulations for eliciting legal requirements. In this chapter, we explore a variety of methods for analyzing legal requirements and exemplify them on GDPR. Specifically, we describe possible alternatives for creating machine-analyzable representations from regulations, survey the existing automated means for enabling compliance verification against regulations, and further reflect on the current challenges of legal requirements analysis.

Software Engineering,Artificial Intelligence

Francesco Sovrano,Michaël Lognoul,Alberto Bacchelli

DOI: https://doi.org/10.1145/3639475.3640112

2024-01-23

Abstract:Compliance with the European Union's Platform-to-Business (P2B) Regulation is challenging for online platforms, and assessing their compliance can be difficult for public authorities. This is partly due to the lack of automated tools for assessing the information (e.g., software documentation) platforms provide concerning ranking transparency. Our study tackles this issue in two ways. First, we empirically evaluate the compliance of six major platforms (Amazon, Bing, Booking, Google, Tripadvisor, and Yahoo), revealing substantial differences in their documentation. Second, we introduce and test automated compliance assessment tools based on ChatGPT and information retrieval technology. These tools are evaluated against human judgments, showing promising results as reliable proxies for compliance assessments. Our findings could help enhance regulatory compliance and align with the United Nations Sustainable Development Goal 10.3, which seeks to reduce inequality, including business disparities, on these platforms.

Software Engineering,Artificial Intelligence

Anna Wróblewska,Bartosz Pieliński,Karolina Seweryn,Karol Saputa,Aleksandra Wichrowska,Sylwia Sysko-Romańczuk,Hanna Schreiber

DOI: https://doi.org/10.48550/arXiv.2209.00944

2022-09-02

Computation and Language

Abstract:This paper presents research on a prototype developed to serve the quantitative study of public policy design. This sub-discipline of political science focuses on identifying actors, relations between them, and tools at their disposal in health, environmental, economic, and other policies. Our system aims to automate the process of gathering legal documents, annotating them with Institutional Grammar, and using hypergraphs to analyse inter-relations between crucial entities. Our system is tested against the UNESCO Convention for the Safeguarding of the Intangible Cultural Heritage from 2003, a legal document regulating essential aspects of international relations securing cultural heritage.

Guido Boella,Luigi Di Caro,Alice Ruggeri,Livio Robaldo

DOI: https://doi.org/10.1007/s10844-014-0320-9

2014-05-27

Journal of Intelligent Information Systems

Abstract:Nowadays, there is a huge amount of textual data coming from on-line social communities like Twitter or encyclopedic data provided by Wikipedia and similar platforms. This Big Data Era created novel challenges to be faced in order to make sense of large data storages as well as to efficiently find specific information within them. In a more domain-specific scenario like the management of legal documents, the extraction of semantic knowledge can support domain engineers to find relevant information in more rapid ways, and to provide assistance within the process of constructing application-based legal ontologies. In this work, we face the problem of automatically extracting structured knowledge to improve semantic search and ontology creation on textual databases. To achieve this goal, we propose an approach that first relies on well-known Natural Language Processing techniques like Part-Of-Speech tagging and Syntactic Parsing. Then, we transform these information into generalized features that aim at capturing the surrounding linguistic variability of the target semantic units. These new featured data are finally fed into a Support Vector Machine classifier that computes a model to automate the semantic annotation. We first tested our technique on the problem of automatically extracting semantic entities and involved objects within legal texts. Then, we focus on the identification of hypernym relations and definitional sentences, demonstrating the validity of the approach on different tasks and domains.

computer science, information systems, artificial intelligence

Harshil Darji,Jelena Mitrović,Michael Granitzer

2024-07-06

Abstract:The process of annotating data within the legal sector is filled with distinct challenges that differ from other fields, primarily due to the inherent complexities of legal language and documentation. The initial task usually involves selecting an appropriate raw dataset that captures the intricate aspects of legal texts. Following this, extracting text becomes a complicated task, as legal documents often have complex structures, footnotes, references, and unique terminology. The importance of data cleaning is magnified in this context, ensuring that redundant information is eliminated while maintaining crucial legal details and context. Creating comprehensive yet straightforward annotation guidelines is imperative, as these guidelines serve as the road map for maintaining uniformity and addressing the subtle nuances of legal terminology. Another critical aspect is the involvement of legal professionals in the annotation process. Their expertise is valuable in ensuring that the data not only remains contextually accurate but also adheres to prevailing legal standards and interpretations. This paper provides an expanded view of these challenges and aims to offer a foundational understanding and guidance for researchers and professionals engaged in legal data annotation projects. In addition, we provide links to our created and fine-tuned datasets and language models. These resources are outcomes of our discussed projects and solutions to challenges faced while working on them.

Information Retrieval,Computation and Language,Machine Learning