Evaluating a privacy requirements specification method by using a mixed-method approach: results and lessons learnedShow others and affiliations
2023 (English)In: Requirements Engineering, ISSN 0947-3602, E-ISSN 1432-010X, Vol. 28, no 2, p. 229-255Article in journal (Refereed) Published
Abstract [en]
Although agile software development (ASD) has been adopted in the industry, requirements approaches for ASD still neglect non-functional requirements. Privacy has become a concern due to new user demands and data protection laws. Hence, privacy needs to be properly specified, but agile requirements engineering techniques do not explicitly represent privacy requirements and, therefore, are not able to proper analyze such requirements. In this context, Privacy Criteria Method (PCM), an approach to specify privacy in requirements activities, was proposed to produce more complete and detailed privacy requirements. By considering PCM a promising approach to be used in ASD and the importance of empirical evaluation of new methods, we have as objectives: 1 evaluate the ability of PCM to support systems analysts in specifying privacy requirements when used in conjunction with some agile specification methods; and 2 show our lessons learned in conducting empirical research based on an mix-method approach defined to empirically evaluate the suitability of a requirements specification in specifying privacy requirements. Mixed-method approach is a controlled experiment as a quantitative evaluation and a feasibility study (questionnaire and task analysis based) study as a qualitative and quantitative evaluation. The requirements specifications following PCM allow to represent privacy aspects, such as user’s personal data and the privacy mechanism that can be used to mitigate a privacy risk scenario. We also observed that some extra time is necessary to specify privacy requirements with PCM, but it does not imply a greater perceived effort. Specifications produced with PCM are of good quality and more privacy detailed. Additionally, we attest to the importance of conducting empirical research to evaluate new methods. PCM assists in specifying more complete and detailed in relation to traditional techniques used in ASD, which facilitates communication between the requirements analysts and developers. © 2022, The Author(s), under exclusive licence to Springer-Verlag London Ltd., part of Springer Nature.
Place, publisher, year, edition, pages
Springer Science+Business Media B.V., 2023. Vol. 28, no 2, p. 229-255
Keywords [en]
Agile software development, Empirical study, Privacy criteria method, Privacy requirements specification, Job analysis, Requirements engineering, Risk perception, Software design, Specifications, Empirical research, Empirical studies, Industry requirements, Mixed method, Privacy requirement specification, Privacy requirements, Quantitative evaluation, Requirements specifications, Data privacy
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-23724DOI: 10.1007/s00766-022-00388-2ISI: 000857797700001Scopus ID: 2-s2.0-85138227443OAI: oai:DiVA.org:bth-23724DiVA, id: diva2:1701594
Part of project
SERT- Software Engineering ReThought, Knowledge Foundation
Funder
Knowledge Foundation, 201800102022-10-062022-10-062023-06-19Bibliographically approved