A Named Entity Recognition Based Approach for Privacy Requirements Engineering

Abstract

The presence of experts, such as a data protection officer (DPO) and a privacy engineer, is essential in Privacy Requirements Engineering. This task is carried out in various forms, including threat modeling and privacy impact assessment. The knowledge required for performing privacy threat modeling can be a serious challenge for a novice privacy engineer. We aim to bridge this gap by developing an automated approach via machine learning that is able to detect privacy-related entities in user stories. The relevant entities include (1) the Data Subject, (2) the Processing, and (3) the Personal Data entities. We use a state-of-the-art Named Entity Recognition (NER) model along with contextual embedding techniques. We argue that an automated approach can assist agile teams in performing privacy requirements engineering techniques such as threat modeling, which requires a holistic understanding of how personally identifiable information is used in a system. In comparison to other domain-specific NER models, our approach achieves reasonably good performance in terms of precision and recall.

Authors
  • Herwanto, Guntur B.
  • Quirchmayr, Gerald
  • Tjoa, A Min
Editors
  • Yue, Tao
  • Mirakhorli, Mehdi
Shortfacts
  • Category: Paper in Conference Proceedings or in Workshop Proceedings (Paper)
  • Event Title: 2021 IEEE 29th International Requirements Engineering Conference Workshops (REW)
  • Divisions: Multimedia Information Systems
  • Event Location: Notre Dame, IN, USA
  • Event Type: Workshop
  • Event Dates: 20-24 Sept 2021
  • Series Name: 2021 IEEE 29th International Requirements Engineering Conference Workshops (REW)
  • ISSN/ISBN: 978-1-6654-1898-0
  • Page Range: pp. 406-411
  • Date: September 2021