
A systematic literature mapping of goal and non-goal modelling methods for legal and regulatory compliance

  • Original Article
  • Requirements Engineering

Abstract

Much research is ongoing to assess and improve compliance to laws and regulations. As this domain continues to grow and mature, and with more modelling methods introduced to support compliance tasks, important questions need to be asked. What exactly are these methods used for? Where have they been applied? What benefits do they offer? This paper explores how goal-oriented and non-goal-oriented modelling methods have been used for legal and regulatory compliance, and identifies their main claimed benefits and drawbacks based on the kind of compliance tasks they perform. Using a systematic literature mapping approach, we evaluated 103 articles describing the use of modelling methods obtained from a pool of 286 articles. The results indicate that modelling methods focus on the intent of a law, but goal-oriented modelling methods do so while also reflecting the structure of a law, generally with substantial benefits for all compliance tasks. In addition, whereas modelling methods are used for compliance modelling, checking, analysis and enactment tasks, our analysis indicates that the coverage of these methods is more frequent in the healthcare domain with 55% of the articles reviewed targeting it. In terms of the contexts modelling methods address, privacy has the highest level of attention with a focus from 54% of the reviewed articles. The articles reviewed revealed a total of 60 different laws and regulations from 14 different countries, with 62% focusing on privacy. Moreover, while 82% of the articles reviewed addressed concerns of regulated parties, only 12% addressed the concerns of regulators, and 6% addressed concerns of both regulating and regulated parties. This study highlights the benefits and drawbacks of both types of modelling methods and identifies potential benefits and common drawbacks that will be of interest to researchers and practitioners in the selection of modelling methods or in the identification of selection criteria. 
Finally, the mapping results emphasize the need for more studies outside of healthcare, that are related to contexts other than privacy, that target compliance enactment tasks or that take the concerns of regulators into consideration.


Notes

  1. http://www.site.uottawa.ca/~damyot/pub/Akhigbe/ListArticles2016.xlsx.

  2. https://www.hhs.gov/hipaa/index.html.

  3. http://data.legilux.public.lu/eli/etat/leg/loi/1967/12/04/n1/jo.

  4. https://www.ipc.on.ca/english/phipa/.


Acknowledgements

This research was supported by the National Science and Engineering Research Council of Canada (NSERC) Discovery program and by Interis Consulting/BDO. We also thank the anonymous reviewers for their comments and suggestions, which led to many improvements in this paper.

Author information


Contributions

DA defined the research questions while OA developed the search strategies and carried out the review. DA reviewed the analysis results for consistency and completeness. All authors discussed the results. OA finalized the article with assistance from DA and GR.

Corresponding author

Correspondence to Daniel Amyot.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Appendices

Appendix A: List of selected 103 articles

See Table 10.

Table 10 Selected goal-oriented modelling and non-goal-oriented modelling methods. The ones whose titles are in bold italic (5 out of 103) do not include compliance modelling tasks

Appendix B: Frequencies of covered laws and regulations

See Table 11.

Table 11 Different legal or regulatory compliance contexts to which goal-oriented and non-goal-oriented modelling methods were applied (total: 128)


About this article


Cite this article

Akhigbe, O., Amyot, D. & Richards, G. A systematic literature mapping of goal and non-goal modelling methods for legal and regulatory compliance. Requirements Eng 24, 459–481 (2019). https://doi.org/10.1007/s00766-018-0294-1


  • DOI: https://doi.org/10.1007/s00766-018-0294-1
