The document describes the results of a systematic literature review on modeling languages for privacy requirements. 58 papers were identified that proposed modeling languages to capture privacy concepts. Most proposed new modeling languages or extensions to existing languages, and used illustrative examples to evaluate them. The majority of papers were solution proposals in academic contexts, focusing generally on privacy rather than a specific application domain.

1. www.cin.ufpe.br/~ler
Laboratório de Engenharia
de Requisitos
Universidade
Federal de
Pernambuco
Modeling Languages to Support Privacy
Requirements: Results from a Systematic
Literature Review
Mariana Peixoto and Carla Silva
{mmp2, ctlls}@cin.ufpe.br
08/2018

2. Outline
n Problem Characterization
n Research methodology
n Results
n Future Work
2

3. Problem Characterization
n Is necessary address the privacy issues since the early
stages of development, ie the Requirements Engineering
phase [Kalloniatis et al., 2008; Omoronyia et al., 2012; Tun et
al., 2012].
n There is a need for systematic approaches for reasoning,
modeling and analyzing privacy from the early stages of the
software development [Webster et al., 2005].
n Privacy is a multifaceted concept, comes in many forms, relating to
what one wishes to keep private [Kalloniatis et al., 2008; Gharib et
al., 2017]. This has resulted in much confusion among designers
and stakeholders, and has led in turn to wrong design decisions
[Gharib et al., 2017].
3

4. Problem Characterization
n Motivated by this scenario, we perform a Systematic
Literature Review to investigate requirements modeling
languages for privacy and provides an extensive analysis
of them.
¨ This SLR focuses on approaches that consider privacy, by
explicitly representing and analyzing privacy concepts in a
requirements model.
4

5. Research Methodology
5
Fig 1. SLR Process adapted from Kitchenham and Charters (2007).

6. Research Methodology
n What are the modeling languages used to modeling and
analysis of privacy requirements?
¨ SRQ1 - What modeling languages capture privacy concepts?
Is it an extension of existing language? The language has tool
support?
¨ SRQ2 - What are the benefits and limitations reported in the
use of the modeling languages?
¨ SRQ3 - What are the privacy concepts captured by modeling
languages?
¨ SRQ4 - What are the modeling elements used to capture
privacy concepts and their relationships?
¨ SRQ5 – Do these languages support requirements analysis?
What are the methods of analysis used?
¨ SRQ6 - Are the modeling languages concerned with cognitive
understanding aspects?
6

7. Research Methodology
Search Strategy: automatic search and snowball
method
n Search String: (“privacy”) AND (“requirements
engineering”) AND (“modeling” OR “modelling” OR
“model” OR “language” OR “notation)
n Search Engines:
¨ IEEExplore
¨ ACM Digital Library
¨ Science Direct
¨ Scopus
¨ Compendex
¨ Springer
7

8. SLR Preliminary Results
8
Inclusion Criteria Exclusion Criteria
I1 Primary Studies E1 Studies that are not focused on
Requirements Engineering
I2 Peer-reviewed studies E2 Duplicate studies (only one copy of each
study was included)
I3 Studies that present privacy
representation in some visual language
E3 Redundant paper of same author
I4 Original studies in languages: English,
Portuguese or Spanish
E4 Studies not available
I5 Studies published in any year E5 Incomplete studies (short papers (≤ 3
pages)
E6 Presentations, reports, dissertations,
theses, secondary studies, tertiary and
meta-analysis, gray literature.
E7 Studies that do not capture privacy
concepts
E8 Studies irrelevant to the research
questions
Table 1. Selection Criteria.

9. Research Methodology
Selection Procedure
n Step 1: reading titles, abstracts and keywords;
considering the inclusion and exclusion criteria.
n Step 2: reading introduction and conclusion; considering
the inclusion and exclusion criteria.
n Step 3: the studies included are fully read; excluding
irrelevant papers for the research questions.
9

10. Research Methodology
10
Data Description
Identifier (ID) Unique identifier for each paper
Year, Affiliations, List of Authors, Title,
Abstract and Keywords
Source IEEE, ACM, Scopus, Science Direct, Ei
COMPENDEX and Springer
Application context Industrial, academic, both
Study Type Journal, conference, symposium,
workshop, book chapter
Research Type (based on Wieringa et
al., 2006)
Evaluation research, validation research,
solution proposal, philosophical papers,
experience papers, opinion papers
Evaluation Method (based on
Easterbrook et al., 2008 )
Controlled experiment, case study, survey,
ethnography, action research, illustrative
scenario, not applicable
Application Domain Any domain. For example, Health Care
Research Questions Answer to each research question
Table 2. Data Extraction.

11. Research Methodology
Quality Assessment
n To verify the quality, the studies were classified
according to Wieringa (2005):
¨ Validation Research
¨ Evaluation Research
¨ Experience Papers
¨ Opinion Papers
¨ Philosophical Papers
¨ Solution Proposal
11

12. 12
Quality Assessment
Question Eva Val Sol Phi Exp Opi
QA1- Are the proposed concepts/relations clearly defined? (Gharib et al.,
2017).
x x x x x x
QA2- Does the work propose sufficient concepts/relations to deal with privacy
aspects? (Gharib et al., 2017).
x x x x x x
QA3- Is the problem clearly stated? (Wieringa, 2006). x x x
QA4- Is the research method clearly stated? (Wieringa, 2006). x x
QA5- Is there an adequate description of the context? (Dyba and Dingsoyr,
2008).
x x
QA6- Was the data collected in a way that addressed the research issue?
(Dyba and Dingsoyr, 2008).
x x
QA7- Was the data analysis sufficiently rigorous? (Dyba and Dingsoyr, 2008). x x
QA8- Is there a clear statement of findings? (Dyba and Dingsoyr, 2008). x x
QA9- Was there a control group with which to compare treatments? (Dyba and
Dingsoyr, 2008).
x
QA10- Is the technique novel, or is the application of the techniques to this
kind of problem novel? (Wieringa, 2006).
x
QA11- Is the technique argued? (Wieringa, 2006). x
QA12- Is the broader relevance of this novel technique argued? (Wieringa,
2006).
x
QA13- Is there sufficient discussion of related work? (Wieringa, 2006). x
QA14- Is the conceptual framework original? (Wieringa, 2006). x
QA15- Is it argued? (Wieringa, 2006). x
QA16- Is the experience original? (Wieringa, 2006). x
QA17- Is the report about it sound? (Wieringa, 2006). x
QA18- Is the report relevant for practitioners? (Wieringa, 2006). x
QA19- Is the stated position argued? (Wieringa, 2006). x
QA20- Is the opinion Innovating? (Wieringa, 2006). x
Table 3. Quality Assessment

13. Research Methodology
Quality Assessment
n To verify the quality, the studies were classified
according to Wieringa (2005):
¨ Validation Research (less than 4.5 of 9.0)
¨ Evaluation Research (less than 3.5 of 8.0)
¨ Experience Papers (less than 2.5 of 5.0)
¨ Opinion Papers (less than 2.5 of 5.0)
¨ Philosophical Papers (less than 2.5 of 4.0)
¨ Solution Proposal (less than 2.5 of 7.0)
13

14. Research Methodology
Threats to validity
n This review was conducted by only one researcher and
one advisor. To reduce the bias in this case, a structured
data extraction approach was used, as indicated by
Cruzes and Dyba (2011).
n The search string used for the automatic search may not
include all the existing synonyms for the terms present in
the expression "Modeling languages that support privacy
requirements" and thus be insufficient to capture all area
studies. To reduce this bias the snowball search was
performed.
14

15. SLR Results
15
Fig 2. SLR Results.

16. SLR Results
16
ID Title Authors
ACM7 Distilling Privacy Requirements for Mobile
Applications
Thomas, K; Bandara, A. K.;
Price, B.A.; Nuseibeh, B.
(2014)
ACM8 Elaborating Security Requirements by
Construction of Intentional Anti-Models
Lamsweerde, A.V. (2004)
ACM17 Legal Goal-oriented Requirement Language
(Legal GRL) for Modeling Regulations
Ghanavati, S.; Amyot, D.;
Rifaut, A. (2014)
COMPEDEX9 Designing privacy-aware personal health record
systems
Samavi, R.; Topaloglou, T.
(2008)
IEEE18 Compliance Analysis Based on a Goal-oriented
Requirement Language Evaluation Methodology
Ghanavati, S.; Amyot D.;,
Peyton, L. (2009)
IEEE30 Goal-oriented compliance with multiple
regulations
Ghanavati, S.; Rifaut;, A.;
Dubois, E.; Amyot, D. (2014)
IEEE48 Requirements engineering patterns for the
modeling of Online Social Networks features
Bouraga, S.; Jureta, I.;
Faulkner, S. (2014)
... .... ...
Table 4. Selected Papers

17. SLR Results
n Overview Results
17
Fig 3. Publication year.
1
6
4
3 3
2
5
4
2
4
3 3
9
3
4
2
0
1
2
3
4
5
6
7
8
9
10
2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017

18. SLR Results
n Overview Results
18
Fig 4. Authors nationalities.
1
6
1
17
1
1
1
1
9
2
1
2
17
1
3
2
2
1
3
13
1
0
2
4
6
8
10
12
14
16
18
Australia
Belgium
Brazil
Canada
Chile
China
Cyprus
France
Germany
Greece
India
Ireland
Italy
Japan
Luxembourg
Netherlands
Norway
Saudi Arabia
Spain
UK
USA

19. SLR Results
n Overview Results
19
Table 5. Paper type x context.
Application Context
Study Type Academic Academic/Industrial
Total
Conference 24 0 24
Journal 17 4 21
Symposium 2 0 2
Workshop 11 0 11
Total 54 (93.1%) 4 (6.8%) 58 (100%)

20. SLR Results
n Overview Results
20
Table 6. Research type.
Research Type Frequency Percentage
Solution Proposal 48 82.8
Evaluation
Research 7 12.1
Validation
Research 3 5.2
Total 58 100.0

21. SLR Results
n Overview Results
21
Table 7. Evaluation method
Evaluation Method
Frequency
Percentage
Case study
13
22.4
Case study and Survey
1
1.7
Controlled Experiment
3
5.2
Illustrative Scenario
35
60.3
Not Applicable
5
8.6
Survey
1
1.7
Total
58
100.0

22. SLR Results
22
Table 8 Application Domain
Application Domain
Frequency
Percentage
Business Process Management
1
1.7
Cloud Computing Systems
2
3.4
Context-sensitive systems
1
1.7
General
32
55.2
Health Care
5
8.6
Internet Services
1
1.7
Legal Regulations
6
10.3
Mobile Applications
2
3.4
Online Social Networks
1
1.7
Public Key Infrastructures
1
1.7
Security Policies
1
1.7
Smart Grids
1
1.7
Socio-Technical Systems
3
5.2
Web of Things
1
1.7
Total
58
100.0

23. 23
Table 9. Languages used for privacy.
Language Frequency Percentage
UML4PF 1 1.4
BPMN 1 1.4
CORAS Risk Modeling 1 1.4
Data Flow Diagrams 1 1.4
Goal/Agent Modeling 8 11.4
GRL 3 4.3
i-Star 9 12.9
KAOS 1 1.4
Legal GRL 2 2.9
Misuse Cases 4 5.7
NFR Framework 3 4.3
Problem Frames 5 7.1
SecBPMN-ml 1 1.4
Secure Tropos 6 8.6
Security-Aware Tropos 1 1.4
SI* modelling 3 4.3
STS-ml 2 2.9
Threat Model 2 2.9
Threat Tree 1 1.4
Tropos 6 8.6
UML 3 4.3
UMLsec 3 4.3
Use Case Maps 2 2.9
User Requirements Notation 1 1.4
Total 70 100.0

24. SLR Results
What modeling languages capture privacy concepts?
24
Fig 5. Taxonomy of privacy modeling languages.

25. SLR Results
Is it an extension of existing language?
n 44 (75.9%) studies used an existing language;
n 14 (24.1%) studies proposed an extension of an existing
language;
n It was not possible to observe the proposal of no new
language.
25

26. SLR Results
The language has tool support?
26
Table 10. Paper Whose has Tool Support.
ID
Tool Name
ACM7
Customized OpenArgue
ACM17/ IEEE18/ IEEE30/
SCOPUS6/ SPRINGER119/
SPRINGER277
Extended tool support (jUCMNav)
SPRINGER183/ SPRINGER420/
SPRINGER23
UMLsec tool
SPRINGER23
Used Secure Tropos tool
SPRINGER160
Toolset for modeling in SecBPMN-ml
IEEE58/SPRINGER302
Extended/Used UML profile
SCOPUS20
Used CREE-tool
SCIENCE27
Tool developed using
the Open Models Initiative Platform

27. SLR Results
What are the privacy concepts captured by modeling languages?
Privacy Concepts Catalog
Private/ Public/ Semi Public/ Owner/ Third Party/ Personal
Information/ Privacy Mechanism- goals/ Safeguards/ Awareness –
Necessity to know/ Openness/ Consent/ Accuracy/ Agreement/
Obligation/ Socialization/ Intentionality/ Non Repudiation/
Availability/ Permission/ Collect/ Disclosure/ Use/ Access Control/
Autonomy/ Vulnerability/ Confidentiality/ Intervenability/
Dectectability/ Integrity/ Unobservability/ Unlikability/ Anonymity/
Pseudonymity/ Authorization/ Authentication/ Opportunity/ Strength/
Weakness/ Conflict/ Trust/ Constraint/ Assurance/ Measure/ Privacy
Threats/ Harms/ Exposure/ Surveillance/ Aggregation/
Misinformation/ Power Imbalance/ Contextl/ Intrusion/ Identification/
Accountability/ Compliance/ Auditability/ Processor/ Privacy policy/
Privacy Preferences
27

28. SLR Results
What are the privacy concepts captured by modeling languages?
n UML is used to support Personal Information, Awareness,
Consent, Obligation, Non Repudiation, Disclosure, Access
Control, Confidentiality, Integrity, Anonymity, Authorization and
Harms.
n NFR Framework is used to support, Privacy Mechanism,
Awareness, Socialization, Intentionality, Permission,
Autonomy, Vulnerability, Confidentiality, Anonymity, Conflict,
Trust, Privacy Threats in COMPEDEX9, SCIENCE178 and
SNOW115.
28

29. SLR Preliminary Results
What are the modeling elements used to capture privacy
concepts and their relationships?
29
Concept <Element; Relationships (ID)>
Private <Resource; Dependency (IEEE48)>
Public <Resource; Dependency (IEEE48)>
Semi-Public <Resource; Dependency (IEEE48)>
Owner <Owner; Dependency (SNOW122)
Third Party <Goal; Decomposition link (ACM17)>
Personal Information <Resource; Dependency (COMPEDEX9/IEEE48/SNOW123), part of
(SCOPUS31), Trust relation, Owner relation, Permission relation
(SCOPUS30)>, <Goal; Contribution Link (IEEE18/SNOW7), Goal
decomposition (SNOW46), Dependency (SCIENCE323/SCIENCE332)>,
<Softgoal; Decomposition Link (IEEE30), Strategic Dependencies
(IEEE53), Association (SCIENCE40)>, < Stereotype; Extension
(IEEE58)>, <Document; Contribution link SNOW122)>
Table 11. Modeling elements and relationships.

30. SLR Preliminary Results
What are the modeling elements used to capture privacy concepts
and their relationships?
30Fig 6. SLR Modeling Elements Results.

31. SLR Preliminary Results
Do these languages support requirements analysis? What are the
methods of analysis used?
n 48 (82.8%) do support analysis and 10 (17.2%) don’t.
31
Fig 7. Requirements Analysis Methods.

32. SLR Results
Do these languages support requirements analysis? What are the
methods of analysis used?
32
ID Requirements Analysis Techniques Supported Concept
SNOW115 Privacy and Transparency Together Analysis: Aims to
analyze how privacy would impact Transparency and
vice versa.
Third Party, Personal Information, Privacy
Mechanism, Awareness, Socialization, Collect,
Use, Anonymity and Trust
IEEE53/
SNOW123
Attacker Analysis: Aims to identify potential system
abusers and their malicious intents
Personal Information, Privacy Mechanism,
Awareness, Consent, Collect, Disclosure,
Access Control, Confidentiality, Authorization,
Authentication, Trust, Constraint, Assurance and
Privacy Threats
SNOW122 Consistency Analysis: Aims to verify whether the
diagram built by the designer is consistent and valid.
Owner, Personal Information, Availability,
Confidentiality, Integrity, Authorization and
Privacy Threats
IEEE53 Countermeasure Analysis: System designers make
decisions on how to protect security and privacy from
potential attackers and vulnerabilities
Personal Information, Awareness, Disclosure,
Access Control, Confidentiality, Authorization,
Trust and Privacy Threats
Table 12. Requirements Analysis Techniques X Supported Concept
.

33. SLR Results
Are the modeling languages concerned with cognitive
understanding aspects?
n only one study!
¨ They conducted a study in two countries with 152 participants in which
they assessed the effectiveness of graphical representations with
respect to extraction correct information about risks.
33

34. SLR Results - Quality Assessment
n Evaluation research: 7 papers just one received maximum
score, quality 80 ;
n Validation research: 3 papers (two studies received 80) from a
maximum of 90;
n Solution proposal: 48 papers just three received maximum
score, quality 70.
34

35. Future Work
n Concepts Validation
n Conceptual Model
n Framework of Privacy Capabilities
35

36. Main References
n Gharib, M., Giorgini, P., Mylopoulos, J. (2017) Towards an
Ontology for Privacy Requirements via a Systematic Literature
Review. In: Mayr H., Guizzardi G., Ma H., Pastor O. (eds)
Conceptual Modeling. LNCS, vol 10650. Springer, pages 193–
208.
n Hadar, I., Hasson, T., Ayalon, O., Toch, E., Birnhack, M.,
Sherman, S., & Balissa, A. (2018) Privacy by designers:
software developers’ privacy mindset. Empirical Software
Engineering, pages 259-289.
n Kitchenham, B., Charters, S. Guidelines for performing
Systematic Literature Reviews in Software Engineering.
Technical Report, EBSE-2007-01, Software Engineering Group,
School of Computer Science and Mathematics. Keele
University, Keele, UK.
n Privacy in RE: https://sites.google.com/cin.ufpe.br/
privacyconcepts/home
36

37. www.cin.ufpe.br/~ler
Laboratório de Engenharia
de Requisitos
Universidade
Federal de
Pernambuco
Modeling Languages to Support Privacy
Requirements: Results from a Systematic
Literature Review
Mariana Peixoto and Carla Silva
{mmp2, ctlls}@cin.ufpe.br
08/2018