Modular norm models: practical representation and analysis of contractual rights and obligations

Compliance analysis requires legal counsel but is generally unavailable in many software projects. Analysis of legal text using logic-based models can help developers understand requirements for the development and use of software-intensive systems throughout its lifecycle. We outline a practical modeling process for norms in legally binding agreements that include contractual rights and obligations. A computational norm model analyzes available rights and required duties based on the satisfiability of situations, a state of affairs, in a given scenario. Our method enables modular norm model extraction, representation, and reasoning. For norm extraction, using the theory of frame semantics, we construct two foundational norm templates for linguistic guidance. These templates correspond to Hohfeld’s concepts of claim-right and its jural correlative, duty. Each template instantiation results in a norm model, encapsulated in a modular unit which we call a super-situation that corresponds to an atomic fragment of law. For hierarchical modularity, super-situations contain a primary norm that participates in relationships with other norm models. Norm compliance values are logically derived from its related situations and propagated to the norm’s containing super-situation, which in turn participates in other super-situations. This modularity allows on-demand incremental modeling and reasoning using simpler model primitives than previous approaches. While we demonstrate the usefulness of our norm models through empirical studies with contractual statements in open source software and privacy domains, its grounding in theories of law and linguistics allows wide applicability

A Framework for Analyzing Federal Regulations for Information Security

This research examines regulatory compliance in information systems from a software assurance perspective. Today information systems are software intensive. They are thus prone to software weaknesses, which are exploited by various attacks on the systems. However, when stakeholders are incorporating new systems, they usually tailor security controls based on system needs, thereby, software security concerns receive very less attention than it deserves. In our research, we extend NOMOS, a framework for modeling roles, norms and situations, and evaluate its applicability to information security regulations. We present a case study with the Federal Information Security Management Act (FISMA) of 2002. FISMA statements with high variability space for categorizing information and information systems across multiple documents are examined to explore the utility and limits of the NOMOS framework. Finally, we introduce mechanisms to determine applicability of FISMA and related standards to tailored constraints on software components in a larger information system