1 Introduction

Regulatory compliance is the act of ensuring that an organization, process or (software) product adheres to laws, guidelines, specifications and regulations. The last three decades have seen an increase in interest in and awareness of regulations and compliance, prompted mainly by crises in the financial, health, transport, and oil and gas sectors. Today, concerns about security, privacy, climate change, business fairness, competitiveness and innovation prompt renewed interest in better regulations and their enforcement. Research in artificial intelligence (AI) and requirements engineering (RE) is at the forefront of efforts to address these concerns, and many modelling methods are being put forward. These methods can be partitioned into two groups: goal-oriented and non-goal-oriented methods.

Goal-oriented methods are based on models composed of goals from various stakeholders and the relationships between them, including AND/OR decompositions and positive/negative contributions. These methods offer ways of structuring requirements according to their contributions towards achieving the goals of the various stakeholders [1, 52]. Central to goal modelling languages are their qualitative and quantitative analysis capabilities [3, 23]. Goal models can be used to elicit, negotiate, analyse and validate requirements and the means of satisfying them [30]. These attributes have encouraged the adoption of goal models to address legal and regulatory compliance [2, 15, 39, 48]. Non-goal-oriented modelling methods, in contrast, comprise any method that does not use goal modelling. Examples used in legal and regulatory compliance include Prolog models [47], the Unified Modeling Language (UML) [49], production rules [34] and semantic annotations [19, 53]. As there exists a very large number of non-goal-oriented modelling methods, this review focuses mainly on those proposed by the requirements engineering community.

Common activities are carried out in order to achieve compliance with laws or regulations. These activities represent the general units of work [38] within legal or regulatory compliance, and they are described as tasks. Tasks in turn “provide complete step-by-step explanations of doing all the work that needs to be done to achieve” compliance [2, 38]. As illustrated in Fig. 1, compliance tasks include modelling, checking, analysis and enactment [2]. Compliance modelling tasks cover the discovery and formalization of text extracted from the laws and regulations with which compliance is needed. These texts include compliance requirements, and the resulting models may include a variety of artefacts such as goals for regulatory objectives, processes for prescriptive procedural regulations and logic expressions for deontic modalities (obligations, permissions, interdictions). Compliance checking tasks are activities that ensure that the formalized representations of regulations (the models) correctly capture the compliance requirements. Activities for compliance modelling and checking are often intertwined and used iteratively. Compliance analysis tasks involve activities that provide insight into the state of compliance of an organization, a process, a (software) product, etc., as a result of the fulfilment or violation of the compliance requirements, possibly measured via models. Finally, compliance enactment tasks involve activities for making changes to an organization, a process, a (software) product, etc., in order to establish or re-establish compliance with a law or regulation. Re-establishing compliance is needed in view of changing or evolving laws, regulations or business processes.

Fig. 1 Tasks in the legal or regulatory compliance domain

Different contexts (such as privacy and security) exist that require legal or regulatory compliance. These contexts, which also occur in different domains (such as environment and healthcare), present compliance concerns that need to be addressed, and compliance tasks are applied to these contexts to achieve compliance. Notably, it is when modelling methods are applied through compliance tasks to address compliance concerns in these contexts that their benefits and drawbacks become apparent. In this regard, we explored the benefits of these methods by analysing how they are used to perform compliance tasks towards addressing different concerns in these contexts across different domains. Our study maps the methods used in legal and regulatory compliance according to the compliance tasks they perform. The resulting analysis identifies the claimed benefits and drawbacks reported in the requirements engineering articles we reviewed.

Important motivations for this review hence include understanding the general benefits and drawbacks of the above categories of modelling methods for common compliance tasks, encouraging researchers to highlight benefits and drawbacks more systematically in their results, and identifying domains and contexts of application that require more attention in the future. While we did not perform any experiment to confirm the claims of the reviewed papers, we acknowledge that some authors did compare their proposed methods with other existing goal-oriented and non-goal-oriented modelling methods. We cite specific modelling methods when discussing benefits and drawbacks in Sect. 3, but the summary tables in Sect. 6 enumerate the benefits and drawbacks we identified only in terms of the two groups of methods. This review covers a wider range of articles and a wider compliance scope than the review of Ghanavati et al. [15], which focused on goal-oriented modelling methods but only for business process compliance. Our review is also complementary to the recent thesis of Hashmi [20], which mainly focuses on non-goal-oriented modelling methods (often logic-based) in a business process compliance context.

The rest of the study is organized as follows: Sect. 2 describes the systematic literature mapping method we used and the results obtained, particularly where and how the modelling methods are used. Section 3 discusses the claimed benefits and drawbacks, whereas Sect. 4 discusses threats to the validity of this work. In Sect. 5, we discuss related work, and in Sect. 6 we provide our conclusions and recommendations for future work.

2 Method

The method we used in this study is based on Kitchenham’s systematic literature review methodology [33] and on the suggestions of Petersen et al. on systematic literature mapping [42]. Systematic literature reviews are rigorous in their identification, selection, analysis and synthesis of the findings of studies on a particular topic or question [50], and many have been used in a requirements context [6]. These characteristics, which enabled us to identify relevant articles when exploring evidence on the use, benefits and drawbacks of goal-oriented and non-goal-oriented modelling methods, informed our choice of a systematic literature mapping. As with other systematic literature-based studies, when conducting a systematic literature mapping, researchers set research questions on a research topic to be answered. They also define queries to apply to a justified collection of databases, journals, conference proceedings and other sources to identify and select the articles that help answer these questions. Inclusion and exclusion criteria guide the selection of primary articles for review from the search results. As a systematic literature mapping focuses on mapping a large quantity of papers to categories, the quality assessment of those papers is less emphasized than in a review study [22, 42].

Systematic literature review/mapping studies can be carried out in three stages [33]: a planning stage, which defines the process for selecting the articles to review; a conducting stage, in which the review itself is performed; and a reporting stage, in which the results are reported. We adopted this approach in this study.

2.1 Planning

In this stage, to identify the use and explore the benefits or drawbacks of goal-oriented and non-goal-oriented modelling methods, we defined research questions and a search query. A search strategy and inclusion and exclusion criteria were also determined to guide the selection of relevant articles. We concentrated on the following three research questions:

  1. What are the domains and contexts where goal-oriented and non-goal-oriented modelling methods have been applied for legal and regulatory compliance?

  2. What are the main claimed benefits of using goal-oriented modelling methods for legal or regulatory compliance over non-goal-oriented modelling methods?

  3. What are the claimed drawbacks of the use of goal-oriented modelling methods in comparison to non-goal-oriented modelling methods?

Based on these research questions, and with goal-oriented modelling methods as the comparator, we arrived at a simple search query: (“Legal Compliance” OR “Regulatory Compliance”) AND (“Goal Model*”), up to and including the year 2016. This query is obviously more exhaustive for one category (goal-oriented) than for the other, but it is sufficient to answer the research questions about use and comparative claimed benefits and drawbacks. We also identified three search strategies for obtaining the primary articles used to answer the research questions. To ensure quality, each search strategy sought articles from peer-reviewed sources only.

  (a) In the first strategy, we concentrated on goal-oriented modelling methods. We identified four major databases in information systems, computer science and engineering that cover legal and regulatory compliance: ACM Digital Library, IEEE Xplore, Scopus and Springer Link. Google Scholar was also included to help identify articles not covered by the other four databases.

  (b) The second search strategy concentrated on identifying both goal-oriented and non-goal-oriented modelling methods. As such, we selected conference venues and journals that publish methods related to legal or regulatory compliance. The list of the top twelve venues provided in the extended systematic mapping study on goal-oriented requirements engineering by Horkoff et al. [22] was selected. Our assumption is that these venues publish articles on non-goal-oriented modelling methods in addition to goal-oriented modelling methods. In addition to these twelve venues, we included the proceedings of the Requirements Engineering and Law Workshop (RELAW). RELAW is a workshop co-located with the IEEE International Conference on Requirements Engineering (RE) and explicitly includes legal and regulatory compliance within its scope.

  (c) For the final search strategy, we focused on the published comprehensive examination of different types of information technology artefacts used in legal or regulatory compliance by Akhigbe et al. [2]. This body of work, which identified both goal-oriented and non-goal-oriented modelling methods, represents the most recent review (at the time of writing) in the legal and regulatory compliance domain.

Regarding inclusion/exclusion criteria, we decided to limit the scope of the study to articles with modelling approaches in the requirements engineering area (to ensure good coverage of one specific domain), with evidence of application to real laws or regulations (to ensure a minimum level of quality). We first applied an inclusion criterion to identify articles that addressed the use of modelling methods. Articles involving either type of method and addressing compliance, contracts, controls, rules, risks or standards, but not in conjunction with a law or regulation, were excluded. As such, the articles selected were only those involving modelling methods used for compliance modelling, checking, analysis or enactment. In addition, articles that mention legal or regulatory compliance only in their title, keywords or references, as well as systematic literature reviews and theses, were excluded. Also excluded were articles with proposals and prototypes that were not evaluated or validated against a law or regulation.

2.2 Conducting the review

In this stage, we obtained the primary articles that addressed the three research questions. We applied the three search strategies to the databases, journals and conference proceedings using the search query and the inclusion and exclusion criteria. Using the first search strategy, we applied the search query to the ACM Digital Library, IEEE Xplore and Scopus databases as well as to Google Scholar. A total of 601 hits were obtained. Using the inclusion criterion and by removing duplicates, we selected 70 articles, as indicated in Table 1.

Table 1 Summary of search results

For the second search strategy, we searched for both goal-oriented and non-goal-oriented modelling methods in conference proceedings and journals. The conference proceedings were: IEEE International Conference on Requirements Engineering (RE), International Conference on Conceptual Modeling (ER), ACM Symposium on Applied Computing (SAC), Requirements Engineering: Foundation for Software Quality (REFSQ), International Conference on Advanced Information Systems Engineering (CAiSE), International Conference on Software Engineering (ICSE) and International Conference on Model Driven Engineering Languages and Systems (MODELS). The journals searched were the Journal of Systems and Software (JSS), Requirements Engineering Journal (REJ), Transactions on Software Engineering (TSE), International Journal of Intelligent Systems (IJIES) and Information and Software Technology Journal (ISTJ). The 13th selected venue was the specialized RELAW workshop. For this strategy, we widened the scope of the search query and searched with only (“Legal Compliance” OR “Regulatory Compliance”).

The searches on the journals and conference proceedings returned 358 articles, of which we selected 117 using the inclusion criterion (Table 1). Finally, for the third search strategy, a manual search of the 342 articles reviewed in Akhigbe et al. [2] with the query yielded 278 articles, of which we selected 165 based on the inclusion criterion (Table 1).

In the end, based on the three search strategies and after removal of duplicates, we arrived at 286 articles. We then read each of the 286 articles and, based on the exclusion criteria, selected 103 articles to answer the research questions, as illustrated in Table 2. The list of the 103 selected articles and their year of publication can be accessed online (see footnote 1). This list also includes, for each paper, a brief description of the method, the compliance context and domain in which the method was applied, the law or regulation addressed, whether the concerns were those of regulating or regulated parties, and the compliance tasks covered.

Table 2 Final set of articles selected

2.3 Reporting the review

In this stage, we present the results from the review of the primary articles. Herein, we provide a descriptive analysis of the state of research in legal and regulatory compliance as observed from the review, to answer the first research question. A comprehensive review answering the remaining two research questions is provided in Sect. 3.

A slightly larger number of articles on non-goal-oriented modelling methods were obtained for legal or regulatory compliance, accounting for 57% of the observed methods (59 of the 103 articles reviewed). Only one article combined both types of method, as illustrated in Fig. 2. The review indicates that these methods have been used over the last 30 years, with four articles published between 1986 and 2001 and seven between 2002 and 2006. The last 10 years witnessed a large increase in the use of these modelling methods, with 40 articles published between 2007 and 2011 and 52 between 2012 and 2016, inclusively.

Fig. 2 Distribution of the number of selected articles about goal-oriented and non-goal-oriented modelling methods in legal or regulatory compliance

Figure 3 illustrates the distribution of the selected articles over this 30-year period. The figure also highlights an increase of eight in the number of publications about goal-oriented modelling methods over the last 5 years, and a slight increase of three in the number of publications about non-goal-oriented modelling methods. Finally, within this period, one article introduced an integration of both types of method.

Fig. 3 Distribution over time of selected articles on goal-oriented and non-goal-oriented modelling methods used for legal or regulatory compliance

To further contribute to our first research question, the next two sub-sections report on the different domains and contexts where modelling methods were used, as well as the laws/regulations targeted and whether this was done from the viewpoint of regulated parties or of regulators.

2.3.1 Domain and context

As illustrated in Table 3, of the eleven domains where these methods have been used for legal or regulatory compliance, healthcare has witnessed the highest number of applications. There were 57 articles (55%) in this domain, 32 for non-goal-oriented modelling methods and 25 for goal-oriented modelling methods. The government domain came second with 14 articles (14%), 13 for non-goal-oriented modelling methods and only one for goal-oriented modelling methods. The financial sector was next with 12 articles (12%): five for goal-oriented, six for non-goal-oriented and one for both types of modelling method. The transport domain had eight articles (8%), seven for goal-oriented and one for non-goal-oriented modelling methods, and the business domain had five articles (5%), two for goal-oriented and three for non-goal-oriented modelling methods. The education domain had two articles (2%), both on goal-oriented modelling methods. Finally, the environment, media, nuclear, oil and gas, and telecommunications domains witnessed the lowest number of articles, with just one (1%) each. In these eleven domains, across the 103 reviewed articles, the methods were used in 16 different contexts, shown in Table 4. At times, these methods were used in more than one context in an article, which explains why the total of 112 is larger than the number of papers (103). Of the 16 contexts, privacy and security were the most often addressed, with 61 (54%) and 14 (13%) articles, respectively.

Table 3 Domains of application of goal-oriented and non-goal-oriented modelling methods for legal or regulatory compliance
Table 4 Different legal or regulatory compliance contexts to which goal-oriented and non-goal-oriented modelling methods were applied

2.3.2 Laws, regulations and target audiences

Compliance concerns involving a total of 60 laws and regulations from 14 countries around the world have been addressed by these methods. Table 11 in Appendix B shows the 60 laws and regulations discussed in the 103 selected papers, the domains and contexts in which they were applied, as well as their jurisdictions (countries). As shown in Table 5, the USA is the focus of 35% of the laws and regulations studied, while Canada with 13% and Italy with 12% are the other top countries. Often, more than one law or regulation addressed the same context. In addition, European laws and regulations, though binding on every European Union (EU) member country, were applied to specific countries (e.g. Italy) in the articles and were addressed as such.

Table 5 Countries whose laws or regulations have been addressed in legal and regulatory compliance research by goal-oriented and non-goal-oriented modelling methods

With privacy being the most frequent context, privacy laws and regulations naturally appear the most often in the reviewed articles. In this regard, out of 112 instances of laws and regulations discussed in the selected papers (Table 11), 63% (80 instances) addressed contexts involving privacy and 38% (48 instances) addressed laws and regulations in contexts not involving privacy. The USA’s Health Insurance Portability and Accountability Act (HIPAA; see footnote 2) was the most frequently used law, with 39 applications. The Luxembourg Income Tax Law (see footnote 3) and Canada’s Personal Health Information Protection Act (PHIPA; see footnote 4) are next in line, with a distant five applications each. In terms of the audience targeted by these laws and regulations, or whose compliance concerns were addressed, regulated parties (e.g. companies) benefited the most, with 82% (85 articles) addressing their concerns, while 12% (twelve articles) addressed the concerns of regulators (e.g. governments). Finally, 6% (six articles) addressed the concerns of both regulated parties and regulators. Table 6 shows how the papers are distributed over the different target audiences, for each type of method.

Table 6 Target audience of the application of goal-oriented and non-goal-oriented modelling method for legal or regulatory compliance

3 Discussion: benefits and drawbacks

In Sect. 1, we described compliance tasks as the basic units of work to be done: modelling, checking, analysis and enactment. The 103 reviewed articles addressed a total of 236 compliance tasks. Figure 4 illustrates that 42% (98) were compliance modelling tasks, 43% (102) compliance checking tasks, 13% (31) compliance analysis tasks and 2% (5) compliance enactment tasks. Table 7 shows their distribution over goal-oriented and non-goal-oriented modelling methods. One compliance modelling, checking and analysis task each was addressed by the article that integrated both types of method. This result closely agrees with the claim of Akhigbe et al. [2] that compliance analysis and enactment tasks are the least addressed in the legal and regulatory compliance domain, independently of whether modelling is involved or not. Table 7 also suggests that goal-oriented modelling methods addressed these two tasks the most, with 24 for compliance analysis and four for compliance enactment compared to six and one (respectively) for non-goal-oriented requirements modelling methods.

Fig. 4 Distribution of compliance tasks addressed in articles on legal and regulatory compliance

Table 7 Compliance tasks performed in the legal and regulatory compliance domain by goal-oriented and non-goal-oriented modelling methods

3.1 Benefits and drawbacks: compliance modelling tasks

Two major approaches are involved in the activities that constitute compliance modelling tasks. Modelling activities, such as discovering, eliciting, sourcing, representing, prioritizing or specifying the requirements in laws or regulations needing compliance, are done by focusing either on the intent of the law or on the structure of the law (see Table 10 in Appendix A). The intent category seeks to directly understand and represent what the law says, often by identifying deontic norms (obligations and permissions). This is done either with techniques based on natural language such as semantic annotations, with logic programming, or with the Hohfeldian taxonomy [21]. The structure category, in contrast, abstracts from the semantics of the law. It rather explores the intended relationships between the structural elements of the law (e.g. articles and sections), and often between the law and the processes it addresses. This is done by identifying relationships (e.g. decompositions and quantitative contributions) between legal prescriptions and the actors, objectives, indicators or processes involved.

As illustrated in Fig. 5, goal-oriented modelling methods appear to be the only approach whose model structure reflects the structure of the corresponding law (19 articles). An example of this is the approach of Tawhid et al. [51], where regulations are modelled for measuring compliance using the Goal-oriented Requirement Language (GRL), standardized as part of the User Requirements Notation [4]. A simplified model targeting airport security regulations, decomposed into articles, sections, sub-sections, etc., and ultimately measured using indicators, is illustrated in Fig. 6. Goals capture parts of the regulations at different structural levels, and contribution or AND/OR decomposition links connect these parts together. OR-decomposition is used in particular when some part of a regulation explicitly offers alternative means of satisfying a higher-level part. Measurements (e.g. from airport inspections) feed the indicators, which convert measures into satisfaction levels by comparing them to target expectations. Satisfaction values are propagated to the goals (through the various links) in order to assess compliance levels [3]. Colour feedback reflects satisfaction levels (the greener, the better). As the focus is solely on the structure of the regulation, the content of the goals here has little logical semantics. However, goal models are a good match for an increasing number of laws and regulations that are outcome-based, meaning that they focus more on goals and outcomes than on prescriptive ways of achieving them [51].
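The indicator conversion and bottom-up propagation described above can be made concrete with a small evaluator. The following Python code is an added example and is neither the model of Tawhid et al. nor the propagation algorithm of any GRL tool; the regulation structure (two sections, one of which offers alternative means of satisfaction via OR-decomposition), the indicator parameters (target, threshold and worst values) and the two inspection data sets are all constructed for illustration. It uses the simple quantitative rules of taking the minimum child satisfaction for AND-decompositions and the maximum for OR-decompositions, with indicators mapped linearly onto a [-100, 100] satisfaction scale.

```python
# Added example (not from the reviewed paper or any GRL tool): GRL-style
# indicator conversion and bottom-up satisfaction propagation for a
# regulation modelled by its structure. The regulation, its sections, the
# indicator parameters and the inspection data are constructed here.
from dataclasses import dataclass, field
from typing import Dict, List


def indicator_satisfaction(value: float, target: float,
                           threshold: float, worst: float) -> int:
    """Map a measured value onto the [-100, 100] satisfaction scale.

    target -> 100, threshold -> 0, worst -> -100, linear in between and
    clamped beyond target/worst. Whether higher or lower values are better
    follows from the ordering of target, threshold and worst.
    """
    if target == threshold or threshold == worst:
        raise ValueError("target, threshold and worst must be distinct")
    if value == threshold:
        return 0
    on_good_side = (value > threshold) == (target > threshold)
    if on_good_side:
        frac = (value - threshold) / (target - threshold)
        return int(round(min(1.0, frac) * 100))
    frac = (value - threshold) / (worst - threshold)
    return -int(round(min(1.0, frac) * 100))


@dataclass
class Element:
    """A goal (AND/OR-decomposed into children) or a leaf indicator."""
    name: str
    kind: str = "goal"            # "goal" | "indicator"
    decomposition: str = "AND"    # for goals: "AND" | "OR"
    children: List["Element"] = field(default_factory=list)
    target: float = 0.0           # indicator parameters (leaf only)
    threshold: float = 0.0
    worst: float = 0.0


def evaluate(element: Element, measurements: Dict[str, float],
             result: Dict[str, int]) -> int:
    """Propagate satisfaction bottom-up: AND takes the minimum child value,
    OR the maximum (alternative means of satisfying the parent)."""
    if element.kind == "indicator":
        sat = indicator_satisfaction(measurements[element.name], element.target,
                                     element.threshold, element.worst)
    else:
        if not element.children:
            raise ValueError(f"goal {element.name!r} has no children")
        child_sats = [evaluate(c, measurements, result) for c in element.children]
        sat = min(child_sats) if element.decomposition == "AND" else max(child_sats)
    result[element.name] = sat
    return sat


def build_model() -> Element:
    """Constructed regulation: Sec. 1 is AND-decomposed, Sec. 2 offers
    two alternative means (OR-decomposition) of controlling access."""
    def ind(name: str, t: float, th: float, w: float) -> Element:
        return Element(name, "indicator", target=t, threshold=th, worst=w)

    screening = Element("Sec. 1 Passenger screening", children=[
        ind("1.1 screening staff certified (%)", 100, 80, 0),
        ind("1.2 screening failures per 1000 passengers", 0, 5, 20),
    ])
    access = Element("Sec. 2 Restricted-area access", decomposition="OR", children=[
        ind("2.1(a) badge checks logged (%)", 100, 90, 0),
        ind("2.1(b) entry points with biometric gates (%)", 100, 90, 0),
    ])
    return Element("Airport security regulation", children=[screening, access])


def compliance_report(measurements: Dict[str, float]) -> Dict[str, int]:
    """Evaluate one inspection's measurements against the whole model and
    return the satisfaction level of every goal and indicator."""
    result: Dict[str, int] = {}
    evaluate(build_model(), measurements, result)
    return result


# Constructed inspection data for two airports.
INSPECTION_A = {"1.1 screening staff certified (%)": 90,
                "1.2 screening failures per 1000 passengers": 2,
                "2.1(a) badge checks logged (%)": 95,
                "2.1(b) entry points with biometric gates (%)": 0}
INSPECTION_B = {"1.1 screening staff certified (%)": 90,
                "1.2 screening failures per 1000 passengers": 10,
                "2.1(a) badge checks logged (%)": 70,
                "2.1(b) entry points with biometric gates (%)": 100}

if __name__ == "__main__":
    for label, data in (("A", INSPECTION_A), ("B", INSPECTION_B)):
        print(f"Inspection {label}:")
        for name, sat in compliance_report(data).items():
            print(f"  {sat:>5}  {name}")
```

Inspection A has no biometric gates at all, yet Sec. 2 is still satisfied (50) because the OR-decomposition lets badge checks stand in as the alternative means; the overall level (50) is then bounded by Sec. 1. Inspection B satisfies Sec. 2 fully through biometrics but fails the screening-failure indicator, and the AND-decomposition carries that negative value (-33) up to the regulation as a whole, which is the kind of item-by-item and whole-regulation reading that the colour feedback in Fig. 6 conveys.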

Fig. 5 Approaches for modelling laws and regulations using goal-oriented and non-goal-oriented modelling methods

Fig. 6 Simplified GRL model of the structure of airport security regulations

Goal-oriented modelling methods (24 articles), non-goal-oriented modelling methods (54 articles) and the integration of both (1 article) were used for modelling the intent of the law. An example of a goal-oriented approach for modelling the intent of the law is Nòmos 3 by Ingolfo et al. [28]. Nòmos 3 is a language for evaluating the compliance of a set of requirements (represented as goals) with fragments of laws (represented as norms, situations and domain assumptions). Norms exploit the Hohfeldian taxonomy (mainly duties and rights) to specify the semantic aspects of legal fragments, and they are held by legal actors and goals through social roles. A rich set of relationships, including AND/OR decomposition, further enables one to establish compliance (accidental or not) through argumentation and satisfaction label propagation (Fig. 7).

Fig. 7 Simplified Nòmos 3 model enabling the compliance checking of teacher goals against regulations about the notification and publication of student results

Similarly, an example of a non-goal-oriented approach for modelling the intent of the law is the logic programming-based production rule model, a knowledge representation technique from artificial intelligence adapted by Maxwell and Antón [34]. Here, the production rule model is used to validate software requirements for legal compliance. Rules can be encoded in Prolog (Fig. 8), and queries can be written to check existing requirements or to find missing ones.
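To show what "checking existing requirements or finding missing ones" looks like mechanically, the following added example implements a tiny forward-chaining production-rule check in Python (Prolog is what the paper's example uses; this is not the encoding of Maxwell and Antón, and Python is used to stay consistent with the other example on this page). The rule base is a constructed paraphrase of the HIPAA transmission security standard at §164.312(e): guarding ePHI against unauthorized access while in transit, with integrity controls and encryption as its implementation specifications. The rule names, fact names and the sample requirement set are all assumptions made for the example; in particular, the implementation specifications are treated as required here, whereas HIPAA labels them "addressable".

```python
# Added example (not the production-rule encoding of Maxwell and Antón):
# a forward-chaining rule base paraphrasing HIPAA 164.312(e) used to find
# obligations that a system's stated requirements do not cover. Rule,
# fact and requirement names are constructed for illustration.
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Set, Tuple


class Rule(NamedTuple):
    name: str                    # legal provision the rule paraphrases
    conditions: FrozenSet[str]   # facts that must all hold for the rule to fire
    consequent: str              # derived fact; "requires:" marks an obligation


# Constructed paraphrase of the transmission security standard. The two
# implementation specifications are modelled as required (simplification:
# HIPAA labels them "addressable").
RULES: List[Rule] = [
    Rule("164.312(e)(1) transmission security",
         frozenset({"transmits_ephi", "over_electronic_network"}),
         "requires:guard_ephi_in_transit"),
    Rule("164.312(e)(2)(i) integrity controls",
         frozenset({"requires:guard_ephi_in_transit"}),
         "requires:transmission_integrity_controls"),
    Rule("164.312(e)(2)(ii) encryption",
         frozenset({"requires:guard_ephi_in_transit"}),
         "requires:encrypt_ephi_in_transit"),
]


def forward_chain(facts: Iterable[str],
                  rules: List[Rule]) -> Tuple[Set[str], List[str]]:
    """Naive forward chaining: fire every rule whose conditions hold until
    no new fact is derived. Returns the closure and the rules that fired."""
    derived: Set[str] = set(facts)
    fired: List[str] = []
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.conditions <= derived and rule.consequent not in derived:
                derived.add(rule.consequent)
                fired.append(rule.name)
                changed = True
    return derived, fired


def missing_requirements(system_facts: Iterable[str],
                         requirements: Dict[str, Set[str]],
                         rules: List[Rule] = RULES) -> List[str]:
    """Query 'which obligations does the law impose on this system that no
    stated requirement covers?'. Each requirement is tagged with the
    obligations it satisfies (the traceability link a reviewer would record)."""
    derived, _ = forward_chain(system_facts, rules)
    obligations = {f for f in derived if f.startswith("requires:")}
    covered: Set[str] = set()
    for satisfies in requirements.values():
        covered |= satisfies
    return sorted(obligations - covered)


# Constructed description of a system and of its current requirements.
SYSTEM_FACTS = {"transmits_ephi", "over_electronic_network"}
REQUIREMENTS: Dict[str, Set[str]] = {
    "REQ-7 All ePHI sent to partner systems shall be encrypted in transit with TLS.":
        {"requires:encrypt_ephi_in_transit", "requires:guard_ephi_in_transit"},
}

if __name__ == "__main__":
    closure, fired = forward_chain(SYSTEM_FACTS, RULES)
    print("rules fired:", fired)
    print("missing:", missing_requirements(SYSTEM_FACTS, REQUIREMENTS))
```

Against the constructed facts, the transmission security rule fires and in turn triggers both implementation specifications; REQ-7 covers encryption and the general guarding obligation, so the query reports only the integrity-control obligation as missing. A system whose facts do not establish both conditions of the first rule derives no obligations at all, which is the "applicability" question such rule bases answer before any requirement is checked.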

Fig. 8 Simplified example of the representation of HIPAA §164.312(e)(1) with a production rule model in Prolog

Overall, out of the 98 articles covering compliance modelling tasks, 81% (79 articles) of the methods modelled the intent of the law while 19% (19 articles) modelled the structure of the law (see Fig. 5). While there appear to be more non-goal-oriented modelling methods in use, their focus is on the intent of the law, i.e. what the law means or says. In contrast, the focus of goal-oriented modelling methods on the structure of the law, where the relationships between laws and the processes they address determine whether compliance was achieved or not (and often to what extent, if quantitative indicators are present), appears to be their major benefit [13, 14]. This is because such methods tend to provide a broader picture of the law and the activities involved. Also, their ability to address the intent of the law if needed (mainly through the Hohfeldian taxonomy) shows their versatility in comparison to non-goal-oriented requirements modelling methods, which currently focus only on the intent of the law.

The visual nature of goal-oriented modelling methods and their ability to map compliance requirements facilitate the creation of goal models for many compliance contexts [16, 24]. Visual modelling of the law puts different compliance contexts into proper perspective for all the stakeholders involved when exploring trade-offs, often within one integrated model [17, 25]. In addition, goal modelling enables collections of related laws to be identified and presented as families of goal models, leading to better reusability and customization across different domains and contexts [5, 40, 46].

Goal modelling terminology can be difficult to grasp for some categories of stakeholders, making goal models hard to read and often requiring lawyers and domain experts to verify them [28, 51]. Determining whether a goal model is consistent with the source legal text is also made difficult by having to deal with two types of language (goals and natural language), especially in the absence of explicit traceability. In contrast, techniques based on natural language often exploit explicit cross-referencing to help identify inconsistencies between legal texts and the requirements needing compliance [35, 36].

3.2 Benefits and drawbacks: compliance checking tasks

In compliance checking, we ensure that the models in the respective context correspond to the relevant parts of the laws and regulations (i.e. the compliance requirements). This is done at design time through validation and verification activities. In this respect, the approach used in modelling (the intent or the structure of the law) influences how the models are checked, whether with goal-oriented modelling, non-goal-oriented modelling or the integration of both. If the modelling approach focuses on the intent of the law, the emphasis of the compliance checking task is on identifying ambiguities and establishing consistency between the model and its source text. If the modelling approach focuses on the structure of the law, the emphasis is on the satisfaction of the respective goal model elements, often through measurement.

All 103 articles reviewed addressed compliance checking tasks, with goal-oriented modelling methods accounting for 43, non-goal-oriented modelling methods for 59 and the integration of both for one (Table 7). Regarding benefits, the sole benefit of goal-oriented modelling methods over non-goal-oriented modelling methods for compliance checking lies in the fact that some of the former can represent the respective laws and processes in one integrated model. This makes traceability links, and the resulting tool support for tracking compliance as a whole or item by item, easy to automate [12, 48]. Although non-goal-oriented modelling does not provide the whole compliance picture, nor one integrated model, the ability to make direct comparisons between regulatory texts is an interesting benefit [18]. Hence, the drawback of goal-oriented models we observed here is that they can only compare models generated from legal texts (e.g. [12, 48]) and not the legal texts themselves [18].

3.3 Benefits and drawbacks: compliance analysis tasks

Compliance analysis tasks involve activities that provide insight into the state of compliance as a result of the fulfilment or violation of the compliance requirements. Herein, we explore which compliance requirements were satisfied or not by an organization, a process or a product, as well as the events or conditions that caused violations. Analysis can be done proactively based on models (e.g. of the organization, process or product compared with the model of the law/regulation) or reactively based on run-time information [32, 44]. Analysis also explores the level to which compliance was attained, as well as the available alternatives for achieving compliance and their impact. This is achieved with activities such as measurements, calculations, resolutions, explanations or reports, made by exploring traceability links between models and compliance requirements, cross-referencing relationships between different provisions in legal texts, or establishing and assessing indicators. The emphasis is on determining compliance outcomes in the face of changing requirements in the laws, processes or objectives involved. Among the articles reviewed, 31 addressed compliance analysis tasks. Of these, 24 used goal-oriented modelling methods, six used non-goal-oriented modelling methods and one used the integration of both, as indicated in Table 7.

Goal-oriented modelling methods offer more benefits than non-goal-oriented modelling methods here, since the former offer a simpler compliance perspective in one integrated model. Their inherent goal refinement capabilities allow addressing the scalability of the often-complex nature of regulations [16, 43]. Robust tool support also facilitates the dynamic exploration and visual presentation of different kinds of analyses, enabled by traceability links between goals, processes and the respective laws or regulations. With this, stakeholders can explore the alternatives that best match their preferences towards compliance [10, 16, 26]. In addition, goal-oriented modelling methods enable quantitative and qualitative measures of compliance that offer insight into compliance outcomes [12, 45]. There are currently no identified drawbacks of using goal-oriented modelling methods here. There are, however, limitations regarding the substantial effort required for carrying out certain analyses. With most laws and regulations being prescriptive rather than outcome-based, the technical infrastructure and input data required to support regulatory reasoning are substantial [5].

3.4 Benefits and drawbacks: compliance enactment tasks

Compliance enactment tasks include activities for re-establishing compliance. The emphasis is on identifying potentially changing or already changed laws, their dependent laws and their relationships. Compliance enactment tasks follow from having determined, through analysis, what changes need to be made to the organization, process or (software) product to ensure compliance with the new law. With the legal and regulatory compliance domain concentrating on compliance modelling and checking tasks, and with little progress on compliance analysis tasks, little effort has been devoted to enactment. Only five of the 103 articles reviewed addressed compliance enactment tasks, including four that exploit goal-oriented modelling methods.

The non-goal-oriented modelling method that addressed compliance enactment tasks enabled software engineers to predict areas of a law likely to evolve and supported their design decisions in re-establishing compliance of their software products [37]. The framework applied explored why regulations change, how they change and proposed heuristics to predict which regulation would change. In contrast, the focus of goal-oriented modelling methods in this domain has been on modelling and analysing the satisfiability of laws, their dependent laws and processes or objectives, rather than on predicting and responding to change. However, answers from compliance questionnaires generated from goal models and their evaluation across multiple regulated parties can trigger the evolution of regulations (e.g. to better align regulations with efficient practices), enabling some predictive capabilities [8, 51]. In addition, the exploration of alternatives towards compliance, facilitated by (exploratory) evaluation strategies in goal models [3], can trigger changes in regulations and dependent laws or processes leading to knowledge on where, how and when to re-establish compliance.

Goal models offer a holistic view of regulations and their compliance status, with a good understanding of their relationships. Goal pattern families, which capture knowledge about regulations and goal models, provide methods for reuse and customization across domains and contexts, as well as for the evolution of the patterns themselves [7]. In addition, legal texts can be analysed as sources for the parameters and indicators needed to support adaptation, and these can be captured with goal models [27].

4 Threats to validity

There exist several threats to the validity of this systematic literature map. These threats are influences that affected our ability to obtain, interpret and draw conclusions from the search results [41]. We did a validity analysis to identify these threats and discussed ways of addressing them [9]. The main threats relate to construct, internal, conclusion and external validity.

4.1 Construct validity

Construct validity refers to how well the parameters we studied in the systematic review and their outcomes are relevant to the research questions. To address this issue, we ensured the resulting search strategy was comprehensive enough to address the essence of the systematic review: goal-oriented and non-goal-oriented modelling methods in legal or regulatory compliance, with non-goal-oriented methods mainly proposed by the requirements engineering community. This strategy enabled us to obtain relevant articles from multiple sources including journals, conference proceedings and databases. However, one could always cover more sources of articles, especially for non-goal-oriented modelling methods. In addition, we did not assess the quality of the papers based on their coverage of formal case studies or other empirical evidence, so some papers that are simply proposals of approaches have been included in our review on equal terms with evidence-supported approaches, independently of rigour or credibility. To partially mitigate this threat, we only selected peer-reviewed articles where a real law or regulation was used for illustration or validation.

4.2 Conclusion validity

Conclusion validity refers to the certainty that the systematic review used is relevant to obtaining a significant understanding of the benefits and drawbacks of goal-oriented and non-goal-oriented modelling methods. To address this, we ensured the research questions were concise enough to address the benefits and drawbacks of these methods, with goal-oriented modelling methods as a comparison point. We also used a robust search strategy, which enabled us to obtain appropriate articles from a variety of sources. To mitigate any bias with this approach, publication age was not an excluding factor in the selection of articles from these sources. In addition, the results obtained corroborate observations in another review, which indicated that compliance enactment tasks are the least addressed task in legal and regulatory compliance [2]. However, the benefits and drawbacks reported here are mainly the ones claimed by the articles reviewed. There was no attempt to quantify the strength of the evidence, for example through the number of papers citing particular benefits or drawbacks. Deeper and more valid conclusions could be obtained by identifying and reviewing more empirical evidence. For instance, the benefits and drawbacks could be measured through a comparative analysis of the application of the various methods to compliance modelling, checking, analysis and enactment on a representative set of sample laws and regulations. In addition, results expressed in terms of numbers of articles may not reflect how frequently particular methods are used in practice.

4.3 Internal validity

Internal validity refers to how well the review was performed. Guidelines from Kitchenham and Charters [33] and Sweet and Moynihan [50] were followed, and the intermediate steps and decisions taken were documented in a way that makes the review repeatable and extensible. However, there may remain some bias in the application of the inclusion and exclusion factors and in the encoding of the compliance tasks covered by the review, as one author (the first author) mainly performed these steps. In addition, the authors of this literature map have a history of work and publications related to goal modelling that could have influenced this study. A more robust approach to mitigating such bias would be to involve more people from both the goal-oriented and the non-goal-oriented modelling communities to perform these steps independently, and then resolve conflicts through consensus.

4.4 External validity

External validity refers to the generalization of the outcome of the systematic literature mapping approach. The results we obtained show the benefits and drawbacks of goal-oriented and non-goal-oriented modelling methods specific to legal and regulatory compliance. As such, these results might not be applicable to other areas where these methods are applied and compliance is not required. Other compliance methods exist that are not model-based, but a comparison with such methods remains outside the scope of the current study.

5 Related work

Several systematic literature reviews and studies have explored methods for legal or regulatory compliance. Akhigbe et al. [2] did a meta-analysis of the results of 14 literature reviews on this topic that were published between 2007 and 2014. This meta-analysis highlighted the overabundance of methods and guidelines over other types of artefacts (e.g. algorithms and metrics). It also highlighted that analysis and especially enactment compliance tasks are often neglected, and not only in modelling methods.

Using seven qualitative criteria, Ghanavati et al. [11] did a comparative analysis of the usefulness of document-based and model-based compliance management methods. Different from our work, their approach compared the effort to model, comprehend, document and manage the evolution of compliance needs, as well as the level of coverage of the model, compliance documentation and evolution management required. Our work identified the benefits and drawbacks of using goal-oriented and non-goal-oriented methods, which could fall under their document-based or model-based methods, for legal or regulatory compliance.

Kharbili et al. [31] recommended eight characteristics to assess the value of a compliance management approach. The characteristics described as “requirements” include change management for addressing change in laws or regulations, traceability and accountability for discovering and documenting actions and complexity involved in modelling. There are also functionalities and elements to check and enhance efficiency of designed laws or regulations. Other characteristics include cost of the method, mechanisms for enforcement and scalability, and support for predictive impact analysis. Our work instead explores value in terms of claimed benefits when particular compliance tasks are carried out, within a compliance context, in a specific domain, against one or more particular laws or regulations.

Drawing from experiences obtained in addressing laws and regulations in privacy and security compliance contexts, Jureta et al. [29] proposed eight benchmarks that represent important challenges in legal and compliance modelling. Separation and extensibility allow distinguishing between concepts shared across different laws and those unique to a specific law. Minimality and conservativeness require formalisms in this domain to be minimal in the number of modal verbs in the laws modelled and conservative in the inferences made. Entity classification requires identification of the different entity classes or categories present and their relationships. Reference tracing requires precise mapping of atomic model fragments to their originating legal text fragment and preserving the hierarchical paragraph structure of the legal text. Exceptions allow for identifying which subsets of actions require satisfaction when more than one law fragment places constraints on the same action, making satisfaction of both intolerable. Compliance alternatives require representations of the applicable alternative compliance conditions a law expresses, and a comparison of those alternatives. Dialect reasoning requires formalisms to represent evidence that upholds or refutes choices. Finally, applicability and verification require formalized models to have the capability to verify which fragment(s) of a law apply to a given organization, process or product, and to what extent. Our work differs in addressing, in addition to privacy and security compliance contexts, the other compliance contexts mentioned in the literature. Our work also extends the motivations for further research by providing the current state of research in legal and regulatory compliance in terms of the different laws and regulations used, the domains that have been addressed, the audience, the goal-oriented and non-goal-oriented modelling methods that have been used, and when they were used.

The recent thesis of Hashmi [20] provides a formal framework to determine whether a compliance management framework correctly represents the normative requirements that a system has to comply with. His review targets a classification of normative requirements and focuses on the evaluation of several non-goal-oriented modelling methods for business process compliance. Business process compliance is actually the topic of most of the recent surveys and reviews studied in Akhigbe et al. [2], including the review from Ghanavati et al. [15].

6 Conclusion and future work

6.1 Conclusion

Modelling methods continue to be applied to address compliance needs of regulators and regulated parties across a variety of domains. As posited in our three research questions described in Sect. 2.1, using a systematic literature mapping approach, we explored modelling methods used for legal and regulatory compliance relative to the requirements engineering field. In addition, having identified these modelling methods to be either goal-oriented or non-goal-oriented, we explored their main claimed benefits and drawbacks. To do this, we identified four different compliance tasks for which these methods are used and collected claimed benefits and drawbacks from a selection of 103 relevant scientific articles that used their methods on laws and/or regulations.

Our primary observation is that both types of methods vary in the way they relate to laws or regulations. This fundamental difference determines how their benefits are accessed. While non-goal-oriented modelling methods primarily address the intent of the law, goal-oriented modelling methods often address the structure of the law. The former seek to directly understand and represent what the law means, often by identifying deontic norms (obligations and permissions) or Hohfeldian norms (e.g. duties and rights). The latter seek to abstract from the semantics of the law and explore intended relationships between structural parts of the law, and between the law and the processes it regulates. This results in goal-oriented modelling methods placing different compliance contexts in proper perspective for all stakeholders involved to visualize the respective laws and their dependent laws, processes and objectives. We show summaries of the claimed benefits and drawbacks of goal-oriented methods collected during the review in Table 8 and of non-goal-oriented methods in Table 9. These tables only use the two groups of methods in order to give a general overview. Note that a single, specific method may not offer all of the benefits mentioned here, but it will likely suffer from all the drawbacks. We also provide, in Tables 8 and 9, some examples of articles (with paper numbers between braces coming from Table 10 in Appendix A) where these benefits and drawbacks are specifically claimed. Note that these references are not exhaustive and should not be used as an indication of evidence strength.

Table 8 Summary of claimed benefits and drawbacks of goal-oriented modelling methods
Table 9 Summary of claimed benefits and drawbacks of non-goal-oriented modelling methods

The results of this review also provide an overview of the state of the research in the use of modelling for compliance:

(a) The healthcare domain is the most frequently covered by modelling methods, with 55% of reviewed articles in this domain, followed by the government and financial sectors, with 13 and 12%, respectively.

(b) Of the 16 contexts whose concerns were addressed by these methods, the privacy and security contexts are the most frequently addressed, with 54 and 13% of articles focused on them. The other 14 contexts share the remaining 33%.

(c) About 60 different laws and regulations, from 14 different countries, have been used in the reviewed articles. Of their 128 applications in the selected articles, 62% addressed the privacy context.

(d) The USA’s Health Insurance Portability and Accountability Act (HIPAA) was the most frequently used law, with 36 applications. Luxembourg’s Income Tax Law and Canada’s Personal Health Information Protection Act (PHIPA) are next in line, with a distant five applications each.

(e) Compliance concerns of the regulated parties were addressed the most, with 82% of the articles. Regulators had their concerns addressed by 12% of the reviewed articles, while 6% of the articles addressed the concerns of a combination of both regulators and regulated parties.

With this review and its results, we hope researchers will more systematically highlight the benefits and drawbacks of their methods (in comparison with goal-oriented modelling methods and others) in their future contributions, in addition to addressing the issues we have identified in terms of technical drawbacks and limited domains/contexts of application.

This review will also raise awareness and generate interest in the use of modelling for legal and regulatory compliance. Practitioners interested in selecting a modelling method can make use of Tables 8 and 9 to get a high-level overview of claimed potential benefits and claimed common drawbacks and then infer evaluation and comparison criteria based on the compliance tasks of interest to them. In addition, the articles reviewed and listed in Table 10 provide specific examples of state-of-the-art approaches.

6.2 Future work

Given these observations, we recommend that future research efforts consider the following work items:

(a) Perform empirical experiments to compare modelling methods in order to verify the claimed benefits and drawbacks documented in Tables 8 and 9.

(b) Address a wider variety of domains (besides healthcare) and contexts (besides privacy) with both types of methods to further explore and quantify existing benefits and drawbacks (and additional ones, if any).

(c) Further explore modelling methods for the support of analysis and enactment compliance tasks, which are too infrequently considered.

(d) Address the compliance concerns of regulators to enable them to assess and enforce compliance more effectively and to evolve their regulations in order to better reflect best practices. Irrespective of how well regulated parties tend to comply with laws or regulations, as custodians of the regulatory ecosystem, regulators determine who complies or not.

(e) Survey the usage in practice of both types of modelling methods.

(f) Survey potential correlations between benefits/drawbacks and the particular domains or contexts where they are observed, possibly with the aim of developing evidence-based guidelines for providing appropriate modelling solutions in a specific context or domain.

(g) Develop a maturity model used to position these methods and their perceived benefits towards improving the performance of organizations.