Properties of Confidentiality Requirements

Abstract

There is a growing concern to ensure personal information is protected in the emerging information society, and this can be attributed to the increasing incident of identity theft and confidentiality breach. There are also potential risks associated with mishandling personal information in the healthcare sector, for example, medical conditions, which should remain confidential, can be disclosed to unauthorized persons, subsequently leading to negative social and psychological effects on the affected individuals. Many governments and international agencies have developed legislations and guidelines to prevent misuse of personal information by organizations in their jurisdictions. However, there is a challenge in properly integrating the complex nature and interaction of confidentiality concerns in many information systems. This is because the concerns involve multiple interests - the data owner, the data custodian, potential users of the system, as well as government agencies, and they can be conflicting. In addition, the requirements are usually specified in free text form, which can be ambiguous and difficult to translate to software systems. A better understanding of confidentiality requirement properties will assist information system designers and developers in specifying and analyzing the requirements, and ultimately result in good "confidentiality-aware" systems. This research is aimed at developing an approach for improved specification, modelling and analysis of confidentiality requirements. In this paper, we describe the study to identify key confidentiality properties, which will enable precise specification of confidentiality requirements