University of Southampton Institutional Repository

Regulatory compliance modelling using risk management techniques


Taylor, Steve, Surridge, Michael and Pickering, Brian (2021) Regulatory compliance modelling using risk management techniques. In: 2021 IEEE World AI IoT Congress (AIIoT). IEEE, pp. 0474-0481. (doi:10.1109/AIIoT52608.2021.9454188).

Record type: Conference or Workshop Item (Paper)

Abstract

We describe a novel approach to regulatory compliance decision support that leverages an asset-based cyber security risk management approach following ISO 27005, and illustrate this with an example based on the General Data Protection Regulation (GDPR). Previous work in regulatory compliance modelling and decision support utilises semantic vocabularies and reasoning techniques, and our approach has the primary benefit that regulatory compliance is integrated with other domains of risk management, so that insight from domains such as cyber security combined with regulatory compliance for privacy can be gained based on a single model of the user's sociotechnical infrastructure. The main contributions of this paper are: to show how regulatory requirements may be modelled as “compliance threats” in an asset-based risk management framework; to illustrate mapping from the GDPR's legal text to domain assets, processes and relationships, compliance threats and control strategies to mitigate the threats; to show how the threats are triggered via recognition patterns based on asset configurations; to illustrate how the different types of regulatory requirement, e.g. obligations, prohibitions and derogating conditions, are represented in such a scheme; and finally to describe how to model causal dependencies between choices made to address a compliance threat and downstream additional compliance requirements.

This record has no associated files available for download.

More information

Published date: 21 June 2021
Additional Information: Funding: The work presented in this paper was funded by the European Union's H2020 research and innovation programme under grant agreements 727301 (SHiELD) and 732638 (Fed4FIREplus).
Keywords: Compliance Threat, Cyber Security, Decision Support, GDPR, Modelling, Regulatory Compliance, Risk Management

Identifiers

Local EPrints ID: 450064
URI: http://eprints.soton.ac.uk/id/eprint/450064
PURE UUID: 125ab939-d3c3-4e08-aeeb-8409eb248549
ORCID for Steve Taylor: https://orcid.org/0000-0002-9937-1762
ORCID for Michael Surridge: https://orcid.org/0000-0003-1485-7024
ORCID for Brian Pickering: https://orcid.org/0000-0002-6815-2938

Catalogue record

Date deposited: 07 Jul 2021 16:31
Last modified: 26 Aug 2024 01:32

Contributors

Author: Steve Taylor
Author: Michael Surridge
Author: Brian Pickering
