A Comprehensive Review of Techniques, Methods, Processes, Frameworks, and Tools for Privacy Requirements
DOI: https://doi.org/10.5753/jisa.2025.5252
Keywords: Privacy Requirements, Techniques, Methods, Processes, Frameworks, Tools
Abstract
Context: Requirements Engineering (RE) relies on the collaboration of various roles—such as requirements engineers, stakeholders, and developers—and various techniques, methods, processes, frameworks, and tools. This makes RE a highly human-dependent process that benefits greatly from tool support. Understanding how these techniques, methods, processes, frameworks, and tools are applied across RE phases could provide valuable insights into ways to enhance the RE process, contributing to more successful outcomes. Objective: The primary objective of this study is to identify the techniques, methods, processes, frameworks, and tools applied across different requirements engineering phases—such as elicitation, analysis, specification, validation, and management—to address privacy requirements. Method: We conducted a systematic literature review (SLR) and identified 125 primary studies, and we also conducted a survey with 37 practitioners. Results: Our review identified a range of techniques, methods, processes, frameworks, and tools for addressing privacy requirements. Most studies were conducted in academic contexts, with the most frequently used tools being: PriS Method, Secure Tropos, LINDDUN, i* (i-star), STRAP (Structured Analysis for Privacy), Privacy by Design (PbD), and SQUARE. Additionally, over 75% of the studies applied these tools in the privacy requirements elicitation phase. In the industry, most of the techniques identified in the literature are not known or used by practitioners. Conclusion: This study provides a comprehensive analysis of techniques and tools for privacy requirements in RE, revealing a strong focus on academic contexts with limited industry application. Future research should explore the scalability and effectiveness of these tools in real-world environments, as well as the reasons why practitioners do not use them.
Shah, T. and Patel, P. (2023). Design of a privacy taxonomy in requirement engineering. In International Conference on IoT Based Control Networks and Intelligent Systems, pages 703-716. Springer. DOI: 10.1007/978-981-99-6586-1_47.
Shelby, L. B. and Vaske, J. J. (2008). Understanding meta-analysis: A review of the methodological literature. Leisure Sciences, 30(2):96-110. DOI: 10.1080/01490400701881366.
Sheth, S., Kaiser, G., and Maalej, W. (2014). Us and them: a study of privacy requirements across north america, asia, and europe. In Proceedings of the 36th International Conference on Software Engineering, pages 859-870. DOI: 10.1145/2568225.2568244.
Silva, D. P., de Souza, P. C., and de Jesus Gonçalves, T. A. (2018). Early privacy: Approximating mental models in the definition of privacy requirements in systems design. In Proceedings of the 17th Brazilian Symposium on Human Factors in Computing Systems, pages 1-10. DOI: 10.1145/3274192.3274211.
Silva, K. and Sarkis, L. (2023). Análise de conformidade da lgpd nas instituições públicas de ensino superior no brasil sob a perspectiva dos profissionais de tic. In WER. Available at:[link].
Sindre, G. and Opdahl, A. L. (2005). Eliciting security requirements with misuse cases. Requirements engineering, 10:34-44. DOI: 10.1007/s00766-004-0194-4.
Spiekermann, S. and Cranor, L. F. (2008). Engineering privacy. IEEE Transactions on software engineering, 35(1):67-82. DOI: 10.1109/tse.2008.88.
Stach, C. and Mitschang, B. (2019). Elicitation of privacy requirements for the internet of things using accessors. In Information Systems Security and Privacy: 4th International Conference, ICISSP 2018, Funchal-Madeira, Portugal, January 22-24, 2018, Revised Selected Papers 4, pages 40-65. Springer. DOI: 10.1007/978-3-030-25109-3_3.
Stach, C. and Steimle, F. (2019). Recommender-based privacy requirements elicitation-epicurean: an approach to simplify privacy settings in iot applications with respect to the gdpr. In Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, pages 1500-1507. DOI: 10.1145/3297280.3297432.
Stary, C. and Heininger, R. (2022). Privacy by sharing autonomy-a design-integrating engineering approach. In International Conference on Subject-Oriented Business Process Management, pages 3-22. Springer. DOI: 10.1007/978-3-031-19704-8_1.
Sâmmara ellen Renner Ferrão, Geovana Ramos Sousa Silva, E. D. C. F. F. M. (2024). Towards a taxonomy of privacy requirements based on the LGPD and ISO/IEC 29100. Inf. Softw. Technol., 168:107396. DOI: 10.1016/J.INFSOF.2024.107396.
Terra, A. H., Vilela, J., and Peixoto, M. M. (2022). A catalog of quality criteria to guide the assessment of applications' privacy policies. In WER. Available at:[link].
Thapa, C. and Camtepe, S. (2021). Precision health data: Requirements, challenges and existing techniques for data security and privacy. Computers in biology and medicine, 129:104130. DOI: 10.1016/j.compbiomed.2020.104130.
Tsohou, A., Magkos, E., Mouratidis, H., Chrysoloras, G., Piras, L., Pavlidis, M., Debussche, J., Rotoloni, M., and Gallego-Nicasio Crespo, B. (2020). Privacy, security, legal and technology acceptance elicited and consolidated requirements for a gdpr compliance platform. Information & Computer Security, 28(4):531-553. DOI: 10.1108/ics-01-2020-0002.
Valença, G., Sarinho, M. W., Polito, V., and Lins, F. (2022). Do platforms care about your child's data? a proposal of legal requirements for children's privacy and protection. In WER. DOI: 10.29327/1298262.25-19.
Veseli, F., Olvera, J. S., Pulls, T., and Rannenberg, K. (2019). Engineering privacy by design: lessons from the design and implementation of an identity wallet platform. In Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, pages 1475-1483. DOI: 10.1145/3297280.3297429.
Vieira, A., Peixoto, M. M., and Silva, C. (2023). Um modelo de conceitos relacionados à privacidade de dados pessoais. In Antonelli, L., Lucena, M., and Portugal, R. L. Q., editors, Anais do WER23 - Workshop em Engenharia de Requisitos, Porto Alegre, RS, Brasil, August 15-17, 2023. LFS (UFRN, Brasil). DOI: 10.29327/1298356.26-6.
Wohlin, C., Runeson, P., Höst, M., Ohlsson, M. C., Regnell, B., Wesslén, A., Wohlin, C., Runeson, P., Höst, M., Ohlsson, M. C., et al. (2012). Systematic literature reviews. Experimentation in software engineering, pages 45-54. DOI: 10.1007/978-3-642-29044-2_4.
Yu, E., Liu, L., and Mylopoulous, J. (2007). A social ontology for integrating security and software engineering. In Integrating security and software engineering: Advances and future visions, pages 70-106. IGI Global. DOI: 10.4018/9781599041476.ch004.
Zhao, Q., Shu, L., Li, K., Ferrag, M. A., Liu, X., and Li, Y. (2024). Security and privacy in solar insecticidal lamps internet of things: Requirements and challenges. IEEE/CAA Journal of Automatica Sinica, 11(1):58-73. DOI: 10.1109/jas.2023.123870.
Zimmermann, C. (2016). Framework and requirements for reconciling digital services and privacy. In 24th European Conference on Information Systems, ECIS 2016, Istanbul, Turkey, June 12-15, 2016, page Research Paper 31. Available at:[link].
Zinsmaier, S. D., Langweg, H., and Waldvogel, M. (2020). A practical approach to stakeholder-driven determination of security requirements based on the gdpr and common criteria. In ICISSP, pages 473-480. DOI: 10.5220/0008960604730480.
Copyright (c) 2025 Journal of Internet Services and Applications

This work is licensed under a Creative Commons Attribution 4.0 International License.

