[Context and Motivation] Security and Privacy (SP) compliance is an important aspect of running businesses successfully. Compliance with SP requirements by Software Engineering (SE) vendors, both in terms of the systems they implement and the practices they follow while implementing them, gives customers an assurance that their data is accessed, stored, and processed securely. Failure to comply, on the other hand, can entail heavy fines and lawsuits, and may even lead to loss of business through prohibition of that software in the corresponding jurisdictions. SE contracts are known to be a useful source for deriving software requirements. [Question/problem] Mining any kind of information from contracts is a daunting task, given that contracts are large and complex documents employing Legalese. [Principal ideas/results] We employ an exploratory study to come up with a model for a governance-focused classification of the SP requirements present in SE contracts. Next, we report experiments conducted with Recurrent Neural Networks and Transformer-based models to automate this classification. Experiments conducted on 960 SE contracts received from a large vendor organization indicate that T5 performs best for both SP identification and classification tasks. With T5, we obtained an average F1 score of 0.90 each for identification of SP requirements. For the governance-focused classification, we obtained an average F1 score of 0.81 for the Security class and 0.80 for the Privacy class. [Contribution] Through an exploratory study, we present a model for a governance-focused classification of the SP requirements present in SE contracts. We further automate the extraction and the governance-focused classification of SP requirements by conducting experiments using 960 real-life SE contracts received from a large vendor organization.