Regulatory Compliance Modelling Using Risk Management Techniques

27 Pages Posted: 4 Dec 2020 Last revised: 6 May 2021

See all articles by Steve Taylor

Steve Taylor

ECS, University of Southampton

Mike Surridge

ECS, University of Southampton

Brian Pickering

University of Southampton - School of Electronics and Computer Science (ECS); British Psychological Society (BPS); British Computer Society

Date Written: October 22, 2020

Abstract

We describe a novel approach to regulatory compliance decision support that leverages an asset-based cyber security risk management approach following ISO 27005, and illustrate this with an example based on the General Data Protection Regulation (GDPR). Previous work in regulatory compliance modelling and decision support utilises semantic vocabularies and reasoning techniques, and our approach has the primary benefit that regulatory compliance is integrated with other domains of risk management, so that insight from domains such as cyber security combined with regulatory compliance for privacy can be gained based on a single model of the user’s socio-technical infrastructure. The main contributions of this paper are: to show how regulatory requirements may be modelled as “compliance threats” in an asset-based risk management framework; to illustrate mapping from the GDPR’s legal text to domain assets, processes and relationships, compliance threats and control strategies to mitigate the threats; to show how the threats are trigged via recognition patterns based on asset configurations; to illustrate how the different types of regulatory requirement, e.g. obligations, prohibitions and derogating conditions, are represented in such a scheme; and finally to describe how to model causal dependencies between choices made to address a compliance threat and downstream additional compliance requirements.

Keywords: Regulatory Compliance, Cyber Security, Decision Support, Risk Management, GDPR, Modelling, Compliance Threat

Suggested Citation

Taylor, Steven and Surridge, Michael and Pickering, Brian, Regulatory Compliance Modelling Using Risk Management Techniques (October 22, 2020). Available at SSRN: https://ssrn.com/abstract=3716778 or http://dx.doi.org/10.2139/ssrn.3716778

Steven Taylor (Contact Author)

ECS, University of Southampton ( email )

University Rd.
Southampton SO17 1BJ, Hampshire SO17 1LP
United Kingdom

Michael Surridge

ECS, University of Southampton ( email )

University Rd.
Southampton SO17 1BJ, Hampshire SO17 1LP
United Kingdom

Brian Pickering

University of Southampton - School of Electronics and Computer Science (ECS) ( email )

University Road
Southampton
United Kingdom

British Psychological Society (BPS) ( email )

Leicester
United Kingdom

British Computer Society ( email )

First Floor, Block D
North Star House, North Star Avenue
Swindon
United Kingdom

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
161
Abstract Views
786
Rank
354,196
PlumX Metrics