Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

A grounded theory approach to security policy elicitation

A grounded theory approach to security policy elicitation PurposeIn this paper, the authors consider how qualitative research techniques that are used in applied psychology to understand a person’s feelings and needs provides a means to elicit their security needs.Design/methodology/approachRecognizing that the codes uncovered during a grounded theory analysis of semi-structured interview data can be interpreted as policy attributes, the paper develops a grounded theory-based methodology that can be extended to elicit attribute-based access control style policies. In this methodology, user-participants are interviewed and machine learning is used to build a Bayesian network-based policy from the subsequent (grounded theory) analysis of the interview data.FindingsUsing a running example – based on a social psychology research study centered around photograph sharing – the paper demonstrates that in principle, qualitative research techniques can be used in a systematic manner to elicit security policy requirements.Originality/valueWhile in principle qualitative research techniques can be used to elicit user requirements, the originality of this paper is a systematic methodology and its mapping into what is actionable, that is, providing a means to generate a machine-interpretable security policy at the end of the elicitation process. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Information & Computer Security Emerald Publishing

A grounded theory approach to security policy elicitation

Foley, Simon N.; Rooney, Vivien
Information & Computer Security , Volume 26 (4): 18 – Oct 8, 2018
Download PDF
18 pages

Loading next page...
 
/lp/emerald-publishing/a-grounded-theory-approach-to-security-policy-elicitation-fvVCG1PaSW
Publisher
Emerald Publishing
Copyright
Copyright © Emerald Group Publishing Limited
ISSN
2056-4961
DOI
10.1108/ICS-12-2017-0086
Publisher site
See Article on Publisher Site

Abstract

PurposeIn this paper, the authors consider how qualitative research techniques that are used in applied psychology to understand a person’s feelings and needs provides a means to elicit their security needs.Design/methodology/approachRecognizing that the codes uncovered during a grounded theory analysis of semi-structured interview data can be interpreted as policy attributes, the paper develops a grounded theory-based methodology that can be extended to elicit attribute-based access control style policies. In this methodology, user-participants are interviewed and machine learning is used to build a Bayesian network-based policy from the subsequent (grounded theory) analysis of the interview data.FindingsUsing a running example – based on a social psychology research study centered around photograph sharing – the paper demonstrates that in principle, qualitative research techniques can be used in a systematic manner to elicit security policy requirements.Originality/valueWhile in principle qualitative research techniques can be used to elicit user requirements, the originality of this paper is a systematic methodology and its mapping into what is actionable, that is, providing a means to generate a machine-interpretable security policy at the end of the elicitation process.

Journal

Information & Computer SecurityEmerald Publishing

Published: Oct 8, 2018

References

  • Users are not the enemy
  • A qualititative approach to HCI research
  • Over-exposed? privacy patterns and considerations in online and mobile photo sharing
  • Model driven security for process-oriented systems
  • Design for privacy in ubiquitous computing environments
  • Analyzing regulatory rules for privacy and security requirements
  • Privacy interfaces for collaboration
  • Barriers to usable security? three organizational case studies