Abstract
Recognising that the codes uncovered during a Grounded Theory analysis of semi-structured interview data can be interpreted as the attributes of an access-control policy, this paper describes how a Qualitative Research-based methodology can be extended to elicit Attribute Based Access Control (ABAC) style policies. In this methodology, user-participants are interviewed, and machine learning is used to build a Bayesian-network-based policy from the subsequent Grounded Theory analysis of the interview data.
Notes
- 1.
was chosen for expediency.
References
Adams, A., Lunt, P., Cairns, P.: A qualitative approach to HCI research. In: Cairns, P., Cox, A. (eds.) Research Methods for Human-Computer Interaction. Cambridge University Press (2008)
Adams, A., Sasse, M.: Users are not the enemy. CACM 42(12), 40–46 (1999)
Ahern, S., Eckles, D., Good, N.S., King, S., Naaman, M.: Over-exposed? Privacy patterns and considerations in online and mobile photo sharing. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 357–366 (2007)
Basin, D., Doser, J., Lodderstedt, T.: Model driven security for process-oriented systems. In: ACM Symposium on Access Control Models and Technologies (SACMAT 2003) (2003)
Bellotti, V., Sellen, A.: Design for privacy in ubiquitous computing environments. In: de Michelis, G., Simone, C., Schmidt, K. (eds.) European Conference on Computer Supported Cooperative Work, pp. 77–92. Springer, Dordrecht (1993). https://doi.org/10.1007/978-94-011-2094-4_6
Breaux, T., Antón, A.: Analyzing regulatory rules for privacy and security requirements. IEEE Trans. Softw. Eng. 34(1), 5–20 (2008)
Cadiz, J., Gupta, A.: Privacy interfaces for collaboration. Technical report MSR-TR-2001-82, Microsoft Research, Redmond, WA (2001)
Caputo, D.D., Pfleeger, S.L., Sasse, M.A., Ammann, P., Offutt, J., Deng, L.: Barriers to usable security? Three organizational case studies. IEEE Secur. Priv. 14(5), 22–32 (2016). https://doi.org/10.1109/MSP.2016.95
Charmaz, K.: Constructing Grounded Theory. Sage Publications, London (2006)
Charmaz, K.: Disclosing illness and disability in the workplace. J. Int. Educ. Bus. 3(1/2), 6–19 (2010)
Darwiche, A., et al.: SamIam: Sensitivity Analysis, Modeling, Inference and More. UCLA Automated Reasoning Group. http://reasoning.cs.ucla.edu/samiam/. Accessed 07 July 2017
Dodier-Lazaro, S., Abu-Salma, R., Becker, I., Sasse, M.A.: From paternalistic to user-centred security: putting users first with value-sensitive design. In: Proceedings of the 3rd CHI Workshop on Values in Computing (2017)
Dourish, P., Grinter, E., de la Flor, J.D., Joseph, M.: Security in the wild: user strategies for managing security as an everyday, practical problem. Pers. Ubiquit. Comput. 8(6), 391–401 (2004)
Firesmith, D.: Security use cases. J. Object Technol. 2(3), 53–64 (2003)
Flechais, I., Mascolo, C., Sasse, M.: Integrating security and usability into the requirements and design process. Int. J. Electron. Secur. Digit. Forensic 1(1), 12–26 (2007)
Foley, S.N., Rooney, V.M.: Qualitative analysis for trust management. In: Christianson, B., Malcolm, J.A., Matyáš, V., Roe, M. (eds.) Security Protocols 2009. LNCS, vol. 7028, pp. 298–307. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36213-2_33
Häkkilä, J., Chatfield, C.: It's like if you opened someone else's letter: user perceived privacy and social practices with SMS communication. In: MobileHCI 2005: 7th International Conference on Human Computer Interaction with Mobile Devices and Services, pp. 357–366 (2005)
Inglesant, P., Sasse, A., Chadwick, D., Shi, L.: Expressions of expertness: the virtuous circle of natural language for access control policy specification. In: Symposium on Usable Privacy and Security (SOUPS) 2008, Pittsburgh, PA, USA (2008)
Jendricke, U., Gerd tom Markotten, D.: Usability meets security - the identity-manager as your personal security assistant for the internet. In: 16th Annual Computer Security Applications Conference (2000)
Kvale, S., Brinkmann, S.: InterViews. Learning the Craft of Qualitative Research Interviewing, 2nd edn. Sage Publications, London (2009)
Lauritzen, S.: The EM algorithm for graphical association models with missing data. Comput. Stat. Data Anal. 19, 191–201 (1995)
Massacci, F., Mylopoulos, J., Zannone, N.: Security requirements engineering: the SI* modeling language and the secure tropos methodology. In: Ras, Z.W., Tsay, L.S. (eds.) Advances in Intelligent Information Systems. Studies in Computational Intelligence, vol. 265, pp. 147–174. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-05183-8_6
Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(2), 285–309 (2007)
O’Connell, D.C., Kowal, S.: Basic principles of transcription. In: Smith, J.A., Harre, R., Van Langenhove, L. (eds.) Rethinking Methods in Psychology. Part II, Discourse as Topic, Chap. 7. Sage Publications, London (1995)
Onabajo, A., Jahnke, J.: Properties of confidentiality requirements. In: 19th IEEE Symposium on Computer-Based Medical Systems (2006)
Parkkola, H., Saariluoma, P., Berki, E.: Action-oriented classification of families' information and communication actions: exploring mothers' viewpoints. Behav. Inf. Technol. 28(6), 525–536 (2009)
Rashid, A., et al.: Discovering “unknown known” security requirements. In: International Conference on Software Engineering. ACM Press (2016)
Seaman, C.: Qualitative methods in empirical studies of software engineering. IEEE Trans. Softw. Eng. 25(4), 557–572 (1999)
Srivastava, S.: Mobile phones and the evolution of social behaviour. Behav. Inf. Technol. 24(2), 111–129 (2005)
Thomas, K., Bandara, A., Price, B., Nuseibeh, B.: Distilling privacy requirements for mobile applications. In: 36th International Conference on Software Engineering (ICSE2014), 31 May-7 June, 2014, Hyderabad, India, pp. 871–882 (2014)
Twining, P., et al.: Some guidance on conducting and reporting qualitative studies. Comput. Educ. 106, A1–A9 (2017)
Wang, Y., et al.: I regretted the minute I pressed share: a qualitative study of regrets on Facebook. In: 2011 Symposium on Usable Privacy and Security (SOUPS), Pittsburgh, PA, USA (2011)
Zurko, M.E., Simon, R.T.: User-centered security. In: 1996 Workshop on New Security Paradigms, NSPW 1996, pp. 27–33. ACM (1996)
Acknowledgements
Thanks to Simon O’Donovan who prototyped the Android photograph sharing assistant for his UCC Bachelor’s degree project. This work was supported, in part, by Science Foundation Ireland grant SFI/12/RC/2289 and by the Cyber CNI Chair of Institute Mines-Télécom which is held by IMT Atlantique and supported by Airbus Defence and Space, Amossys, EDF, Orange, La Poste, Nokia, Société Générale and the Regional Council of Brittany; it has been acknowledged by the French Centre of Excellence in Cybersecurity.
A Sample policy
A.1 Marked up interview text
A.2 Generated Bayesian Network Policy
The above Bayesian network, in Hugin .net format, was generated by SamIam [11] using EM learning (expectation-maximisation parameter estimation, which tolerates missing values in the training data) on the dataset given in Fig. 5. Note that in this implemented policy each complementary state !v is encoded as the literal XXXNOT v.
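The pipeline sketched in the abstract and in the note above (coded interview excerpts as attribute assignments, EM parameter learning of a Bayesian network, a Hugin .net policy with !v spelled XXXNOTv) can be exercised end to end on a toy dataset. The following is an added example written for this page; it is not the paper's code, not SamIam, and not the Fig. 5 dataset. The attribute names (hypothetical Grounded Theory codes from a photo-sharing setting), the records, the fixed network structure (independent attributes, one decision node with all attributes as parents) and the Hugin row ordering (first listed parent varying slowest) are all assumptions made here.

```python
"""Added example (not from the paper): EM-learn a small Bayesian-network
policy from coded interview records, query it, and emit Hugin .net text
in which each complementary state !v is written XXXNOTv."""
from collections import defaultdict
from itertools import product

# Hypothetical GT codes used as ABAC attributes (not the paper's codes).
ATTRS = ["recipient_is_family", "photo_shows_child", "location_tagged"]
DECISION = "share"

# Constructed records, one per coded interview excerpt. None means the
# interviewee did not mention that attribute: a missing value for EM.
RECORDS = [
    dict(recipient_is_family=True,  photo_shows_child=False, location_tagged=False, share=True),
    dict(recipient_is_family=True,  photo_shows_child=False, location_tagged=False, share=True),
    dict(recipient_is_family=True,  photo_shows_child=True,  location_tagged=False, share=True),
    dict(recipient_is_family=True,  photo_shows_child=True,  location_tagged=False, share=True),
    dict(recipient_is_family=True,  photo_shows_child=True,  location_tagged=True,  share=True),
    dict(recipient_is_family=False, photo_shows_child=True,  location_tagged=True,  share=False),
    dict(recipient_is_family=False, photo_shows_child=True,  location_tagged=True,  share=False),
    dict(recipient_is_family=False, photo_shows_child=True,  location_tagged=False, share=False),
    dict(recipient_is_family=False, photo_shows_child=False, location_tagged=False, share=True),
    dict(recipient_is_family=False, photo_shows_child=False, location_tagged=True,  share=False),
    dict(recipient_is_family=None,  photo_shows_child=None,  location_tagged=None,  share=False),
    dict(recipient_is_family=True,  photo_shows_child=None,  location_tagged=True,  share=None),
]


def _joint(cfg, d, prior, cpt, attrs):
    """P(attrs=cfg, decision=d) under the fixed structure attrs -> decision."""
    p = 1.0
    for a, v in zip(attrs, cfg):
        p *= prior[a] if v else 1.0 - prior[a]
    return p * (cpt[cfg] if d else 1.0 - cpt[cfg])


def _completions(rec, attrs, decision):
    """Every full assignment consistent with the observed values of a record."""
    choices = [[rec[a]] if rec.get(a) is not None else [True, False] for a in attrs]
    dchoices = [rec[decision]] if rec.get(decision) is not None else [True, False]
    for cfg in product(*choices):
        for d in dchoices:
            yield cfg, d


def em_learn(records, attrs=ATTRS, decision=DECISION, iters=25, pseudo=0.5):
    """EM parameter learning for the fixed structure. Returns (prior, cpt) with
    prior[a] = P(a) and cpt[cfg] = P(decision | attrs=cfg). pseudo is a
    Laplace-style pseudo-count so that no state ends up with probability 0."""
    prior = {a: 0.5 for a in attrs}
    cpt = {cfg: 0.5 for cfg in product([True, False], repeat=len(attrs))}
    for _ in range(iters):
        # E-step: spread each record's unit weight over its completions in
        # proportion to their posterior probability under the current params.
        attr_true, cfg_n, cfg_yes = defaultdict(float), defaultdict(float), defaultdict(float)
        for rec in records:
            comps = list(_completions(rec, attrs, decision))
            weights = [_joint(cfg, d, prior, cpt, attrs) for cfg, d in comps]
            z = sum(weights)
            for (cfg, d), w in zip(comps, weights):
                w /= z
                cfg_n[cfg] += w
                if d:
                    cfg_yes[cfg] += w
                for a, v in zip(attrs, cfg):
                    if v:
                        attr_true[a] += w
        # M-step: smoothed relative frequencies of the expected counts.
        n = len(records)
        prior = {a: (attr_true[a] + pseudo) / (n + 2 * pseudo) for a in attrs}
        cpt = {cfg: (cfg_yes[cfg] + pseudo) / (cfg_n[cfg] + 2 * pseudo) for cfg in cpt}
    return prior, cpt


def p_share(evidence, prior, cpt, attrs=ATTRS):
    """P(decision=True | evidence); attributes absent from evidence are marginalised."""
    num = den = 0.0
    for cfg in cpt:
        if any(evidence.get(a) is not None and evidence[a] != v for a, v in zip(attrs, cfg)):
            continue
        pa = 1.0
        for a, v in zip(attrs, cfg):
            pa *= prior[a] if v else 1.0 - prior[a]
        num += pa * cpt[cfg]
        den += pa
    return num / den


def to_hugin_net(prior, cpt, attrs=ATTRS, decision=DECISION):
    """Serialise the learned policy as Hugin .net text. Every node has the two
    states (v XXXNOTv): the complement state !v is spelled XXXNOTv."""
    def node(name):
        return 'node %s\n{\n  states = ("%s" "XXXNOT%s");\n}\n' % (name, name, name)
    out = ["net\n{\n}\n"]
    for a in attrs:
        out.append(node(a))
        out.append("potential (%s)\n{\n  data = (%.4f %.4f);\n}\n" % (a, prior[a], 1 - prior[a]))
    out.append(node(decision))
    # Rows follow the assumed Hugin order (first parent varies slowest), which
    # is the order product() yields; the inner parentheses mark each row.
    rows = " ".join("(%.4f %.4f)" % (cpt[cfg], 1 - cpt[cfg])
                    for cfg in product([True, False], repeat=len(attrs)))
    out.append("potential (%s | %s)\n{\n  data = (%s);\n}\n" % (decision, " ".join(attrs), rows))
    return "".join(out)


if __name__ == "__main__":
    prior, cpt = em_learn(RECORDS)
    print(to_hugin_net(prior, cpt))
    query = {"recipient_is_family": True, "photo_shows_child": True, "location_tagged": False}
    print("P(share | family, child, no location) = %.3f" % p_share(query, prior, cpt))
```

The two records with None values are the point of using EM rather than plain counting: the all-missing record still contributes (fractionally) to every attribute configuration it could have come from, weighted by how likely each configuration is under the current parameters. The resulting policy is probabilistic, so an enforcement point has to pick a threshold on `p_share` (or ask the user) rather than get a yes/no rule, which is exactly the trade-off a Bayesian-network policy makes versus a boolean ABAC rule.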
Copyright information
© 2018 Springer International Publishing AG
Cite this paper
Rooney, V.M., Foley, S.N. (2018). What Users Want: Adapting Qualitative Research Methods to Security Policy Elicitation. In: Katsikas, S., et al. (eds.) Computer Security. ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017. Lecture Notes in Computer Science, vol. 10683. Springer, Cham. https://doi.org/10.1007/978-3-319-72817-9_15
DOI: https://doi.org/10.1007/978-3-319-72817-9_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-72816-2
Online ISBN: 978-3-319-72817-9