A grounded theory approach to security policy elicitation
Information and Computer Security
ISSN: 2056-4961
Article publication date: 8 October 2018
Issue publication date: 8 October 2018
Abstract
Purpose
In this paper, the authors consider how qualitative research techniques that are used in applied psychology to understand a person’s feelings and needs provide a means to elicit their security needs.
Design/methodology/approach
Recognizing that the codes uncovered during a grounded theory analysis of semi-structured interview data can be interpreted as policy attributes, the paper develops a grounded theory-based methodology that can be extended to elicit attribute-based access control style policies. In this methodology, user-participants are interviewed and machine learning is used to build a Bayesian network-based policy from the subsequent (grounded theory) analysis of the interview data.
Findings
Using a running example – based on a social psychology research study centered around photograph sharing – the paper demonstrates that, in principle, qualitative research techniques can be used in a systematic manner to elicit security policy requirements.
Originality/value
While in principle qualitative research techniques can be used to elicit user requirements, the originality of this paper is a systematic methodology and its mapping into what is actionable, that is, providing a means to generate a machine-interpretable security policy at the end of the elicitation process.
Acknowledgements
The authors thank Simon O’Donovan who prototyped the Android photograph sharing assistant for his UCC bachelor’s degree project. This work was supported, in part, by Science Foundation Ireland grant SFI/12/RC/2289 and by the Cyber CNI Chair of Institute Mines-Télécom, which is held by IMT Atlantique and supported by Airbus Defence and Space, Amossys, EDF, Orange, La Poste, Nokia, Société Générale and the Regional Council of Brittany; it has been acknowledged by the French Centre of Excellence in Cybersecurity.
Citation
Foley, S.N. and Rooney, V. (2018), "A grounded theory approach to security policy elicitation", Information and Computer Security, Vol. 26 No. 4, pp. 454-471. https://doi.org/10.1108/ICS-12-2017-0086
Publisher
Emerald Publishing Limited
Copyright © 2018, Emerald Publishing Limited