A grounded theory approach to security policy elicitation

Bibliographic Details
Published in Information and computer security Vol. 26; no. 4; pp. 454 - 471
Main Authors Foley, Simon N., Rooney, Vivien
Format Journal Article
Language English
Published Bingley Emerald Publishing Limited 08.10.2018
Emerald Group Publishing Limited
Summary:
Purpose: In this paper, the authors consider how qualitative research techniques that are used in applied psychology to understand a person’s feelings and needs provide a means to elicit their security needs.
Design/methodology/approach: Recognizing that the codes uncovered during a grounded theory analysis of semi-structured interview data can be interpreted as policy attributes, the paper develops a grounded theory-based methodology that can be extended to elicit attribute-based access control style policies. In this methodology, user-participants are interviewed and machine learning is used to build a Bayesian network-based policy from the subsequent (grounded theory) analysis of the interview data.
Findings: Using a running example – based on a social psychology research study centered around photograph sharing – the paper demonstrates that in principle, qualitative research techniques can be used in a systematic manner to elicit security policy requirements.
Originality/value: While in principle qualitative research techniques can be used to elicit user requirements, the originality of this paper is a systematic methodology and its mapping into what is actionable, that is, providing a means to generate a machine-interpretable security policy at the end of the elicitation process.
ISSN: 2056-4961
2056-497X
DOI: 10.1108/ICS-12-2017-0086