To read this content please select one of the options below:

A grounded theory approach to security policy elicitation

Simon N. Foley (LabSTICC, IMT Atlantique Bretagne – Pays de Loire, Cesson Sevigne, France)
Vivien Rooney (LabSTICC, IMT Atlantique Bretagne – Pays de Loire, Cesson Sevigne, France)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 8 October 2018

Issue publication date: 8 October 2018




In this paper, the authors consider how qualitative research techniques that are used in applied psychology to understand a person’s feelings and needs provides a means to elicit their security needs.


Recognizing that the codes uncovered during a grounded theory analysis of semi-structured interview data can be interpreted as policy attributes, the paper develops a grounded theory-based methodology that can be extended to elicit attribute-based access control style policies. In this methodology, user-participants are interviewed and machine learning is used to build a Bayesian network-based policy from the subsequent (grounded theory) analysis of the interview data.


Using a running example – based on a social psychology research study centered around photograph sharing – the paper demonstrates that in principle, qualitative research techniques can be used in a systematic manner to elicit security policy requirements.


While in principle qualitative research techniques can be used to elicit user requirements, the originality of this paper is a systematic methodology and its mapping into what is actionable, that is, providing a means to generate a machine-interpretable security policy at the end of the elicitation process.



The authors thank Simon O’Donovan who prototyped the Android photograph sharing assistant for his UCC bachelor’s degree project. This work was supported, in part, by Science Foundation Ireland grant SFI/12/RC/2289 and by the Cyber CNI Chair of Institute Mines-Télécom, which is held by IMT Atlantique and supported by Airbus Defence and Space, Amossys, EDF, Orange, La Poste, Nokia, Société Générale and the Regional Council of Brittany; it has been acknowledged by the French Centre of Excellence in Cybersecurity.


Foley, S.N. and Rooney, V. (2018), "A grounded theory approach to security policy elicitation", Information and Computer Security, Vol. 26 No. 4, pp. 454-471.



Emerald Publishing Limited

Copyright © 2018, Emerald Publishing Limited

Related articles