A grounded theory approach to security policy elicitation

Simon N. Foley (LabSTICC, IMT Atlantique Bretagne – Pays de Loire, Cesson Sevigne, France)
Vivien Rooney (LabSTICC, IMT Atlantique Bretagne – Pays de Loire, Cesson Sevigne, France)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 8 October 2018

Abstract

Purpose

In this paper, the authors consider how qualitative research techniques that are used in applied psychology to understand a person’s feelings and needs provide a means to elicit their security needs.

Design/methodology/approach

Recognizing that the codes uncovered during a grounded theory analysis of semi-structured interview data can be interpreted as policy attributes, the paper develops a grounded theory-based methodology that can be extended to elicit attribute-based access control style policies. In this methodology, user-participants are interviewed and machine learning is used to build a Bayesian network-based policy from the subsequent (grounded theory) analysis of the interview data.

Findings

Using a running example – based on a social psychology research study centered around photograph sharing – the paper demonstrates that in principle, qualitative research techniques can be used in a systematic manner to elicit security policy requirements.

Originality/value

While in principle qualitative research techniques can be used to elicit user requirements, the originality of this paper is a systematic methodology and its mapping into what is actionable, that is, providing a means to generate a machine-interpretable security policy at the end of the elicitation process.

Acknowledgements

The authors thank Simon O’Donovan who prototyped the Android photograph sharing assistant for his UCC bachelor’s degree project. This work was supported, in part, by Science Foundation Ireland grant SFI/12/RC/2289 and by the Cyber CNI Chair of Institute Mines-Télécom, which is held by IMT Atlantique and supported by Airbus Defence and Space, Amossys, EDF, Orange, La Poste, Nokia, Société Générale and the Regional Council of Brittany; it has been acknowledged by the French Centre of Excellence in Cybersecurity.

Citation

Foley, S.N. and Rooney, V. (2018), "A grounded theory approach to security policy elicitation", Information and Computer Security, Vol. 26 No. 4, pp. 454-471. https://doi.org/10.1108/ICS-12-2017-0086

Publisher

Emerald Publishing Limited

Copyright © 2018, Emerald Publishing Limited