A grounded theory approach to security policy elicitation

In this paper, the authors consider how qualitative research techniques that are used in applied psychology to understand a person’s feelings and needs provide a means to elicit their security needs.

Recognizing that the codes uncovered during a grounded theory analysis of semi-structured interview data can be interpreted as policy attributes, the paper develops a grounded theory-based methodology that can be extended to elicit attribute-based access control style policies. In this methodology, user-participants are interviewed and machine learning is used to build a Bayesian network-based policy from the subsequent (grounded theory) analysis of the interview data.

Using a running example, based on a social psychology research study centered around photograph sharing, the paper demonstrates that, in principle, qualitative research techniques can be used in a systematic manner to elicit security policy requirements.

While in principle qualitative research techniques can be used to elicit user requirements, the originality of this paper is a systematic methodology and its mapping into what is actionable, that is, providing a means to generate a machine-interpretable security policy at the end of the elicitation process.
