What Users Want: Adapting Qualitative Research Methods to Security Policy Elicitation

Recognising that the codes uncovered during a Grounded Theory analysis of semi-structured interview data can be interpreted as policy attributes, this paper describes how a Qualitative Research-based methodology can be extended to elicit Attribute-Based Access Control (ABAC) style policies. In this methodology, user-participants are interviewed, and machine learning is used to build a Bayesian Network based policy from the subsequent (Grounded Theory) analysis of the interview data.
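As an added illustration of the pipeline the abstract describes (coded interview excerpts, codes read as ABAC attributes, a Bayesian network learned from them and queried as a policy), the following Python is example code written for this page, not the paper's own implementation. The network structure (the decision node as parent of each attribute, i.e. a naive-Bayes shape), the Laplace smoothing, the attribute names `requester`, `content`, `context` and all of the sample rows are assumptions constructed for the example; the paper does not state which structure-learning method or attributes it used.

```python
"""Added example: turning Grounded Theory codes into a Bayesian-network ABAC
policy. Not the paper's code; structure and attribute names are assumptions."""
from collections import Counter, defaultdict
from math import prod

ATTRIBUTES = ("requester", "content", "context")   # codes treated as attributes
DECISION = "decision"                              # the access-decision node

# Constructed sample data: each row is one coded interview excerpt, e.g. a
# participant describing when they would share a photo. Attribute names and
# values are hypothetical, chosen to illustrate the method.
CODED_EXCERPTS = [
    {"requester": "family",   "content": "photo",    "context": "home",   "decision": "share"},
    {"requester": "family",   "content": "photo",    "context": "home",   "decision": "share"},
    {"requester": "family",   "content": "location", "context": "home",   "decision": "share"},
    {"requester": "friend",   "content": "photo",    "context": "public", "decision": "share"},
    {"requester": "friend",   "content": "location", "context": "public", "decision": "deny"},
    {"requester": "stranger", "content": "photo",    "context": "public", "decision": "deny"},
    {"requester": "stranger", "content": "location", "context": "public", "decision": "deny"},
    {"requester": "stranger", "content": "photo",    "context": "home",   "decision": "deny"},
    {"requester": "employer", "content": "location", "context": "work",   "decision": "deny"},
    {"requester": "employer", "content": "photo",    "context": "work",   "decision": "share"},
]


def learn_policy(rows, alpha=1.0):
    """Learn the CPTs of the network decision -> attribute_i (assumed structure).
    Maximum likelihood with Laplace smoothing `alpha`, so an attribute value
    that only ever co-occurred with one decision does not get probability 0."""
    domains = {a: sorted({r[a] for r in rows}) for a in ATTRIBUTES + (DECISION,)}
    decision_counts = Counter(r[DECISION] for r in rows)
    joint = defaultdict(Counter)        # joint[(attr, decision)][value] -> count
    for r in rows:
        for a in ATTRIBUTES:
            joint[(a, r[DECISION])][r[a]] += 1

    n = len(rows)
    prior = {d: (decision_counts[d] + alpha) / (n + alpha * len(domains[DECISION]))
             for d in domains[DECISION]}
    cpt = {}
    for d in domains[DECISION]:
        for a in ATTRIBUTES:
            denom = decision_counts[d] + alpha * len(domains[a])
            cpt[(a, d)] = {v: (joint[(a, d)][v] + alpha) / denom for v in domains[a]}
    return {"domains": domains, "prior": prior, "cpt": cpt}


def decision_posterior(model, observed):
    """P(decision | observed attributes). Attributes absent from `observed` are
    marginalised out, which under this structure means they add no factor.
    A value never seen in the coded data raises ValueError: the interview
    analysis produced no code for it, so the elicited policy cannot speak to it."""
    for a, v in observed.items():
        if a not in ATTRIBUTES or v not in model["domains"][a]:
            raise ValueError(f"no code for {a}={v!r}")
    unnorm = {}
    for d in model["domains"][DECISION]:
        unnorm[d] = model["prior"][d] * prod(model["cpt"][(a, d)][v]
                                             for a, v in observed.items())
    z = sum(unnorm.values())
    return {d: p / z for d, p in unnorm.items()}


def authorise(model, observed, threshold=0.5):
    """Policy decision: permit when P(share | attributes) >= threshold.
    Fails closed (deny, no posterior) on attribute values the policy has no code for."""
    try:
        post = decision_posterior(model, observed)
    except ValueError:
        return False, None
    return post["share"] >= threshold, post


if __name__ == "__main__":
    model = learn_policy(CODED_EXCERPTS)
    for request in ({"requester": "stranger", "content": "photo"},
                    {"requester": "family", "content": "location", "context": "home"},
                    {"requester": "journalist"}):
        permitted, post = authorise(model, request)
        print(request, "->", "PERMIT" if permitted else "DENY", post)
```

Two design points worth noting. First, smoothing matters for a policy learned from a small interview corpus: without it a single unseen combination would yield a hard zero and silently dominate every decision. Second, `authorise` fails closed when a request carries a value the analysis never coded; a new value is a signal to return to the interview data, not something the learned policy should guess about.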
