What Users Want: Adapting Qualitative Research Methods to Security Policy Elicitation

  title={What Users Want: Adapting Qualitative Research Methods to Security Policy Elicitation},
  author={Vivien M. Rooney and Simon N. Foley},
  • V. Rooney, S. Foley
  • Published in CyberICPS/SECPRE@ESORICS 14 September 2017
  • Computer Science
Recognising that the codes uncovered during a Grounded Theory analysis of semi-structured interview data can be interpreted as policy attributes, this paper describes how a Qualitative Research-based methodology can be extended to elicit Attribute Based Access Control style policies. In this methodology, user-participants are interviewed, and machine-learning is used to build a Bayesian Network based policy from the subsequent (Grounded Theory) analysis of the interview data. 



From Paternalistic to User-Centred Security: Putting Users First with Value-Sensitive Design

It is shown that engagement with, and adherence to security, are mediated by user values, and that it is necessary to model those values to understand the nature of security’s failures and to design viable alternatives.

Qualitative Analysis for Trust Management : Towards a Model of Photograph Sharing Indiscretion

Grounded Theory provides a useful approach for eliciting and justifying subjective characteristics of individuals. A Grounded Theory analysis is carried on individuals who share pictures, with a view

InterViews: Learning the Craft of Qualitative Research Interviewing

List of Boxes, Figures, and Tables Preface to the Third Edition Acknowledgments About the Author Introduction 1. Introduction to Interview Research Conversation as Research Three Interview Sequences

Some guidance on conducting and reporting qualitative studies

Action-oriented classification of families' information and communication actions: exploring mothers' viewpoints

This study investigates the nature of their everyday information and communication needs and the different knowledge and information transfer actions that were discovered in their families and generates a taxonomy which can help in providing enhanced individual services and family-centred design models.


I n t e rviews are conducted talking to an informant, either directly or on the telephone. Individual opinions and subjective pre f e rences about p roducts can be collected. The interview can be

Over-exposed?: privacy patterns and considerations in online and mobile photo sharing

In a first-of-its-kind study, context-aware camerephone devices are used to examine privacy decisions in mobile and online photo sharing and identify relationships between location of photo capture and photo privacy settings.

Analyzing Regulatory Rules for Privacy and Security Requirements

The methodology provides statement-level coverage for an entire regulatory document to consistently identify and infer six types of data access constraints, handle complex cross references, resolve ambiguities, and assign required priorities between access rights and obligations to avoid unlawful information disclosures.

Properties of Confidentiality Requirements

  • A. OnabajoJ. Weber
  • Computer Science
    19th IEEE Symposium on Computer-Based Medical Systems (CBMS'06)
  • 2006
The study is described to identify key confidentiality properties, which will enable precise specification of confidentiality requirements, and result in good "confidentiality-aware" systems.

Distilling privacy requirements for mobile applications

A Privacy Requirements Distillation approach is developed that employs a problem analysis framework to extract and refine privacy requirements for mobile applications from raw data gathered through empirical studies involving end users.