Requirements for evaluating security policies in security organizations

The purpose of this research is to formulate the requirements for evaluating security policies in security organizations and to answer the main question: What are the requirements for evaluating security policies in these organizations? The research is applied in nature and is considered a descriptive-contextual study in terms of method. Data collection was conducted through library and field methods and using in-depth and targeted interviews with 30 experts familiar with the subject. To confirm the validity of the interview, the formal and content methods were used, and to confirm its reliability, the holistic method was used. Data analysis was conducted using the open coding method and through the Maxqda2020 software. From the interviews conducted, 170 common components were obtained between the two coders, and after analysis by the software, 43 components (in the field of evaluating security policies) were categorized and confirmed. Based on the results of the research, the evaluation of security policies was categorized into two areas: the evaluation of the method of implementing security policies and the evaluation of the impact of security policies. In the area of the evaluation of the method of implementing security policies, 14 components were identified, and in the area of the evaluation of the impact of security policies, 29 components were identified.