Systematic Literature Review on Security Access Control Policies and Techniques Based on Privacy Requirements in a BYOD Environment: State of the Art and Future Directions

: The number of devices connected within organisational networks through ”Bring Your Own Device” (BYOD) initiatives has steadily increased. BYOD security risks have resulted in signiﬁ-cant privacy and security issues impacting organisational security. Many researchers have reviewed security and privacy issues in BYOD policies. However, not all of them have fully investigated security and privacy requirements. In addition to describing a system’s capabilities and functions, these requirements also reﬂect the system’s ability to eliminate various threats. This paper aims to conduct a comprehensive review of privacy and security criteria in BYOD security policies, as well as the various technical policy methods used to mitigate these threats, to identify future research opportunities. This study reviews existing research and highlights the following points: (1) classiﬁcation of privacy and security requirements in the context of BYOD policies; (2) comprehensive analyses of proposed state-of-the-art security policy technologies based on three layers of security BYOD policies, followed by analyses of these technologies in terms of the privacy requirements they satisfy; (3) technological trends; (4) measures employed to assess the efﬁcacy of techniques to enhance privacy and security; and (5) future research in the area of BYOD security and privacy.


Introduction
The bring your own device (BYOD) paradigm, which allows employees to connect their mobile devices to the organization's network, rapidly changes organisational operations by enhancing flexibility, productivity, and effectiveness [1].Despite these advantages, security concerns continue to affect organisational environments [2] and introduce security challenges and significant security risks [2].One of the primary concerns with BYOD is the need for more control over employee devices.Personal devices have different security measures and software updates from company-issued devices.This disparity exposes vulnerabilities that attackers could exploit, resulting in data breaches or unauthorized access to sensitive information [3].In addition, the variety of devices in a BYOD environment complicates the implementation of standard security policies.Different operating systems, versions, and security configurations must be considered by organizations, making it challenging to implement uniform security measures across all devices [4].This variation heightens the possibility that cybercriminals will exploit security gaps or obsolete security software.
Furthermore, when personal devices are used for work-related purposes, the possibility of mixing personal and business information increases.This mixing of data poses the risk of data leakage or inadvertent disclosure.It becomes more difficult for organizations on these devices to ensure that sensitive information is adequately protected and segregated from personal files.The BYOD direction also raises concerns about the possibility of device loss or theft.If an employee's device containing sensitive company information is lost or stolen, the risk of unauthorised access to that information increases [5].
To address these risks, organisations can effectively manage BYOD usage by implementing security access control and security policy technologies that address these vulnerabilities and obstacles [6].However, there are significant gaps between the security offered by current BYOD access control policies and the desired outcomes [7].Rhee et al. [8] provide fundamental access control policies that address security and privacy issues in three primary categories: authenticity, confidentiality, and integrity.These policies encompass network access control policies, mobile access control policies, mobile information management policies, mobile application management policies, and enterprise mobility management policies.Initially, these policies assisted organisations in managing and governing BYOD devices effectively.Nonetheless, the increasing complexity of attacks targeting BYOD devices and networks [8][9][10] has rendered these policies and the security requirements they fulfil insufficient [11,12].To adequately meet the security and privacy requirements of BYOD, it is essential to adopt integrated and comprehensive BYOD security policies, emphasising the implementation of three-tiered policies and a thorough understanding of security and privacy requirements, as mentioned by Bello et al. [13] in their work on consumerization.
There have been few systematic reviews of the security of BYOD, as seen in Table 1.However, most earlier research has systematically ignored examining security and privacy needs in the BYOD context.Additionally, previous survey studies have yet to investigate the most commonly used security policy techniques based on a three-tiered BYOD policy architecture with the appropriate technology to fulfill security and privacy requirements.For instance, in [14], Oktavia et al. presented a survey on privacy concerns and BYOD challenges.This study examined these issues in depth.However, the analysis of policy mechanisms based on security and privacy requirements was not included and was limited to raising concerns.
Similarly, Jamal et al. [15] surveyed BYOD authentication techniques, focusing on authenticity criteria while giving less attention to other security and privacy criteria.The term "other security and privacy criteria*" indicates additional privacy requirements in BYOD security, such as confidentiality, integrity, availability, authenticity, privacy preservation, non-repudiation, and attack detection.Furthermore, Palanisamy et al. [16] presented a thorough review of compliance theories that are used to interpret and predict security practices in the Bring Your Own Device (BYOD) sector.However, they did not conduct an assessment of technologies in relation to security and privacy standards.Instead, their primary focus was largely on the theoretical aspects of the subject.Additionally, Wani et al. [17] highlighted significant security problems associated with hospital BYOD practices but did not extensively address the identified concerns by analyzing technologies.While several survey studies have contributed to understanding BYOD's privacy and security challenges, most of them have provided limited information on the inherent privacy and security concerns of BYOD.Furthermore, many of these studies examined only a subset of the problem or conducted a review during the early stages of BYOD adoption.In [18], the researchers conducted a comprehensive review of attack detection strategies that utilize machine learning.However, they did not delve into other aspects related to privacy needs.To put it another way, while they extensively studied how machine learning can be used to identify cyber attacks, they did not explore other crucial components of privacy, such as data protection, anonymity, and user consent.Table 1 provides an overview of the main focus and limitations of some of the earliest (pre-2023) literature on BYOD security.Overall, while these studies have made strides in offering access control solutions and risk analyses, they exhibit limitations.Particularly, they do not critically evaluate the studies in terms of their contribution to satisfying the privacy requirements essential for BYOD systems.
Table 1.Focus and limitations of some of the key older (pre-2023) publications.[14,17,19,20] Focused on discussing risks and security issues related to BYOD.

Concentrate on Limitations
Not comprehensive for all security and privacy requirements and access control based on three layers.[15] Focused on techniques connected to the authenticity criteria.
Other * security and privacy criteria received less attention.
Not analysing technologies based on privacy criteria.[21] Classification scheme for proposed solutions based on identified security issues.
Not analysing technologies based on privacy criteria.[18] Mapping review of attack detection strategy based on machine learning.
Other * security and privacy requirements were ignored.
* indicates additional privacy requirements in BYOD security.
Therefore, this paper extensively reviews security policies and access control in three security policy layers.It evaluates the effectiveness of existing security policies and access control mechanisms in meeting privacy requirements.The study contributes to understanding privacy-focused security measures in BYOD environments and informs future research and improvements in security policies and access control strategies.To ensure a systematic approach, we developed a review protocol that outlines the critical phases necessary to achieve the objectives of this study.The paper focuses on seven critical security and privacy criteria within the three layers of secure BYOD control policies designed for enterprises adopting BYOD practices.These criteria include confidentiality, integrity, availability, authenticity, privacy preservation, non-repudiation, and attack detection.Achieving these criteria ensures the system can eliminate potential privacy and security vulnerabilities and comply with regulatory guidelines [5,22].The process of this study will ensure unbiased data retrieval and thorough search procedures.The contributions of this study to the overall review can be summarized as follows: • Identifies privacy and security criteria needed in the BYOD policy setting.

•
Analyses existing policy techniques based on privacy and security requirements in three security policy layers.• Introduces a novel taxonomy that categorizes policy techniques into three layers according to their alignment with privacy and security requirements.This taxonomy provides a structured framework for understanding and organizing policy techniques, contributing to the existing knowledge in the field.

•
Identifies and discusses the current trends in technology related to policy techniques by examining the technological advancements within each layer.

•
Addresses the measures used to evaluate the effectiveness of policy techniques, mainly through performance analysis, by discussing these evaluation measures.

•
Presents a comprehensive evaluation of policy techniques' technical advantages and limitations by highlighting the strengths and weaknesses of each technique.

•
Identifies potential areas for future research and improvement in policy techniques.By pointing out the gaps and limitations in the existing techniques, the paper stimulates further exploration and encourages researchers to develop innovative approaches to address the identified challenges.
The remainder of the article is divided into the following sections: Section 2 presents the background information, while Section 3 compares the conventional BYOD security approach with the desired state and examines BYOD security policies across the three layers of BYOD architecture policy.Section 4 provides an overview of the privacy and security requirements for the development of security policies.The methodology for conducting a systematic literature review is presented in Section 5.The data analysis process is detailed in Section 6, followed by a discussion of critical findings in Section 7. Section 8 highlights open research issues, and Section 9 concludes the paper.

Background and Related Concepts
This section examines the security and privacy challenges posed by the bring your own device (BYOD) environment and introduces the fundamental concepts that will be investigated in this study.

BYOD Risks
The expanding adoption of BYOD raises notable privacy and security concerns.According to a report by Hewlett-Packard [13], employees now utilize multiple mobile devices at work, creating a situation where their activities are invisible and untraceable to the IT department.Consequently, this trend poses various challenges and security threats for enterprises.
Firstly, the need for clear security expectations is a primary challenge, resulting in costly consequences, particularly when inexperienced personnel are entrusted with data security.Moreover, phishing attacks pose a serious risk by compromising employee devices and company information.Using unsecured Wi-Fi networks outside the office further amplifies security risks, as highlighted by Kaspersky Lab [23].Additionally, malware infections and unauthorized app installations pose additional threats [23,24].Lastly, the BYOD trend raises concerns about employees accessing social media during work hours, potentially violating company policies.
These risks associated with BYOD significantly impact organizational security, giving rise to various challenges.These challenges include implementing security policies across different BYOD operating systems and devices, effectively managing numerous BYOD devices within the organization, securing BYOD devices, tracking their activities, and monitoring their usage outside of work hours [24].To address the above challenges, access control policies and technologies play a crucial role in mitigating risks and meeting the privacy requirements of the BYOD environment.
As a result, this study aims to investigate appropriate access control solutions and privacy requirements within the three layers of the BYOD security architecture.The objective is to effectively tackle the privacy and security issues associated with BYOD.

Security Challenges
The term "security", in the context of an organization, pertains to the safeguarding of valuable assets, including information, resources, processes, and records [13].Companies that prioritise security allocate significant resources to establish an effective information security system to protect their data.However, despite these efforts, they remain a target for various threats [25].
Managing security poses challenges for large corporations with multiple departments or small branches sharing the same network.In the latter scenario, this structure makes it easier for cybercriminals to target small branches before moving on to headquarters.Security plays a crucial role in supporting organizational operational processes and methods.Therefore, organizations must protect confidential information from potential threats or harm resulting in damage, loss, modification, or unauthorized disclosure.
According to Whitman and Mattord [26], an organisation's security should be a complex system that includes computer systems supporting the organisational environment, software applications and databases securing data, as well as policies, procedures, training, and other human-reliant components.The primary objective of securing an organization's critical information resources and assets is to implement security policies across three layers: onboarding access control, authentication access control, and risk access control policies utilizing related technologies [13].
Whitman and Mattord further suggest that the objectives of security policies should encompass the protection of confidentiality, integrity, and availability of information-reliant entities and information-delivering systems, ultimately fulfilling privacy requirements [26].
Hence, confidentiality, integrity, and availability objectives are essential for accomplishing security policy objectives.

Privacy Challenges
Privacy is the behaviour or attitude of a company toward protecting its information resources and the personally identifiable information of its customers [27].Organisations are increasingly leaking personal information, either deliberately or due to compromised information systems.Users of BYOD devices express concerns about their ability to manage personal data and trust organizations to protect their users.According to Johnston and Anna [28], there has been an ongoing debate on whether individuals should sign contracts with organizations to manage and safeguard their information or if it should be the responsibility of the enterprise to protect individual privacy.According to various publications, organisations devote regular financial resources to implementing safeguards and information privacy programmes to protect information from leaks and other threats.However, they fail to effectively utilise these protections and programmes [29].This strategy can easily result in privacy breaches, which have historically been a significant concern.The primary objective of these hacking attacks is to steal, delete, or alter sensitive information.Organisations must recognise the significance and necessity of protecting personal data because it presents various privacy issues, risks, and other data breaches.New, difficult-to-detect vulnerabilities are generated for hackers as technology progresses and becomes more sophisticated [30].BYOD has and will continue to raise concerns about data and user privacy.

Security Policies
Security policies refer to the rules established by organizational leaders to ensure the appropriate level of security is aligned with the organization's needs.The access control policy is crucial in safeguarding the organization's data and resources against internal and external threats, reducing vulnerability to cyber and physical attacks.Each access control type employs specific security techniques to meet the organization's security and privacy requirements, which will be discussed in detail in Section 3.2.

Security Technologies
Security technologies encompass control policies across various technological components to fulfil privacy and security requirements within the BYOD organizational environment.These technologies cover devices, information, applications, and communication.Each layer of the BYOD security architecture incorporates access policies and technologies that address specific security and privacy needs.For instance, the identification access control policy employs a variety of mechanisms, such as authentication algorithms or other technologies, to carry out authentication and authorization functions.Section 3.2 will comprehensively explain these techniques, where the control policies and techniques associated with each access control policy will be discussed.

Privacy and Security Requirements
Privacy and security requirements define the security standards that policies and technologies in the BYOD context should meet.Standard terms include confidentiality, integrity, availability, non-repudiation, authentication, privacy preservation, and attack detection.The rationale for selecting these requirements and the underlying concepts will be discussed in Section 4.

Comparison Traditional Access Control vs. Security Access Control Based on Three Layers
This section will highlight the primary differentiation between traditional BYOD security policies and contemporary approaches to BYOD security, as depicted in Figure 1.According to Macaraeg [31], traditional security policies primarily focus on protecting devices, networks, data, and applications.These policies encompass network access control, mobile device management, mobile application management, and enterprise mobility management policies, as described in more detail in Section 3.1.While these access control policies may provide security mechanisms and solutions to protect the company's network, data, and devices, they often overlook risk control access policies.Consequently, they fail to meet the requirement for attack detection.To address this limitation, Bello et al. [1] proposed an enhanced BYOD access control approach based on three security layers, aiming to comprehensively address security and privacy requirements that fulfill organizational security needs and user privacy.This three-layered protection approach, as described in Section 3.2, includes an access control policy and corresponding mechanism within each layer.A comparison between this security approach and traditional security policies and their respective shortcomings is outlined in Table 2: • Traditional security approaches are often deemed insufficient and potentially vulnerable in providing the required level of protection [1,31].For example, network access control policies in traditional security heavily rely on mobile device management (MDM) technology for authenticating and managing BYOD devices within the organization.In contrast, ideal BYOD security emphasizes identification access control methods, such as biometrics and two-factor authentication.Additionally, ideal security policies for information protection encompass advanced measures like communication access control, encryption, virtual private networks (VPNs), and data wiping.On the other hand, traditional security approaches utilize mobile information management (MIM) to enforce information management policies.

•
Traditional security policies lack the inclusion of risk access control policies, despite their importance in BYOD security, as recommended by Bello et al. [1].

•
Traditional security policies fall short in adequately addressing all privacy requirements due to limitations in policy techniques and defense mechanisms [31].These limitations serve as a motivation to address the challenges surrounding privacy and security and enhance security policies through the implementation of three layers of security policies, thus meeting the privacy requirements of BYOD security.Comprehensive for the privacy requirements that the BYOD needs.

Traditional Security-Based Fundamental Access Control Policy Approaches
This section highlights and discusses several traditional management approaches and techniques utilised to control the security of organisational resources and avoid security risks to manage employee devices at work effectively.These management approaches can assist as security mechanisms, or solutions, that protect corporate networks, data, and devices while considering employees' privacy rights.The fundamental security policy approach for BYOD includes network access control policies, mobile device management policies, mobile application management policies, and enterprise mobility management policies.These access control policies may provide security mechanisms or solutions.Their shortcomings are detailed below.

Network Access Control Policy (NAC)
This technique focuses on the management and control of access to enterprise networks.NAC controls the devices that access the corporate network and provides secure and regulated network access to various devices from various locations.In addition, NAC can implement authentication and encryption security controls and integrate MDM tools into the network infrastructure to manage network services and resources and monitor the entire network.This strategy uses virtual local area network (LANs)to reduce network traffic by classifying users according to access control policies or functions [13].Some network BYOD solutions, such as those developed by Cisco and Meru Networks, recommend BYOD management through network methods [13].However, NAC is subject to the following limitations: MDM, which manages and controls mobile devices, is based on a product or software platform [32].MDM controls apps, cameras and the cloud on staff devices.Google Device Manager, Apple Profile Manager and Microsoft Exchange ActiveSync are among MDM technologies [13,33].Organisations may use MDM to monitor, manage and secure mobile devices in the workplace by enforcing security requirements and ensuring devices conform to these regulations.The MDM approach can manage desktops, mobile devices and servers using the same tools.In addition, it can enforce device access regulations for all devices attached to the MDM platform.However, it has certain limitations, including:

•
There is a limit on the number of devices and operating systems.• Personal and corporate data might be combined.• Third-party apps are required to utilise MDM functionalities fully.

Mobile Application Management Policy (MAM)
This differs from the MDM approach in that it controls, manages, and secures only specific enterprise software instead of the entire device.Consequently, a corporation may utilise MAM to protect and control email apps and other corporate applications on the mobile devices of its workers [33].For instance, ZixOne is a mobile application that offers a BYOD solution, providing management access to business email via secure email encryption features [34].

Enterprise Mobility Management Policy (EMM)
This integrates MDM, MAM, and MIM capabilities.It is a solution for BYOD security that handles all devices, apps and data [34].Enterprise mobility management EMM distinctive characteristics include separating work and personal data on the same device, managing threats proactively, and providing an application store for business apps.However, the EMM strategy has drawbacks such as:

•
It combines all of the limitations and challenges of the strategies previously discussed.

•
The user experience and satisfaction with BYOD may be compromised by this solution.• By employing data separation techniques such as containers, corporate data can be vulnerable to security threats.

Mobile Information Management Policy (MIM)
MIM focused on managing BYOD-based data and documents that synchronise across many devices [33].Mobile information management (MIM) is a device-independent security strategy that encrypts sensitive data and permits only authorised applications to access or transmit it.Mobile information management faces significant obstacles in enterprise mobility management.

Security Access Control Based on Three Layers (Ideal Security Policy)
This section will introduce the architecture of security policy layers and the control mechanisms present at each layer.According to Bello et al. [1], the security policy of BYOD is divided into three layers that organisations can manage to support comprehensive BYOD device management and security.These layers consist of the operational, tactical, and strategic layers.Figure 2 shows the three-layer BYOD policy.Each layer has a security control function and works with the other layers to manage BYOD information security and privacy.In addition, the protection function of each layer has many security control mechanisms.Bello et al. confirm in [1] that the three layers should be considered when implementing access control solutions between an organization's resources and BYOD devices in order to protect the environment from security and privacy threats, where each layer function is complementary to the function of the other layer to obtain optimal and comprehensive security, in addition to achieving the privacy and security requirements that the BYOD strategy needs, which include confidentiality, integrity, availability, authenticity, privacy preservation, non-repudiation, and attack detection.The operational layer is the primary layer, which focuses on the service level agreement (SLA) that the system owner proposes for the agreement's policies; also, BYOD users register their devices as an initial step.Following that, secure BYOD access control should be added to the tactical layer of policies concerned with authentication and confidentiality of the communication channel between the organization's resources and devices.Finally, applications should be subject to safe control policies.In addition, the strategic layer, an essential addition to the previous two, is responsible for detecting and monitoring employee-device-based attacks.Therefore, if organisations adopt a three-layer policy approach, they will achieve a more secure, competitive environment than traditional policies.

Operational Layer
This layer encompasses onboarding access control, which facilitates the identification of authorized users who can access the organization's resources and network through their BYOD devices [1].Within this layer, two key security functions are performed.Firstly, device account registration control allows users to create and register their accounts, requiring verifiable information such as employee ID, job role, and assigned services.Secondly, a service level agreement (SLA) is established, requiring BYOD users to agree to the terms of use and assume responsibility for the information and services provided by the corporate system.

Tactical Layer
The second layer, known as the tactical layer, encompasses a BYOD policy that focuses on authentication through access control, consisting of three key functions [1].Firstly, the identification access control policy establishes access controls for BYOD devices to safeguard an organization's information services and resources from unauthorized access.Within BYOD ecosystems, activities such as illegal use or inappropriate communication in information-sensitive applications, including password authentication, authorization, and network segmentation, are strictly prohibited.
The second function is the security communication policy, also known as data protection.Its objective is to ensure the protection of confidential data while enabling secure and protected access, sharing, and transfer between BYOD devices and the organizational infrastructure.Various security control mechanisms, such as encryption, virtual private networks (VPN), data wiping, and data backup, are employed to achieve data confidentiality.
Thirdly, the application control policy is responsible for safeguarding organizations that adopt BYOD from malicious applications.The application management policy aims to prevent any confusion between personal and business data, allowing the exchange of data between personal and company applications on BYOD devices.Control mechanisms such as virtualization, licensing, application blocklisting, application whitelisting, and containerization support this layer.
Overall, the tactical layer addresses multiple security requirements, including confidentiality, integrity, and prevention of unauthorized access.

Strategic Layer
The third layer, referred to as the strategic layer, encompasses a risk control policy known as risk-based access control.This policy focuses on safeguarding both BYOD devices and organizational resources from malware attacks, unauthorized access, and attacks originating from or transmitted through BYOD devices.It plays a critical role in detecting, preventing, and monitoring risks.Intrusion prevention systems (IPS) and intrusion detection systems (IDS) are examples of systems utilized within this layer to achieve these objectives [1].

Overview of the Privacy and Security Requirements in a BYOD Environment
Privacy requirements are the set of security and privacy requirements that BYOD security policies should achieve to provide sufficient security.Every decision made by BYOD users within an organisation is influenced by security and privacy, including permitting email on a personal device.However, this could expose the organisation to numerous risks and data loss.Employees are also concerned about how much personal data employers can access and use to control their devices, although enterprises are authorised to protect company data.Therefore, privacy requirements are insufficient for the organization's and BYOD users' security.The security access control in BYOD should consider the privacy and security requirements of both the organisation and BYOD users.Several security models have been proposed to overcome these challenges and concerns, including the CIA triad, which refers to confidentiality, integrity, and availability and is designed to guide information security policies that include confidentiality, integrity, and availability within an organisation.Also, the IAS-Octave has confidentiality, integrity, availability, accountability, auditability, authenticity, trustworthiness, non-repudiation, and privacy preservation.
The conventional CIA triad framework is inadequate for addressing emerging threats in shared environments such as BYOD, as evidenced by Mosenia and Ioannis's research [35].The introduction of BYOD exposes organizations to various security risks, including email phishing attacks, embedded viruses in applications, and denial-of-service incidents.Consequently, the CIA triad framework fails to meet evolving security and privacy requirements, necessitating an upgrade to the more comprehensive IAS-Octave standard.Yahuza et al. [22] propose a combined approach that integrates the privacy requirements of the CIA triad model and the IAS-Octave model, as depicted in Figure 3.This upgraded model incorporates the IAS-Octave security requirements and introduces additional attack detection requirements.Muktar et al. [22] further suggest enhancing security and privacy requirements in edge computing, comprising eight essential privacy requirements, including the CIA and IAS-Octave standards, attack detection, and reliability.Adopting this same model while excluding the reliability requirement is advisable for BYOD security, as previous studies have not emphasized its significance, prioritizing other security and privacy requirements [1].In the forthcoming sections, we will investigate each component of this model to improve privacy requirements and investigate their relevance to BYOD security.

CIA Triad Criteria Security and Privacy Requirements
The CIA triad, which encompasses the principles of confidentiality, integrity, and availability, serves as a fundamental model for the development of security systems [16].These three categories, confidentiality, integrity, and availability, have traditionally formed a classification system for security and privacy requirements [16].For several reasons, it is essential to include these requirements within the privacy guidelines for BYOD.Firstly, confidentiality plays a critical role in ensuring security and privacy [36].Its primary objective is to prevent unauthorized access to sensitive company information.Cybersecurity issues may arise because BYOD devices and enterprises are connected to the internet.For instance, the man-in-the-middle (MITM) attack represents one of the threats targeting the security of BYOD users.This attack aims to intercept and steal information exchanged between two parties.Secondly, the integrity requirement ensures that data is only accessible to authorized BYOD devices and remains unmodified.Preserving data integrity becomes challenging in BYOD scenarios, as the organization loses visibility and control when a BYOD device operates outside its network, leading to potential data corruption or loss [37].Therefore, integrity is a fundamental security requirement for organizations employing BYOD devices [38].Lastly, availability emphasizes the continuous accessibility of devices, data, and resources, ensuring that BYOD devices always have secure access to services.In cases of an unexpected surge in data traffic volume, client-server communications may suffer from data loss [39].

IAS-Octave Security Criteria and Privacy Requirements
The IAS-Octave classification extends the CIA triad framework by introducing additional security requirements: accountability, auditability, trustworthiness, non-repudiation, and privacy preservation [22].Accountability and auditability contribute to establishing trustworthiness, which is closely associated with the authenticity requirement.Alternatively, it has been proposed that these three requirements can be combined to form the concept of authenticity [22].Therefore, authenticity is essential to the standard set of privacy and security requirements for BYOD.It ensures accurate monitoring and verification of BYOD users' identities, establishing trust between BYOD devices, organizations, and their resources.Additionally, including privacy-preservation and non-repudiation requirements is crucial as part of the BYOD security framework.Privacy preservation ensures the security and monitoring of all information, end users, networks, and resources involved in the organization's BYOD implementation.On the other hand, non-repudiation guarantees that a BYOD device cannot later deny its signature's validity or an event that occurred within the organization.This requirement aids in tracing the origin of any BYOD device that poses security issues [40].Thus, the privacy requirements for BYOD are derived from the CIA triad model and supplemented with three additional standards from the IAS-Octave framework: privacy preservation, non-repudiation, and authenticity.

Addition of Attack Detection Requirements
In the context of BYOD devices, "attack detection" refers to identifying and mitigating potential threats.When employees bring their devices to the office and connect them to the wireless network, there is a risk of theft and other malicious activities.Security threats such as phishing, malware, and potentially spreading infected devices through BYOD can compromise a company's security [41].Hence, the security and privacy requirements for BYOD should include provisions for attack detection.Attack detection requirements are necessary to meet the required level of security by identifying and preventing attacks before they occur [42].Also, Bello et al. [1] highlight the importance of incorporating attack detection requirements into BYOD security policies, particularly concerning risk access control policies discussed in a previous section.Attack detection requirements are intrinsically linked to risk-based access control policies, as illustrated in Figure 3.The attack detection criteria should be integrated into the existing privacy requirements and are crucial as they address the negative aspects of implementing the BYOD concept in organizations.This helps mitigate significant challenges such as attacks, risks, unauthorized access, data leakage, and user privacy concerns.By incorporating attack detection along with privacy and security requirements, organizations can effectively tackle these challenges and enhance the security of their BYOD environments.This study examines access control policies and techniques in the context of BYOD based on the privacy requirements that have been met.The aim is to determine the privacy requirements that have been thoroughly examined and to encourage researchers to enhance and propose techniques that align with privacy requirements that may need more attention and require further investigation.Table 3 comprehensively describes the privacy criteria that will be evaluated during the review process.Furthermore, Figure 3 illustrates the advancements in privacy and security requirements for BYOD security.Table 3. Security and privacy requirements in the BYOD environment [22].

Confidentiality
Ensures that unauthorized individuals are prevented from accessing shared data within BYOD-enabled organizations.

Integrity
Ensures that data is delivered exclusively to authorized BYOD devices without any unauthorized modifications.

Authenticity
Ensures accurate monitoring and verification of BYOD users' identities, fostering trust between the BYOD devices, organizations, and their resources.

Nonrepudiation
Ensures accurate monitoring and verification of BYOD users' identities, fostering trust between the BYOD devices, organizations, and their resources.

Privacy-Preservation
Ensures the secure and monitored storage of all confidential information related to BYOD devices, including end users.
Attack Detection ensures the timely identification and effective mitigation of any security breaches or threats targeting BYOD devices.

SLR Methodology
This study has conducted a systemic literature review (SLR) following Kitchenham's recommendations [43].The literature analysis process consisted of five steps before the review: Step 1: Define research questions and objectives to give the study a broad scope.
Step 2: Determine a search strategy for published research in available digital libraries.
Step 3: Employ a screening process that uses inclusion and exclusion criteria to decide which studies to include.
Step 4: Perform classification and data extraction, aided by keywording.
Step 5: Extract and map data.
In addition, the preparation, collection, retrieval and implementation processes were conducted to identify any study discrepancies in the previous literature and thereby contribute to the subsequent study.The primary purpose of this search was to find publications that investigated BYOD security policy techniques based on security and privacy requirements.Figure 4 illustrates the measures taken in the methodology of the analysis work.

Research Questions and Objectives
This study aims to highlight the results of existing primary studies published on security policy techniques and privacy in the BYOD environment to identify current trends and open issues in the domain.Table 4 shows our research questions and the objectives of each research question.To identify the currently open issues for privacy and policy issues in BYOD.

Data Search Strategy
All defense policy research, including analysis and technical studies, was thoroughly searched in the BYOD environment.Five major electronic databases, including the Web of Science, IEEE Explore, Wiley, Science Direct and Scopus, were used in the research.The quest was limited to technology, computer technology, informatics, and engineering.In addition, the boundaries of the analysis were limited by the subject areas.The first search was conducted by screening conference papers and journals published between 2015 and June 2022.The search was restricted to the five online electronic databases.To build a search query, specific keywords with similar meanings were used.The queries were then followed up in three phases: title, abstract scanning and reading of the full text.The three phases of an inquiry are detailed below: • "Bring your own device" OR "BYOD" AND "Security Policy" OR "Policy" AND "Security and Privacy" • "Secure*" AND "Policy Techniques " AND "Bring your own device" OR "BYOD" • "Access control" AND "BYOD" OR "Bring your own device" AND "BYOD" OR "Bring your own device"

Criteria for Study Selection
The inclusion criteria were established to ensure well-defined boundaries of the review topics and to facilitate article selection.The search criteria included collecting applicable data from journal articles and conference papers published in public databases from 2015 to June 2022 (see Table 5).There were a total of 2208 posts found initially.These were from Science (485), IEEE Explore (225), Science Direct (727), Scopus (757) and Wiley (16).Next, the title and abstract of the papers were scanned.Following the scan, 2118 papers were found to be outside the scope of the review and were excluded.The remaining 90 papers were subsequently selected through inclusion and exclusion procedures.If an article met the criteria of inclusion set out in Table 5, it was eligible for inclusion.Otherwise, it was excluded.The remaining 92 publications were scrutinised after the full-text review.Several articles were subsequently removed, leaving 74 articles for inclusion.The reason for including these articles was that they addressed the study's objectives, which were access control and policy techniques in terms of three layers and privacy requirements, and they met the established inclusion criteria.

Data Extraction
The 74 papers that met the inclusion criteria were reviewed to summarise relevant data that addressed the research questions.As a result, the following are documented: the authors, the publication year, the type of article, the policy technique under a specific category of security and privacy requirement, the category of technological approaches used and the performance metrics used in evaluating the proposed technique's performance.Additionally, the flaws of each recognised technique provided research opportunities.

Data Analysis
This section examines all the research that fulfilled the inclusion requirements.Section 6.1 describes general data analysis.In addition, Section 6.2 conducts an analysis to address the research questions.According to RQ1,the classification of privacy and security criteria is examined and discussed in this Section 4. This study found that seven security and privacy requirements identified to meet the needs of the BYOD organization's security and privacy users include confidentiality, integrity, availability, non-repudiation, authentication, privacy preservation, and attack detection.The RQ2 is related to analyzing access control techniques based on security and privacy requirements.These were then divided into three categories.The first are techniques that meet one of the security and privacy requirements; the second are techniques that meet more than one requirement; and the third are techniques that do not meet any requirement.In addition to RQ3, which identified policy techniques used to ensure security and privacy requirements that achieved RQ4, evaluate performance measurement, and RQ5, related to performance evaluation metrics, are discussed in detail.

Analysis of General Data
The review included 74 papers from various journals and conference proceedings indexed in five electronic databases.The percentage of papers published from 2015 to 2022 is shown in Figure 5.According to the review results, research on security policy techniques in the BYOD environment only gained popularity in 2017.Fifteen percent and 17 percent of all publications in 2017 and 2018, respectively, were found in journals.Journal articles accounted for 17 percent of all publications identified from review efforts in 2020.From 2021 to December 2022, this rose to 20 percent, suggesting more researchers had become interested in the field.Figure 6 illustrates the distribution of publications throughout the various databases covering a wide range of subjects.WOS provided the majority of the articles, followed by the IEEE database.Scopus was the second most popular database, followed by Science Direct and Wiley, with the lowest percentages.

Analysis of BYOD Security Policy Techniques Based on Privacy and Security Requirements
The purpose of this section is to present an analysis of the results.Firstly, we analysed existing policy techniques based on privacy and security requirements to ensure specific criteria were met.Then, we examined the trends in technical approaches used by the methodologies identified.According to the prior studies of policy techniques in BYOD security, the analysis was divided into three categories based on the privacy requirements they fulfilled.The first group includes technologies that meet one of the privacy requirements, such as techniques that achieve authenticity, confidentiality, and attack detection, as discussed in Section 6.2.1.In the second group, some techniques address more than one requirement, such as confidentiality and authentication, confidentiality and attack detection, and others that combine the requirements for authentication, attack detection, and confidentiality as explained in Section 6.2.2.The third group relates to security policy methods that did not address any of the suggested privacy requirements as stated in Section 6.2.3.Finally, our analysis identifies the performance measures and metrics that evaluate the effectiveness of the techniques discussed in Section 6.2.4.In addition, the tables summarize techniques within specific categories of privacy and security requirements, providing a brief overview of the methodology, the technology used, the performance assessment analysis, the main advantages and the limitations.Table 6 summarises the techniques that address the authenticity requirement.Moreover, the techniques that address confidentiality requirements based on cryptography are summarised in Table 7. Table 8 summarises the techniques that address confidentiality requirements based on isolation.The techniques that address the attack detection requirement are investigated in Tables 9 and 10.Table 11 focuses on approaches that address more than one criterion.Table 12 summarises the technologies that do not meet the privacy as mentioned above and security standards.Finally, Tables 13 and 14 summarises the performance measures and evaluation metrics used to evaluate the effectiveness of the techniques mentioned.Only a limited number of devices and operating systems.
Experiment analysis and real dataset.
Protect against side-channel, shoulder-surfing and single-recording threats.
Experimental analyses, case study.
It eliminates shared password risks.
Increase processing power.
Case study of a Greek school.
Introduces security issues and their resolution.
Secure but vulnerable if authentication policies are simple. [48] Co-proximity authentication protocol(fingerprint sensors and biometric).

Prototype implementation and behavioural, biometric
dataset.
Complex and time-intensive.
Experimental analysis, Case study on campus.
Low-cost, high-performance.Each user's monthly authentication time is limited. [50] Lightweight network access control (NAC) module.

Improves administrator management and
OpenWrt is a free wireless router.
Unsuitable for all systems.
Mathematical analysis.Simple to implement and inexpensive.
It is difficult to do while utilising a mobile phone rather than a laptop because the keyboard is different.

Simulation (computer simulation experimental).
More secure, fast and convenient authentication.

Prototype implementation, synthetic dataset (1000 data access operations).
Most secure BYOD infrastructure control.

Complicated and time-consuming. [54]
Fine-grained security policies (set policy as an individual, group for user and device).

Prototype implementation.
Very low cost.Network address interpretation is weak.

Prototype implementation, (Encryption and decryption for Several files).
Effective in data storage units in enterprises that use BYOD.
Mathematical analyses, a scyther tool for verification.
Secure enterprise network access.

Prototype implementation.
Sets policy rules in the endpoint and achieves confidentiality.
Makes use of the shared key.
Time increase due to sensor data collection and processing to determine attributes.

Prototype implementation and
Private cloud.
It reduces authentication time and information exchange from 3000 ms to 2000 ms using TLS.
It transfers data slowly.

BYODENCE is low-cost
and delivers high accuracy and speed.More complex.

Ref Technology Employed Performance Analysis Advantage Limitation
[61] VNF scheme-based virtualization technique.

Prototype implementation and testing in real word
network.
Improved security, mobility, and response time with virtual and dynamic networks.

Synchronization of physical and virtual
security. [62] Remote mobile screen (RMS) system based virtualization method.

Experimental analysis.
RMS ensures data confidentiality, policy compliance and space isolation.
It poses numerous security risks.
Data confidentiality and isolation.
Limited availability of BYOD/mobile devices.
[64] Multi-level architecture for isolation.Experimental analyses.Provided privacy for android end-user.
The solution is only for android.
Privacy.Less security.

SDN can enhance NFV
performance with virtualization.
SSDN and NFV are independent.
Experimental analysis.

MSS secures sensitive data and security activities in a separate
domain.
The MSS is only for one environment.
Table 9. Summary of the attack detection techniques.

Ref Technology Employed Performance Analysis
Advantage Limitation [69] Risk access scheme, NGFW technique based deep-packet inspection firewall.
Experiment analyses and Case study (Tokyo University).
Reduces costs while increasing security.
It is weaker because package content should be verified instead of only filtered network traffic.
Works well to detect and analyse BYOD malware.
Only deal with log files without applications.
Simulation performed in three stages (computer, simulation, and experimental) tracked BYOD user's traffic.
Forensic investigation requires an end-to-end ecosystem.
[ The dataset quantity is large. [79] Behaviour-based abnormality detection model, Pattern Analysis (data mining).

Mathematical analysis.
Analyzing user behaviour to detect abnormal behaviour.
High false alarm rate.
Self-adaptive network can defend against internal threats and reduce attack reaction time.
Should be extended and improved to detect sophisticated APTs. [81] Malware identification scheme based supervised classification algorithms/ML.Prototype implemented-android applications dataset.High accuracy.
The decision limit may be overtrained.

Prototype implementation.
Enhanced security and provided intrusion detection systems.

Difficult interpretation.
Table 10.Summary of the attack detection techniques.

Ref Technology Employed Performance Analysis
Advantage Limitation [83] ANN algorithm (deep learning).
Experimental analysis, Real data from the Media Lab of MIT dataset (incoming, outgoing, type of call).
Precision and accuracy of over 99%.
ANN has difficulty converting data into numerical values.

Prototype implementation, 2000 apps of Google Play
an android emulator.
Introduced new policies for corporate networks to manage organised activities.
Limited ability to block malicious apps. [85] Anomaly detection method based ML algorithms.
Prototype implementation, a proof-of-concept and Spark dataset.
Detecting intrusions and anomalies.Need more verification. [86] CVSS system-based decision engine logic algorithm.

Simulation (Computer simulation and experimental).
Privacy for the infrastructure layer.
The assessment time is still a major concern.
[87] IFT technique based on a clustering algorithm/ML.
Experimental analyses, Public data set containing packet IAT features.
Employed the packet inter-arrival time feature to detect abnormal behaviour.
Need to improve the algorithm within large datasets. [88] Real-time traffic classification system based on ML.
Experimental analyses, proof of concept and real dataset.
Employed a fine-grained, real-time traffic classification.
Required a change in the entire network infrastructure to implement SDN protocol.The analysis should include traffic instead of just the login log.

Prototype implementation.
Benefits both end-users and organisational use.

Prototype implementation.
Efficient method.limited in digital evidence.

DFR improves BYOD security and reduces
issues.
Honeypots only gather data when attacked.
Prototype implementation and SMS spam dataset.
Efficient with a small dataset.
Need more work on a massive dataset.
Useful for the network administrator.
Only classifies cyber-attack patterns and not types. [95] Based on dynamic decision tree algorithm (ML).
Experimentation and IBM's internal network dataset.
Reducing enterprise risk.Limited application installation. [96] Network scanning technique-based algorithm.

Proof-of-concept, Experimental analysis and Public dataset(Attack)
Preventing network eavesdropping and spoofing.
It should be implemented on the switch for better security.
Validate up to 99% and help to detect zero-day malware.
Should be applied to various attacks to ensure effectiveness.
[  Only provides an initial model.
Safe-Logic experts evaluated based on particular criteria.
Excellent awareness of BYOD threats and solutions.

NA
Creating benchmarks for BYOD security protocols.
Only identified security metric.

Integrating trust and risk management mechanisms with threat analysis
Only provides an initial model.
[ Only provides a starting point.
Case study (Interview domain experts at the Ottawa Hospital to validate).
Identify key BYOD risk assessment metamodel concepts.
Initial and limited architecture.[114,115] Other methods (middleboxes and alert systems).
Accurate transparency, usability, and performance with HTTPS security.
It is only a preliminary proposal that needs implementation.[116] Plugin Framework Based fine-grained security policy.
Allows correct security policy execution on any device connection network organisation.
No other systems (only Android).
[117] BYOD security framework Case study (Australian, questionnaire instrument) Building new framework to improve attack and threat defence.
Discusses only the theoretical aspect.
Table 13.Summary of evaluation metrics.
To evaluate the functionalities of the authentication policy.Access Response (Deny or Permit).
To evaluate the possibility of an authentication policy for preventing unauthorized access.
Authentication Time, Access Response and Error Rate.
To evaluate the performance of biometric authentication.
Accuracy and Frequency Detection Latency.
To evaluate the functionalities of the authentication policy.
To evaluate the performance of the authentication system.
Performance, Memory Consumption, CPU consumption, Time overhead and Code Size [55] Confidentiality.
To reduce the time when switching the key.Execution Time.
To evaluate the performance measurement of the MSS system.Time and Performance Measurement.
To evaluate the possibility of reducing management costs for Wireless Network Monitoring. Cost.
To evaluate the possibility of reducing costs and improving detection accuracy and efficiency.
Detection Accuracy and Cost.
To evaluate the accuracy of detecting a specific malware and abnormal application class. Accuracy.
To evaluate the risk value associated with each access request.
Risk Value, Scalability and Context Awareness [76] Attack detection.
To determine the impact of threat and opportunity estimations on the risk.threat probability.
To evaluate the rate of detection and accuracy.
Accuracy and rate of detection [78] Attack detection.
To evaluate the model's accuracy for detecting peer-to-peer traffic from torrent clients.
Accuracy and usability.
To evaluate the ability to classify abnormal behavior.Behaviour occurrence probability.
To evaluate response time against internal threats.Delay time.
[83] Attack detection.To evaluate the system's ability to detect unauthorized access.
To evaluate the ability to block unwanted application functions selectively.Overhead and latency [85] Attack detection.
To evaluate RAM and CPU consumption over time.RAM usage over time.CPU usage over time.
To evaluate time duration and vulnerability assessment against the cyber threat.Time and score assessment.
Table 14.Summary of evaluation metrics.

Ref Requirement under Consideration Purpose for the Evaluation Evaluation Metrics
[56] Confidentiality.
To evaluate the performance of PTA protocol.
To evaluate the response time for each subsequent request.
Execution time, complexity of the access policy and block size.
Protecting BYOD users and network privacy with practical effect on communication performance.
Time complexity, communication costs and communications complexity.
To ensure the proper handshaking time between clients and serves.
To reduce the delay in access time and run time.
Access time, power consumption and switching cost.
To evaluate the scalability of the approach.
CPU usage, memory usage and boot time.
To evaluate memory resource usage and power consumption due to virtualization.
Run-time memory usage and power consumption.

Techniques that Satisfy Only One of the Privacy and Security Requirements
This section describes the findings of previous studies related to proposed policy technologies based on how well they meet privacy and security criteria.As stated in Section 3.2, the requirements for BYOD security were classified into seven categories.These are confidentiality, integrity, availability, non-repudiation, authentication, privacy preservation, and attack detection.These requirements contributed to the creation of the review-related taxonomy.Figure 7 illustrates the taxonomy of security policies and privacy techniques based on the security requirements in BYOD environments, which include the seven categories described above.It can be seen that some techniques address one aspect of privacy and security criteria.For instance, confidentiality requirements have been met through cryptographic techniques and isolation techniques.Authentication algorithms can address authenticity requirements.Machine learning algorithms, deep learning algorithms, and SDN techniques have accomplished attack detection requirements.According to the review's findings, a technique that satisfies integrity, privacy, availability and nonrepudiation requirements alone cannot be produced.As seen in Figure 7, we labelled this with the symbol NA, indicating non-availability.After analysing and categorising previous research results, we failed to identify any research that addressed just these categories.Other researchers have focused on the privacy and security needs of authenticity, confidentiality, and attack detection but failed to consider all the privacy and security requirements that BYOD demands.In the following section, we will examine security policy strategies that only address a single privacy and security criterion and summarize previous research.

A. Techniques Based on Authenticity Requirements:
Authenticity requirements refer to verifying the identification of a user, process, or BYOD device and are frequently required before granting access to resources in an environment [118].Many companies believe that the BYOD concept benefits both individuals and enterprises.However, the primary security issue is how to restrict BYOD device access to organisational information.As a result, when a BYOD client accesses a company network via their device, the device must be authenticated in some way.Lee et al. [44] proposed a secure authentication for BYOD devices that would be able to select disablers and enablers, determining if a BYOD device is either a disabler or an enabler.The proposed solution involved a mobile application acting as an MDM client, connecting to a server-side MDM server.However, the proposed method is only compatible with a limited number of devices and a specific operating system.Guerar et al. [45] presented CirclePIN, a novel authentication technique geared towards BYOD, particularly smart watches, that is both resilient to most common threats and was highly rated in actual tests with real users.It enhanced authentication between BYOD and the company network and gave protection against unauthorised access.However, it still performed at a similar level to other less secure alternatives.The review also showed that previous researchers had put much effort into achieving authenticity based on authentication techniques.In Table 6, a summary of the technology used, performance analysis, advantages and limitations is presented.

B. Cryptographic Techniques Based on Confidentiality Requirements:
Confidentiality requirement refers to the protection of organisational data from unauthorised parties' access to records.In other words, it ensures that no unauthorised users can access the data shared in BYOD-enabled enterprises.Therefore, in BYOD situations, encryption mechanisms should be seen as the first line of defence that must be in place to protect company data.Previous researchers have studied confidentiality requirements based on cryptographic techniques.For example, Vinh et al. [56] implemented property-based token attestation (PTA) to protect users and company networks in BYOD environments.These data are processed as binary and property-based attestation and the method is effective in data storage units in enterprises.Nevertheless, the PTA protocol must be changed to make a more secure BYOD model based on the Cloudlet idea.Rahardjo et al. [55] implemented the self encryption algorithm into various applications.However, the proposed method has limitations in terms of execution time and compression.Catuogno et al. [57] addressed the problem of preserving data access control over a mobile device's storage space while running different and distinct third-party applications.To that end, they proposed a general-purpose protected file system capable of providing fine-grained data protection at the operating system level.Facilities for trusted execution environments (TEE) are used for data encryption, critical protection, and policy compliance, providing safe access to corporate networks.Table 7 represents additional efforts made by researchers to accomplish confidentiality requirements using cryptographic techniques.

C. Isolation Techniques Based on Confidentiality Requirements:
There are numerous methods for achieving confidentiality, such as encryption, which we discussed previously, and isolation strategies.The difference is that cryptographic techniques based on confidentiality aim to protect the confidentiality of data stored in systems or transmitted over the organisation's network and BYOD.However, isolation techniques based on confidentiality are utilised to isolate corporate space, enforce security policies, and protect corporate data when using BYOD.In addition, security isolation methods allow users to separate personal data from corporate space.In these various ways, cryptographic and isolation techniques constitute a requirement for confidentiality.
In a BYOD scenario, personal and company data are stored on the same device.There are numerous benefits to integrating BYOD devices into the company infrastructure.However, this causes safety issues such as space isolation, data confidentiality, policy compliance and vulnerabilities since small and medium-sized enterprises cannot afford a suitable product solution that allows personal and professional data to coexist securely on employees' devices.Previous research has suggested isolation-based methods.Ocano et al. [62] proposed a remote mobile screen (RMS) based on the virtualization method to solve these problems.RMS allows for data confidentiality and space isolation.However, the complexity of managing physical roles is challenging.In addition, an essential realworld scenario in BYOD requires individuals to be isolated from the enterprise's privileged information access, according to Kim et al. [61].They proposed an architecture called vNative that builds one foreground virtual machine (FVM), providing data confidentiality and isolation.However, the proposed solution is restricted to a few mobile intelligent devices.The proposed virtual network function (VNF) scheme is described in [63].
The suggested approach enables users to take advantage of the NFV server's more powerful corporate resources and increases service quality regarding security, mobility, and response time.It features a prototype technique [64] that takes advantage of virtualization characteristics common in today's mobile processors to fulfill this isolation demand.
In addition, this solution offers typical Android users security and privacy features.Table 8 summarises the isolation strategies discussed in previous studies.

D. Technique-Based Attack Detection Requirement:
According to previous research, there are numerous approaches for identifying attacks and preventing and monitoring risks.Kim and Lee [70] suggested a network-based risk identification tool based on the ML algorithm.The goal was to detect and evaluate malware on infected mobile devices under BYOD.However, this strategy cannot be employed for applications using log files.Aldini et al. [76] improved the method based on a machine learning algorithm to detect denial of service assaults, probing attacks, and torrent traffic in BYOD.The proposed approach is adaptable and flexible, lowering costs.Ammar et al. [80] proposed a supervised classification-based malware detection technique for Android BYOD devices.It provides a self-adaptive network capable of protecting critical services and defending against internal attacks and should be upgraded and expanded to detect advanced APTs.Ref. [72] proposed method based on clustering algorithms that may improve malware detection in BYOD was used with a simulation data set and a public dataset and achieved high precision.Ref. [69] employed a risk access scheme based on NGFW (next-generation firewall) technology, and a deep packet inspection firewall is used to protect a campus network.This method tracks and categorises risk packages.The experiment was analysed using a case study (Tokyo University).It reduced costs while increasing security.However, it is weaker because package content needs to be verified for network traffic filtering.
Furthermore, Ali et al. [71] proposed a risk-based access control model based on a dynamic risk estimation method, using features to analyse each request's security risk.The algorithm evaluates access based on user context, resource sensitivity, action severity, and risk history to represent an end-to-end ecosystem.Zungur et al. [84] presented a framework for detecting anomalous behaviour and unauthorised access to BYOD devices using artificial neural networks (ANN and data mining.A real dataset used in the evaluation had a precision of over 99 percent.One of the study's goals by [90] was to identify anomalous behaviour in BYOD devices connected to a corporate platform and then submit those devices to access control system management (ACSM) for platform access using an intelligent filtering technique.This method can set end-user access control policies and protect against malicious mobile apps, but security testing becomes difficult when apps are constantly attacked.The author in [79] proposed a behaviour-based abnormality detection method based on data mining that examines vulnerabilities and patterns in diverse information use contexts.Finally, ref. [83] provided a methodology using ANN techniques for detecting unusual behaviour and identifying unauthorised access to BYOD devices.It performed well on a real-world dataset, with a precision and accuracy of more than 99%.The experimental analysis assisted organisations in addressing three types of legitimate user behaviour.ANN, on the other hand, has difficulty converting data into numerical values.Previous studies show that many techniques have been developed for detecting risk in BYOD.Some techniques, such as fuzzy models and neural networks, are based on machine learning and deep learning.Tables 9 and 10 summarise previous research on BYOD attack detection techniques.6.2.2.Techniques Based on More Than One Security and Privacy Requirement Some techniques have satisfied more than one of the requirements, as seen in Figure 8, which shows the classification of policy technologies that consider multiple requirements.For example, some technologies fulfil multiple security and privacy requirements, according to previous studies.Firstly, some methods address both confidentiality and authentication.Many businesses have the necessary security access for BYOD to wireless networks.The network enterprise delivers WPA2 based on the 802.1X standard [46,47].It is insufficient and should be strengthened.Pomak and Limpiyakom, proposed encryption-based authentication in [99].They proposed employing near field communication multi-factor authentication (NFC) for secure authentication in combination with hybrid cryptosystems.Chen et al. [100] proposed an authentication scheme for cloud data in IoT/BYOD.Participants can employ ciphertext policy attribute-based encryption to construct fine-grained access control rules (CP-ABE).The approach uses hybrid cloud infrastructure to offload expensive CP-ABE activities while protecting privacy.This way, encryption and optimization methods protect critical data at the item level, preventing leakage.Secondly, some procedures fulfil the criteria for confidentiality and detection of attacks.Zhu et al. [103] employed a new model combining anomaly detection, tracing, and revocation procedures.Partially ordered hierarchical encryption (PHE) is a novel threshold public key-based cryptosystem that implements a partial-order key hierarchy similar to RBAC roles.Tracking and large service interruptions are critical security measures.Thirdly, some techniques combine authentication, attack detection and confidentiality requirements.For instance, the technique proposed by Geber et al. [102] can enable SDNbased authentication in a BYOD setting using OpenFlo-based infrastructure.It uses SDN characteristics to create virtual networks for monitoring dynamically selected BYOD users.By employing the portal and two-factor authentication, the user is provided with a safe and convenient means for enabling access to critical applications only and barring unauthorised requests, thereby limiting the services that a potentially attacking device can access.Changes to switching streaming rules may be deployed quickly, ensuring that users always have the most up-to-date access to the network with attack predictions.Three security and privacy requirements have been fulfilled: the authentication of BYOD devices used two-factor authentication, attack detection was achieved via continuous risk monitoring, and confidentiality was based on virtual networks.Table 11 depicts those techniques that have employed more than one security and privacy requirement in previous studies in the field.

Techniques That Did Not Fulfil Any of the Classified Security and Privacy Requirements
Figure 9 shows methods that did not identify any of the suggested requirements.Most studies in this section focus on enforcing simple policies or security architectures to improve overall security for organisations that support BYOD.These methods are preliminary models or policies, not technologies that address the identified requirements for privacy and security.For example, Selviandro et al. [104] suggested an architectural framework for enforced access control policies to reduce BYOD vulnerabilities.while Armando et al. introduced a reliable and policy-aware architecture for enforcing fine-grained security requirements on BYOD devices [105].They implemented a user and device security policy based on existing NATO CIA guidelines (NCI Agency).Aldini et al. [108] presented an opportunity-enabled risk management (OPPRIM) approach that aimed to balance understanding primary threats with an appreciation of the increased opportunities that may emerge from BYOD.OPPRIM combines risk estimation methods with trust and threat metrics, and the OPPRIM policy and metric formulation paradigm is formalised in this study using logic.The model was checked using qualitative tools.The next Table 12 summarises the studies that address the security of BYOD without focusing on a specific security and privacy requirement.

Performance Evaluation and Metrics Employed by the Techniques
This section reviews the performance evaluation and the metrics used to evaluate the techniques.To categorize the performance evaluation analysis methods, the review distinguishes between techniques with tools (methods utilizing software or hardware in the assessment process) and methods without tools (methods relying on mathematical analysis).Figure 10 illustrates the methods using tools, including case studies, simulations (e.g., MATLAB, NS2, computer simulation experiment, and Anylogic), datasets (e.g., Public, Real, and Synthetic), formal security proofs (e.g., Scyther), and prototype implementations.Conversely, analysis without tools relies solely on mathematical analysis.
Previous research has identified specific evaluation metrics for each security and privacy requirement in technology.These metrics have been replicated in other studies to assess various security requirements.For instance, the authenticity requirement is evaluated based on response time, access response (deny or permit), and cost.The confidentiality requirement is measured using metrics such as execution time, communication costs, communication complexity, exchange key time, CPU usage, memory usage, and boot time.Attack detection requirements are assessed through metrics like accuracy, precision (PPV), recall (TPR), detection rate, RAM usage over time, CPU usage over time, overhead, and time cost.However, it is important to note that performance evaluation matrices may not adequately cover all the security and privacy requirements outlined in BYOD policies, highlighting the need for further exploration in this field.
Overall, performance evaluation and metrics provide invaluable insight into the efficacy, efficiency, and vulnerabilities of security access control systems.By employing these evaluation techniques, organizations can strengthen their access control measures, mitigate security risks, and protect sensitive resources and data.Figure 10 illustrates the classification of the performance evaluation analysis methods adopted by the techniques examined in this review.Furthermore, Tables 13 and 14 provide a summary of the metrics used by the techniques and their respective purposes.

Discussion
The core security policy for BYOD encompasses various policies such as Network Access Control (NAC), Mobile Device Management (MDM), Mobile Application Management (MAM), Mobile Information Management (MIM), and Enterprise Mobility Management (EMM).However, the increasing number of BYOD attacks indicates that these security policies must be revised to develop BYOD security while failing to meet privacy requirements.Instead, a three-tiered security policy framework consisting of operational, tactical, and strategic layers should be implemented, working in harmony.This framework requires critical policies, including on-boarding access control policy, authentication access control policy, communication policy, application control policy, and risk control policy.These policies encompass BYOD devices and the organization's network, resources, communications, and applications while addressing seven essential security and privacy requirements: confidentiality, integrity, availability, non-repudiation, authentication, privacy preservation, and attack detection.Despite previous reviews providing foundational knowledge on the security and privacy challenges associated with BYOD policies, many still need to examine security policy techniques and privacy requirements thoroughly.Additionally, the exploration of technological methods employed to ensure compliance with these requirements still needs to be completed.This review adopts a systematic approach to comprehensively understand security policy techniques and privacy requirements within the context of a three-layered security policy architecture, which is considered ideal for optimizing BYOD security.
The study formulated and addressed five research questions (RQ1-RQ5) to accomplish its objectives.RQ1 focused on identifying the primary criteria that meet the security requirements of bring your own device (BYOD), namely confidentiality, integrity, availability, non-repudiation, authentication, privacy preservation, and attack detection.The results pertaining to RQ1 are discussed in Section 4. Similarly, the findings for RQ2 revealed the effectiveness of security policy techniques in meeting the security and privacy requirements.This analysis is presented in Section 6.The reviewed studies highlighted that among the various criteria, the most attention was given to attack detection, with 30 proposed techniques, followed by authenticity with 11 recommended techniques.Eight techniques focused on confidentiality using isolation techniques, while six techniques centered on confidentiality using cryptography.Additionally, 13 studies did not fall under specific requirements as they presented initial suggestions within the policy architecture framework.Furthermore, five proposed techniques addressed a combination of two or more different requirements, with only three techniques addressing both authenticity and confidentiality, and one technique covering authentication, attack detection, and confidentiality requirements.Additionally, one technique fulfilled the confidentiality and attack detection requirements.However, the review study noted a lack of techniques addressing the integrity, availability, non-repudiation, and privacy preservation requirements.This indicates the need for future research to focus on these aspects.Figure 11 illustrates the distribution of techniques based on the analysed requirements.Following the research review conducted under RQ3, the identified methodologies were further categorised based on their technological approaches.These approaches encompassed software-defined networking (SDN), machine learning (ML) algorithms, digital forensic models, and mobile security solution (MSS) systems.Among these, the most commonly employed technology was cryptography, specifically based on the RSA algorithm.Furthermore, the evaluation of technique effectiveness involved the examination of performance metrics, as explored under RQ4.Each category of requirements employed specific metrics to assess the performance of the techniques.Tables 13 and 14 highlight the purpose of evaluating techniques using these specific metrics.These tables provide valuable guidance for future researchers regarding the appropriate metrics for measuring technique performance.The review indicates that simulation experiments were the most frequently utilized approach for performance analysis in response to RQ4.Among the studies that employed datasets, a particular dataset emerged as the most commonly used.Prototype implementations predominantly employed embedded devices (single-board computers), while only one study utilized the Scyther tool for formal security analysis.Informal security analysis was the prevailing method utilized.Finally, based on the analysis and evaluation conducted, the study also identified significant challenges faced by the field.These challenges hold relevance for future researchers and will be expounded upon in the subsequent section.

Open Issues
This section aims to respond to RQ5 by discussing pertinent open research concerns regarding security policy techniques and privacy requirements.It intends to highlight opportunities for future research in this field.The following are the main open issues that merit further investigation:

Blockchain-Based Authentication Techniques
Academic researchers have proposed a variety of authentication approaches and techniques.These approaches can assist organisations in developing more secure access control between their networks, resources and BYOD.However, most techniques are designed to target either the user or the device individually.BYOD requires both the device and the user to be trusted with access to the organisation's resources.Knowledge-based authentication, possession-based authentication, biometric-based authentication and multi-factor authentication are all vulnerable to attack.As a result, more robust authentication measures are required.Most authentication systems require storing authentication information (password, ID, public key).The issue with consolidating storage is that it might become a single failure point.The initial BYOD solutions proposed by earlier academics are insufficient to secure the BYOD environment.Future research should focus on developing BYOD access control, which will address most of the issues in the BYOD environment and employ blockchain technology for security.

Secure Two-Way Communication
It is challenging to set up secure two-way communication in a BYOD environment.As a result, lightweight key exchange algorithms that suit access control in BYOD should be devised in the future to provide safe two-way communication between companies and BYOD devices.

Real-Time Authorization
BYOD encompasses a wide range of smart devices that contact the organisation's server and depend on providing real-time data access.Therefore, a delay in procuring an access decision within a BYOD environment may lead to unauthorised access to sensitive data, resulting in vulnerabilities to the system.In the scenario mentioned earlier, it can be inferred that access decision-making must remain close to the origin of access requests, which can provide the advantage of real-time data for the access control system, thus enabling access decisions with a minimal end-to-end delay.Moreover, authorised access must be ensured throughout the session, not only at the time of the request.In addition, real-time authorization means continuous access decisions throughout the session, not only when requesting access.

Context-Aware Role-Based Access Control
In security access control, many methods target communication between the organisation's platform and BYOD devices.The method of access control proposed [109] is not sensitive to contexts such as user status, location of the BYOD user, or time.According to the literature, these factors are context-aware elements.These factors are essential because they help identify BYOD devices inside the organisation.Therefore, access control based on context awareness should be given more attention to ensure the privacy of the BYOD environment.This is a major challenge and represents a promising field of study, but changes in context with access control must be adapted iteratively to avoid any risks.

Risk-Adaptive Policy Adjustments
Researchers in the field of BYOD security are interested in detecting and preventing insider attacks.Numerous methods based on behavioural models and anomaly detection approaches for addressing insider risks in BYOD environments have developed, such as [81,82,88,89].While these methodologies do not focus on adapting access control policies to avoid insider assaults, they provide valuable insights into insider threat detection in BYOD situations.However, adaptive policy adjustment approaches pose a significant challenge and are an unexplored study area.

Evaluation Metrics Employed by the Techniques
According to the evaluation metrics, cost reduction concerning policy procedures remains a significant issue, particularly for small and growing businesses.Furthermore, it should be noted that most attack detection techniques [72,73,93] evaluate attack detection accuracy but not adaptive policy adjustment accuracy.As a result, two evaluation metrics, time and adaptive policy adjustment accuracy, were required to evaluate adaptive policy adjustment techniques.Because there has been little research in this area, other security and privacy requirements such as integrity, availability, privacy preservation and nonrepudiation should be measured using evaluation metrics.8.7.More Effort Is Required to Fulfill Specific Privacy and Security Criteria As previously stated, several security and privacy requirements summarised above either need to explore particular technologies fully or include them.For instance, integrity, availability, non-repudiation and privacy-preservation requirements are not taken into account by any technique on a stand-alone basis but integrated with other criteria.Therefore, future research should focus on developing techniques that consider these considerations.

Conclusions and Future Work
BYOD security requires applying access control policies at all three security levels: operational, tactical and strategic, considering privacy requirements.This study is the first systematic review of security policies based on the privacy criteria that they meet.It also examines current research and focuses on the following aspects: (1) categorising privacy and security requirements within bring your own device (BYOD) policies; (2) analysing advanced security policy technologies for BYOD, considering three layers of security, and assessing their alignment with privacy requirements; (3) identifying technological trends in the field; (4) evaluating the effectiveness of techniques to enhance privacy and security through various measures; and (5) identifying potential areas for future BYOD security and privacy research.
In total, 74 articles were analysed based on SLR standard procedures to extract the key findings that underpin this study.Firstly, a taxonomy of security policy techniques and privacy requirements was introduced.According to the survey, BYOD security and privacy requirements can be divided into seven categories: confidentiality, integrity, availability, non-repudiation, authentication, privacy preservation, and attack detection.Secondly, the survey found that every criterion can be fulfilled with a specific technique, except for integrity, availability, non-repudiation, and privacy-preservation requirements, which were combined with other requirements.Third, having identified contemporary trends relevant to BYOD security, the techniques identified were classified according to their associated technological methods.Fourth, there was a discussion of the performance criteria used to evaluate the effectiveness of each technique.The review effort also showed the limitations of each of the methodologies.Lastly, for the benefit of academics interested in working on BYOD security and privacy, potential research areas were identified for future studies.For future studies, researchers are encouraged to focus on developing access control to address most issues in the BYOD environment.Utilising blockchain technology for security and emphasising context-aware access control to protect the privacy of the BYOD environment are recommended.The study also emphasises the need to consider privacy requirements such as integrity, availability, non-repudiation, and privacy preservation.

Figure 1 .
Figure 1.Comparison between traditional security policy and BYOD security.

Figure 4 .
Figure 4. Flowchart of the systematic review process.

Figure 5 .
Figure 5. Percentage of publications related to BYOD security policy techniques per year.

Figure 6 .
Figure 6.Percentages of publications in five databases relevant to security policy in BYOD.

Figure 7 .
Figure 7.The taxonomy security policy and technological trends based on privacy requirements.

Figure 8 .
Figure 8. Techniques based on more than one privacy requirement.

Figure 9 .
Figure 9. Techniques that did not satisfy classified privacy requirements.

Figure 10 .
Figure 10.Classification of the performance analysis methods.

Figure 11 .
Figure 11.Distribution of techniques in relation to Privacy requirements.

Table 2 .
Comparison between traditional security policy and BYOD security.

Table 4 .
Research questions and objectives.

Table 5 .
Inclusion and exclusion criteria.

Table 6 .
Summary of authentication techniques.

Table 11 .
Summary of techniques based on multiple security and privacy requirements.

Table 12 .
Summary of the techniques that did not consider any of the proposed requirements.