Scientific Understanding of Policy Complexity - October 2014
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): Ninghui Li, Robert Proctor, Emerson Murphy-Hill
Researchers: Jing Chen, Haining Chen, Brooke Jordan
HARD PROBLEM(S) ADDRESSED
- Policy-Governed Secure Collaboration - Security policies can be very complex, and the same policy can be expressed in encodings of differing complexity. It is desirable to have a scientific understanding of how to measure the complexity of a policy and of a policy encoding. Part of this work includes breaking down complex vulnerabilities into their constituent parts.
- Human Behavior - Our notion of policy complexity is based on how easy it is for humans to understand and write policies. There is thus a human behavior aspect to it.
PUBLICATIONS
Report papers written as a result of this research. If accepted by or submitted to a journal, which journal. If presented at a conference, which conference.
None.
ACCOMPLISHMENT HIGHLIGHTS
- In an effort to break down complex policies, we have investigated ways to break down NIST's Common Weakness Enumeration (CWE), including experimenting with the Protege taxonomy tool (http://protege.stanford.edu/). It appears that the most fruitful route will be to take each vulnerability (there are about 1000), extract one or more code samples from it, then tag it using Protege. This will give an idea of what concepts are necessary to understand the vulnerability.