Scientific Understanding of Policy Complexity - July 2015

Submitted by drwright on Wed, 06/17/2015 - 9:29am

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s): Ninghui Li, Robert Proctor, Emerson Murphy-Hill
Researchers: Jing Chen, Haining Chen, Manish Singh

HARD PROBLEM(S) ADDRESSED

Policy-Governed Secure Collaboration - Security policies can be very complex, in the sense that they are difficult for humans to understand and update. We are interested in two kinds of complexity measures. The first is a measure of the inherent complexity of a policy. The second is a measure of the representational complexity, which is the complexity of a particular way to encode the policy. It is desirable to have a scientific understanding of both kinds of complexity.
Human Behavior - Our policy complexity is based on how easy for humans to understand and write policies. There is thus a human behavior aspect to it.

PUBLICATIONS
Report papers written as a results of this research. If accepted by or submitted to a journal, which journal. If presented at a conference, which conference.

ACCOMPLISHMENT HIGHLIGHTS

We have conducted a human subject study on understanding firewall policies presented in four different forms, including our proposed modularized form for policies. Analysis of the results demonstrate the benefit of our proposed modular language for expressing firewall policies, that is, users have an enhanced understanding of firewall policies.
We are in the midst of inspecting real policy misconfigurations from GitHub, and have found several interesting ways policies are misconfigured. With this greater understanding of the ways humans misconfigure security policies, we can create policy specifications that are less prone to misconfiguration.

Groups:

NCSU Science of Security Lablet Research Initiative