Scientific Understanding of Policy Complexity - January 2016
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): Ninghui Li, Robert Proctor, Emerson Murphy-Hill
Researchers: Jing Chen, Haining Chen, Matt Witte
HARD PROBLEM(S) ADDRESSED
- Policy-Governed Secure Collaboration - Security policies can be very complex, in the sense that they are difficult for humans to understand and update. We are interested in two kinds of complexity measures. The first is a measure of the inherent complexity of a policy. The second is a measure of the representational complexity, which is the complexity of a particular way to encode the policy. It is desirable to have a scientific understanding of both kinds of complexity.
- Human Behavior - Our notion of policy complexity is based on how easy it is for humans to understand and write policies. There is thus a human behavior aspect to it.
PUBLICATIONS
Report papers written as a result of this research. If accepted by or submitted to a journal, which journal. If presented at a conference, which conference.
ACCOMPLISHMENT HIGHLIGHTS
- We evaluated the devices measuring EEG signals and the NASA TLX for assessing users' mental workload using pilot studies, and found that the EEG devices were not as good as we expected but the NASA TLX satisfies our needs. We thus decided to use the NASA TLX in our upcoming user study.
- We developed an automatic tool for converting a firewall policy into modularized form. The tool decomposes a monolithic firewall policy into modules. We have evaluated how the tool and the modularized policy improve understanding.
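As an added illustration that is not the report's tool, the following Python sketches one way a monolithic first-match firewall policy can be split into per-destination-zone modules, and checks that regrouping the rules does not change the decision for any packet. The rule tuple format, the `ZONES` table, the sample policy and the test packets are constructed assumptions for this example; the project's own decomposition method is not described on this page.

```python
"""Added example: regroup a flat first-match firewall policy into destination-zone modules
and verify the regrouping is semantics-preserving. Not the report's tool; all data constructed."""
import ipaddress
from itertools import combinations

# Constructed sample policy, evaluated first-match. Rule = (src, dst, proto, dport, action).
MONOLITHIC_POLICY = [
    ("10.0.0.0/8",  "192.168.1.10/32", "tcp", 22,   "deny"),   # web zone
    ("0.0.0.0/0",   "192.168.2.0/24",  "udp", 53,   "allow"),  # dns zone
    ("10.1.0.0/16", "192.168.1.0/24",  "tcp", 22,   "allow"),  # web zone
    ("10.0.0.0/8",  "192.168.2.0/24",  "tcp", 443,  "allow"),  # dns zone
    ("0.0.0.0/0",   "192.168.1.0/24",  "tcp", 80,   "allow"),  # web zone
    ("0.0.0.0/0",   "0.0.0.0/0",       "any", None, "deny"),   # catch-all
]

# A policy whose regrouping is NOT safe: the broad deny would be moved after the allow.
UNSAFE_POLICY = [
    ("0.0.0.0/0",   "0.0.0.0/0",      "tcp", 22, "deny"),
    ("10.1.0.0/16", "192.168.1.0/24", "tcp", 22, "allow"),
]

# Hypothetical destination zones used as module boundaries (assumption of this example).
ZONES = {"web": "192.168.1.0/24", "dns": "192.168.2.0/24"}
MODULE_ORDER = list(ZONES) + ["default"]


def net(s):
    return ipaddress.ip_network(s)


def rules_overlap(a, b):
    """True if some packet could match both rules, so their relative order matters."""
    sa, da, pa, dpa, _ = a
    sb, db, pb, dpb, _ = b
    return (net(sa).overlaps(net(sb)) and net(da).overlaps(net(db))
            and ("any" in (pa, pb) or pa == pb)
            and (None in (dpa, dpb) or dpa == dpb))


def module_of(rule):
    """Assign a rule to the zone that fully contains its destination, else 'default'."""
    dst = net(rule[1])
    for name, zone in ZONES.items():
        if dst.subnet_of(net(zone)):
            return name
    return "default"


def modularize(policy):
    """Group rules by zone, preserving the original order inside each module."""
    modules = {name: [] for name in MODULE_ORDER}
    for rule in policy:
        modules[module_of(rule)].append(rule)
    return modules


def flatten(modules):
    """Evaluation order of the modularized policy: zone modules first, catch-all last."""
    return [r for name in MODULE_ORDER for r in modules[name]]


def reorder_is_safe(original, reordered):
    """A first-match reordering preserves semantics iff every pair of overlapping rules
    with different actions keeps its relative order."""
    pos = {r: i for i, r in enumerate(reordered)}
    for a, b in combinations(original, 2):          # a precedes b in the original
        if a[4] != b[4] and rules_overlap(a, b) and pos[a] > pos[b]:
            return False
    return True


def evaluate(policy, pkt):
    """First-match evaluation of a packet (src, dst, proto, dport); implicit deny."""
    src, dst, proto, dport = pkt
    for s, d, p, dp, action in policy:
        if (ipaddress.ip_address(src) in net(s) and ipaddress.ip_address(dst) in net(d)
                and p in ("any", proto) and dp in (None, dport)):
            return action
    return "deny"


def decisions_agree(policy, packets):
    """Check that the monolithic and modularized forms decide every packet identically."""
    flat = flatten(modularize(policy))
    return all(evaluate(policy, p) == evaluate(flat, p) for p in packets)


# Constructed test packets.
TEST_PACKETS = [
    ("10.1.2.3",    "192.168.1.10", "tcp", 22),
    ("10.1.0.5",    "192.168.1.20", "tcp", 22),
    ("203.0.113.7", "192.168.2.9",  "udp", 53),
    ("10.2.0.5",    "192.168.1.20", "tcp", 22),
]

if __name__ == "__main__":
    mods = modularize(MONOLITHIC_POLICY)
    for name in MODULE_ORDER:
        print(f"module {name}: {len(mods[name])} rule(s)")
    print("safe:", reorder_is_safe(MONOLITHIC_POLICY, flatten(mods)))
    print("unsafe policy safe?:", reorder_is_safe(UNSAFE_POLICY, flatten(modularize(UNSAFE_POLICY))))
```

The safety check is the part worth keeping even if the grouping strategy changes: any tool that moves rules between modules should refuse, or at least warn, when two overlapping rules with different actions would swap order, since that is exactly the case where a tidier-looking policy silently changes what the firewall permits.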
- We interviewed two developers of the Spring Security framework about the policy misconfigurations they made, which yielded some data about why misconfigurations are made in the first place and what can be done to prevent them in the future.