Other Projects - January 2017

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Laurie Williams, Munindar Singh
Researchers: Ozgur Kafali, Pradeep Murukannaiah

HARD PROBLEM(S) ADDRESSED

• Policy-Governed Secure Collaboration - This project addresses how to specify and analyze norms (standards of correct collaborative behavior) and policies (ways of achieving different collaborative behaviors) to understand their relation to security breaches.
• Security Metrics and Models - The project is to develop and analyze metrics that quantify how well security policies account for real breaches, and identify the gaps in between.

PUBLICATIONS
Report papers written as a result of this research. If accepted by or submitted to a journal, which journal. If presented at a conference, which conference.

• Ozgur Kafali, Jasmine Jones, Megan Petruso, Laurie Williams and Munindar P. Singh. How Good is a Security Policy against Real Breaches? A HIPAA Case Study. Proceedings of the 39th International Conference on Software Engineering (ICSE), 2017.
• Ricard López Fogués, Pradeep K. Murukannaiah, Jose M. Such, Munindar P. Singh. Understanding Sharing Policies in Multiparty Scenarios: Incorporating Context, Preferences, and Arguments into Decision Making. ACM Transactions on Computer-Human Interaction (TOCHI), 2017, To appear.

ACCOMPLISHMENT HIGHLIGHTS

• We proposed a systematic and reusable framework called Semaver to understand how well security policies account for real breaches (therefore identify the gaps in between). We differentiate between two types of breaches: malicious misuses where adversaries exploit vulnerabilities and accidental misuses where human factors play an important role. Our investigation of the 1,577 healthcare breaches reported by the HHS shows that 44% of the breaches are accidental misuses. Moreover, we find that HIPAA policies do not account for accidental misuses as well as malicious misuses.
• We have extended the Semaver framework to include additional research questions that would be of practical help to security analysts, such as "How can we automatically propose refinements of requirements based on identified gaps?", and "How can we increase the knowledge of potential threats by consolidating various threat models via a domain model?"
• We investigated multiuser privacy scenarios, namely, those where information is to be shared that concerns two or more users. Specifically, we studied how users decide which sharing policy to adopt in cases where the users have different preferred sharing policies. From an empirical study of nearly 1,000 subjects, we found that contextual factors, user preferences, and arguments influence the optimal sharing policy in a multiuser scenario.