As both corporate and consumer-oriented applications continue to introduce new functionality, supporting an ever wider range of usage scenarios and higher levels of customization and delegation, they also inevitably give rise to more complex security and privacy policies. Yet, studies have repeatedly shown that both lay and expert users are not good at configuring policies rendering the human element an important—but often overlooked—potential source of vulnerability. Our research over the past few years has shown that the application of user-centered design principles coupled with new techniques such as dialogue, explanation, visualization, and conflict detection & resolution techniques can lead to the development of substantially more efficient and effective policy authoring and auditing tools.
In this project, we are developing and evaluating a new family of user-controllable policy learning techniques capable of working hand in hand with users (both lay and expert users, including system administrators) and help them more rapidly and more accurately converge towards their intended policies. Target application domains range from the management of privacy policies in mobile, social networking applications all the way to the management of firewall policies, RBAC policies and DLP policies.