As both corporate and consumer-oriented applications introduce new functionality and increased levels of customization and delegation, they inevitably give rise to more complex security and privacy policies. Yet, studies have repeatedly shown that both lay and expert users are not good at configuring policies, rendering the human element an important, yet often overlooked source of vulnerability.

This project aims to develop and evaluate a new family of user-controllable policy learning techniques capable of leveraging user feedback and presenting users with incremental, user-understandable suggestions on how to improve their security or privacy policies. In contrast to traditional machine learning techniques, which are generally configured as "black boxes" that take over from the user, user-controllable policy learning aims to ensure that users continue to understand their policies and remain in control of policy changes. As a result, this family of policy learning techniques offers the prospect of empowering lay and expert users to more effectively configure a broad range of security and privacy policies.

The techniques to be developed in this project will be evaluated and refined in the context of two strategically important domains, namely privacy policies in social networks and firewall policies. In the process, work to be conducted in this project is also expected to lead to a significantly deeper understanding of (1) the difficulties experienced by users as they try to specify and refine security and privacy policies, and (2) what it takes to overcome these difficulties. The latter includes developing models of the types of policy modifications users can relate to and exploit as well as an understanding of the tradeoffs between usability and the number of policy modifications users are presented with. It also includes understanding how the effectiveness of user-controllable policy learning is impacted by the expressiveness of underlying policy languages, modes of interaction with the user (e.g. graphical versus text-based), and the topologies across which policies are deployed.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 0905403
Program Officer: Sylvia J. Spengler
Project Start:
Project End:
Budget Start: 2009-10-01
Budget End: 2013-09-30
Support Year:
Fiscal Year: 2009
Total Cost: $450,001
Indirect Cost:

Name: Columbia University
Department:
Type:
DUNS #:
City: New York
State: NY
Country: United States
Zip Code: 10027