Understanding Effects of Norms and Policies on the Robustness, Liveness, and Resilience of Systems
Lead PI:
Emily Berglund
Co-PI:
Formal Specification and Analysis of Security-Critical Norms and Policies
Lead PI:
Jon Doyle
Co-PI:
Abstract

Goal: To understand how security properties vary with norms and policies that govern the behavior of collaborators (users and organizations), to enable identification of norms and policies that achieve desired tradeoffs between security and user preferences.

Research Questions: How can we verify whether a set of norms (1) is consistent and realizable through the policies and preferences of the collaborators, and (2) achieves specified security properties? How can we predict the difficulty of the reasoned and modular creation and maintenance of sets of norms, policies, and preferences by collaborators?

Scientific Understanding of Policy Complexity
Lead PI:
Ninghui Li
Co-PI:
Abstract

Goal: To develop a scientific understanding of what makes security policies complex as well as metrics for measuring security policy complexity, defined as the degree of difficulty in understanding by relevant users.

Research Questions: What is the right way to define security policy complexity? How should we measure users' ability to understand and specify security policies? What features of policy languages or policies make them inherently more complex? Can we transform a security policy into a logically equivalent one that has lower complexity? In other words, is today's high complexity for security policies accidental or inherent?

Resilience Requirements, Design, and Testing
Lead PI:
Kevin Sullivan
Co-PI:
Redundancy for Network Intrusion Prevention Systems (NIPS)
Lead PI:
Michael Reiter
Smart Isolation in Large-Scale Production Computing Infrastructures
Lead PI:
Xiaohui (Helen) Gu
Co-PI:
Science of Human Circumvention of Security
Lead PI:
Tao Xie
Co-PI:
Abstract

Well-intentioned human users continually circumvent security controls. The ubiquitous fact of this circumvention undermines the effectiveness of security designs that implicitly assume circumvention never happens. We seek to develop metrics that enable security engineers and other stakeholders to make meaningful, quantifiable comparisons, decisions, and evaluations of proposed security controls in light of what really happens when these controls are deployed.

This project builds on foundations of human-computer interaction in security and on the preliminary research the investigators have already been conducting: Blythe, Koppel, and Smith, studying workers’ reasons for and methods of circumvention, together with Xie, studying techniques for helping mobile-app users (who may be enterprise workers) apply security controls to apps before installing them on their mobile devices. Research conducted in large enterprise systems increasingly finds that such apps are a major source of malware entering those larger systems. Similarly, with the expanded use of BYOD (bring your own device), such dangers are pandemic without security controls and without users’ ability to understand and follow those controls. Security-control circumvention by enterprise workers as mobile-app users is reflected in their willingness to install apps without sufficiently assessing their risk.

A Hypothesis Testing Framework for Network Security
Lead PI:
Brighten Godfrey
Co-PI:
Abstract

This project develops a scientific approach to testing hypotheses about network security when those tests must consider layers of complex interacting policies within the network stack. The work is motivated by the observation that the infrastructure of large networks is hideously complex, and so is vulnerable to various attacks on services and data. Coping with these vulnerabilities consumes significant human management time, just trying to understand the network’s behavior. Unfortunately, even very simple behaviors – such as whether it is possible for any packet (however unusual) to flow between two devices – are difficult for operators to test, and synthesizing these low-level behaviors into a high-level quantitative understanding of network security has been beyond reach.

We propose to develop the analysis methodology needed to support scientific reasoning about the security of networks, with a particular focus on information and data flow security. The core of this vision is Network Hypothesis Testing Methodology (NetHTM), a set of techniques for performing and integrating security analyses applied at different network layers, in different ways, to pose and rigorously answer quantitative hypotheses about the end-to-end security of a network.

Brighten Godfrey

Brighten Godfrey is an Associate Professor in the Department of Computer Science at the University of Illinois at Urbana-Champaign, and also serves as co-founder and CTO of Veriflow. Before joining UIUC, he was a Ph.D. student at UC Berkeley, advised by Ion Stoica, and a visiting researcher at Intel Labs Berkeley.

Data Driven Security Models and Analysis
Lead PI:
Ravishankar Iyer
Co-PI:
Abstract

In security more than in other computing disciplines, professionals depend heavily on rapid analysis of voluminous streams of data gathered by a combination of network-, file-, and system-level monitors. The data are used both to maintain a constant vigil against attacks and compromises on a target system and to improve the monitoring itself. While the focus of the security engineer is on ensuring operational security, it is our experience that the data are a gold mine of information that can be used to develop greater fundamental insight and hence a stronger scientific basis for building, monitoring, and analyzing future secure systems. The challenge lies in being able to extract the underlying models and develop methods and tools that can be the cornerstone of the next generation of disruptive technologies.

This project is taking an important step in addressing that challenge by developing scientific principles and data-driven formalisms that allow construction of dynamic situation-awareness models that are adaptive to system and environment changes (specifically, malicious attacks and accidental errors). Such models will be able (i) to identify and capture attacker actions at the system and network levels, and hence provide a way to reason about the attack independently of the vulnerabilities exploited; and (ii) to assist in reconfiguring the monitoring system (e.g., placing and dynamically configuring the detectors) to adapt detection capabilities to changes in the underlying infrastructure and to the growing sophistication of attackers. In brief, the continuous measurements and the models will form the basis of what we call execution under probation technologies.

Data-Driven Model-Based Decision-Making
Lead PI:
William Sanders
Co-PI:
Abstract

The goal of this project is to develop quantitative, scientifically grounded decision-making methodologies that guide information security investments in private or public organizations, combining human and technological concerns; to demonstrate their use in two or more real-life case studies; and to prototype tools and demonstrate their proof of concept on those case studies. It is our hypothesis that quantitative security models, augmented by collected data, can be used to make credible business decisions about the use of particular security technologies to protect an organization’s infrastructure. The key output of this research will be a data-driven, model-based methodology for security investment decision-making, with associated software tool support, and a validation of the usefulness of the tool in a realistic setting. The main scientific contributions will be new abstractions for modeling human behavior, and techniques and tools for optimizing the associated data collection strategy.

This project is a collaboration between the University of Illinois at Urbana-Champaign and Newcastle University.
