Lablet Research on Policy-Governed Secure Collaboration

SoS Newsletter - Advanced Book Block

Policy-Governed Secure Collaboration

EXECUTIVE SUMMARY: Over the past year the NSA Science of Security lablets engaged in 7 NSA-approved research projects addressing the hard problem of Policy-Governed Secure Collaboration. All of the work done against this hard problem addressed other hard problems as well. UIUC's research involved other universities including Illinois Institute of Technology, USC, UPenn, and Dartmouth. The projects are in various stages of maturity, and several have led to publications and/or conference presentations. Summaries of the projects, highlights, and publications are presented below.

1. Geo-Temporal Characterization of Security Threats (CMU)

SUMMARY: Addresses the hard problems of Policy-Governed Secure Collaboration and Resilient Architectures; provides an empirical basis for assessment and validation of security models; provides a global model of flow of threats and associated information.


  • Technical Report submitted
  • Identified central core network
  • Identified key actors attacking country of interest and being attacked by country of interest by type of attack
  • Technical Report: Ghita Mezzour, L. Richard Carley, Kathleen M. Carley, 2014, Global Mapping of Cyber Attacks, School of Computer Science, Institute for Software Research, Technical Report CMU-ISR-14-111

2. Scientific Understanding of Policy Complexity (NCSU)

SUMMARY: Addresses the hard problems of Policy-Governed Secure Collaboration and Human Behavior

  • Policy-Governed Secure Collaboration: Security policies can be very complex. The same policy can also be expressed in ways of different complexity. It is desirable to have a scientific understanding of measuring how complex a policy and a policy encoding is. Part of this work includes breaking down complex vulnerabilities into their constituent parts
  • Human Behavior: Our policy complexity is based on how easy for humans to understand and write policies. There is thus a human behavior aspect to it.


  • In an effort to break down complex policies, we have investigated ways to break down NIST's Common Weakness Enumeration (CWE), including experimenting with the Protege taxonomy tool. It appears that the most fruitful route will be to take each vulnerability (there are about 1000), extract one or more code samples from it, then tag it using Protege. This will give an idea of what concepts are necessary to understand the vulnerability.

3. Formal Specification and Analysis of Security-Critical Norms and Policies (NCSU)

SUMMARY: Addresses the hard problems of Policy-Governed Secure Collaboration and Scalability and Composability

  • Policy-Governed Secure Collaboration: This project addresses how to specify and analyze norms (standards of correct collaborative behavior) and policies (ways of achieving different collaborative behaviors) to determine important properties, such as their mutual consistency.
  • Scalability and Composability: This project can facilitate the composition of new collaborative systems by combining sets of norms and policies, and verifying whether such combinations satisfy desired properties.


  • We are addressing our first research hypothesis, which is that norm and preference specification languages can be constructed that both adequately express typical collaboration scenarios as well as enable tractable checking of consistency, composability, and realizability via policies.
  • We have introduced a new notion of accountability that formulates accountability in normative terms, which will provide a connection between norms and policies and security properties, especially in the academic IT domain.
  • We are formulating the problems of consistency and realizability in mathematical terms with a view toward producing criteria for designing algorithms for consistency and realizability of norms, policies, and preferences. To this end, we are investigating whether a set of norms is consistent and realizable through the policies and preferences of the collaborators and whether a set of norms achieves specified security properties with reference to the healthcare domain.
  • Amit K. Chopra and Munindar P. Singh, The Thing Itself Speaks: Accountability as a Foundation for Requirements in Sociotechnical Systems, Proceedings of the IEEE International Workshop on Requirements Engineering and Law (RELAW), Extended Abstract, Karlskrona, Sweden, IEEE Computer Society, 2014.

4. Understanding Effects of Norms and Policies on the Robustness, Liveness, and Resilience of Systems (NCSU)

SUMMARY: Addresses the hard problems of Policy-Governed Secure Collaboration and Resilient Architectures

  • Policy-Governed Secure Collaboration: Norms provide a standard of correctness for collaborative behavior, with respect to which policies of the participants can be evaluated individually or in groups.
  • Resilient Architectures: The study of robustness and resilience of systems modeled in terms of norms would provide a basis for understanding resilient social architectures.


  • We have developed prototype multiagent systems of simple structure on which to build more complex simulations of norms and policies on system properties.
  • We have developed a simplified model for an academic security setting that identifies the main stakeholders, norms that promote security, internal policies by which parties may autonomously decide to comply with (or not) different norms. We have realized this model in our multiagent simulation framework and are using the model not only to refine our understanding of the robustness, liveness, and resilience of norms as they pertain to security but also as a basis for understanding the requirements on a sufficiently expressive simulation framework.

5. A Hypothesis Testing Framework for Network Security (UIUC and Illinois Institute of Technology)

SUMMARY: Addresses four hard problems:

  • Scalability and Composability
  • Policy-Governed Secure Collaboration
  • Predictive Security Metrics
  • Resilient Architectures


  • A key part of our strategy is to test hypotheses within a model of a live network. We continued our work on the foundational rigorous network model along three dimensions: 1) network behavior under timing uncertainty, 2) modeling virtualized networks and 3) database model of network behavior.
  • Our workshop paper on modeling virtualized networks received the best paper award at HotSDN 2014.
  • Soudeh Ghorbani and Brighten Godfrey, "Towards Correct Network Virtualization", ACM Workshop on Hot Topics in Software Defined Networks (HotSDN), August 2014.
  • Dong Jin and Yi Ning, "Securing Industrial Control Systems with a Simulation-based Verification System", 2014 ACM SIGSIM Conference on Principles of Advanced Discrete Simulation, Denver, CO, May 2014 (Work-in-Progress Paper)

6. Science of Human Circumvention of Security (UIUC, USC, UPenn, Dartmouth)

SUMMARY: Our project most closely aligns with problem 5 (Understanding and Accounting for Human Behavior). However, it also pertains to problems 1 (Scalability and Composability), 2 (Policy-Governed Secure Collaboration), and 3 (Predictive Security Metrics).

  • Scalability and Composability: We want to understand not just the drivers of individual incidents of human circumvention, but also the net effect of these incidents. Included here are measures of the environment (physical, organizational, hierarchical, embeddedness within larger systems.)
  • Policy-Governed Secure Collaboration: To create policies that actually enable secure collaboration among users in varying domains, we need to understand and predict the de facto consequences of policies, not just the de jure ones.
  • Security-Metrics-Driven Evaluation, Design, Development, and Deployment: Making sane decisions about what security controls to deploy requires understanding the de facto consequences of these deployments---instead of just pretending that circumvention by honest users never happens.


  • Via fieldwork in real-world enterprises, we have been identifying and cataloging types and causes of circumvention by well-intentioned users. We are using help desk logs, records of security-related computer changes, analysis of user behavior in situ, and surveys---in addition to interviews and observations. We then began to build and validate models of usage and circumvention behavior, for individuals and then for populations within an enterprise.
  • The JAMIA paper by Smith and Koppel on usability problems with health IT (pre-SHUCS, but related) received another accolade, this time from the International Medical Informatics Association, which also named it one of best papers of 2014. We are updating that paper to include discoveries from our analysis of the workaround corpora above.
  • J. Blythe, R. Koppel, V. Kothari, and S. Smith. "Ethnography of Computer Security Evasions in Healthcare Settings: Circumvention as the Norm". HealthTech' 14: Proceedings of the 2014 USENIX Summit on Health Information Technologies, August 2014. Abstract: Healthcare professionals have unique motivations, goals, perceptions, training, tensions, and behaviors, which guide workflow and often lead to unprecedented workarounds that weaken the efficacy of security policies and mechanisms. Identifying and understanding these factors that contribute to circumvention, as well as the acts of circumvention themselves, is key to designing, implementing, and maintaining security subsystems that achieve security goals in healthcare settings. To this end, we present our research on workarounds to computer security in healthcare settings without compromising the fundamental health goals. We argue and demonstrate that understanding workarounds to computer security, especially in medical settings, requires not only analyses of computer rules and processes, but also interviews and observations with users and security personnel. In addition, we discuss the value of shadowing clinicians and conducting focus groups with them to understand their motivations and tradeoffs for circumvention. Ethnographic investigation of workflow is paramount to achieving security objectives. (This publication addresses Problems 5,1,2, and 3.)
  • R. Koppel. "Software Loved by its Vendors and Disliked by 70% of its Users: Two Trillion Dollars of Healthcare Information Technology's Promises and Disappointments". HealthTech'14: Keynote talk at the 2014 USENIX Summit on Health Information Technologies, August 2014. (This keynote talk addresses Problem 5.)
  • R. Koppel, J. Blythe, and S. Smith. "Ethnography of Computer Security Evasions in Healthcare Organizations: Circumvention of Cyber Controls". Talk at the European Sociological Association Midterm Conference, August 2014. (This talk addresses Problems 5 and 3.)

7. Trust, Recommendation Systems and Collaboration (UMD)

SUMMARY: Addresses Policy-Governed Secure Collaboration; Scalability and Composability, and Understanding and Accounting for Human Behavior


  • Our goal is to develop a transformational framework for a science of trust, and its impact on local policies for collaboration, in networked multi-agent systems. The framework will take human behavior into account from the start by treating humans as integrated components of these networks, interacting dynamically with other elements. The new analytical framework will be integrated, and validated, with empirical methods of analyzing experimental data on trust, recommendation, and reputation, from several datasets available to us, in order to capture fundamental trends and patterns of human behavior, including trust and mistrust propagation, confidence in trust, phase transitions in the dynamic graph models involved in the new framework, stability or instability of collaborations.
  • We developed new algorithms that effectively and provably use trust in distributed consensus problems in the presence of adversaries. Such problems are of interest in distributed fusion in sensor networks. We showed that a trust mechanism allows correct consensus to occur, whereas without the trust mechanism this would not be possible.
  • We developed new mathematical models for networks that carry opinions (beliefs) in their nodes, while the interaction between the nodes (agents) can be positive (friends) or negative (enemies). We analyzed the dynamics of belief evolution and emergence in such signed networks and discovered new laws governing these dynamics.
  • We developed a novel model and an efficient solution algorithm for the so-called "Advertisement Allocation Problem" in large social networks, using a new and innovative embedding of the graph in hyperbolic space. The new algorithm obtains the same results as other algorithms, albeit with complexity lower by two orders of magnitude.
  • We demonstrated how physical layer security schemes can be successfully employed to create a trusted core and provide privacy protection in distributed control and inference schemes.
  • We investigated several problems in crowdsourcing, by developing novel methods and algorithms that can handle multiple domains of knowledge, multi-dimensional trust in the knowledge of people or experts, and budget constraints. We investigated analytically these problems and obtained new algorithms and results on their performance.
  • X. Liu and J.S. Baras, "Using Trust in Distributed Consensus With Adversaries in Sensor and Other Networks," invited paper, Proceedings of 17th International Conference on Information Fusion (FUSION 2014), Salamanca, Spain, July 7-10, 2014. Abstract: Extensive research efforts have been devoted to distributed consensus with adversaries. Many diverse applications drive this increased interest in this area including distributed collaborative sensor networks, sensor fusion and distributed collaborative control. We consider the problem of detecting Byzantine adversaries in a network of agents with the goal of reaching consensus. We propose a novel trust model that establishes both local trust based on local evidences and global trust based on local exchange of local trust values. We describe a trust-aware consensus algorithm that integrates the trust evaluation mechanism into the traditional consensus algorithm and propose various local decision rules based on local evidence. To further enhance the robustness of trust evaluation itself, we also provide a trust propagation scheme in order to take into account evidences of other nodes in the network. The algorithm is flexible and extensible to incorporate more complicated designs of decision rules and trust models. Then we show by simulation that the trust-aware consensus algorithm can effectively detect Byzantine adversaries and exclude them from consensus iterations even in sparse networks. These results can be applied for fusion of trust evidences as well as for sensor fusion when malicious sensors are present like for example in power grid sensing and monitoring.
  • J.S. Baras gave the following invited, plenary and keynote lectures on the topics, approach and results in this Task: J.S. Baras, "Security and Trust in a Networked Immersed World: From Components to Systems and Beyond," invited keynote lecture, Workshop on Security and Safety: Issues, Concepts and Ideas, 2nd Hellenic Forum for Science, Innovation and Technology, Demokritos Research Center, Athens, Greece, June 30 - July 4, 2014.
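The trust-aware consensus idea in the FUSION 2014 abstract above, as an added toy simulation written for this page and not the paper's own algorithm or code: each honest node keeps a local trust value per neighbour, lowers it when that neighbour's report deviates from its own estimate by more than a threshold (the "local evidence"), and weights the neighbour's influence by that trust. The five-node topology, the initial readings, the fixed-value Byzantine node 3, and the threshold/decay/recovery rules are all assumptions for the example; the paper's trust propagation between nodes is not modelled.

```python
"""Toy trust-aware averaging consensus with one Byzantine node (constructed example)."""
from typing import Dict, List, Tuple

# Constructed 5-node sensor network; node 3 is Byzantine and always reports 100.0.
NEIGHBORS: Dict[int, List[int]] = {0: [1, 4], 1: [0, 2, 3], 2: [1, 3], 3: [1, 2, 4], 4: [0, 3]}
HONEST_INIT: Dict[int, float] = {0: 10.0, 1: 12.0, 2: 8.0, 4: 14.0}  # assumed sensor readings
BYZANTINE: Dict[int, float] = {3: 100.0}  # assumed adversary pushing a constant outlier


def run_consensus(rounds: int = 60, use_trust: bool = True, step: float = 0.2,
                  threshold: float = 20.0, decay: float = 0.5, recovery: float = 0.1
                  ) -> Tuple[Dict[int, float], Dict[Tuple[int, int], float]]:
    """Return (final honest estimates, final local trust t[i, j]) after `rounds` iterations."""
    x = dict(HONEST_INIT)
    trust = {(i, j): 1.0 for i in HONEST_INIT for j in NEIGHBORS[i]}
    for _ in range(rounds):
        # Every node reports its current value; the adversary never moves.
        reports = {**x, **BYZANTINE}
        new_x: Dict[int, float] = {}
        for i in HONEST_INIT:
            total = 0.0
            for j in NEIGHBORS[i]:
                if use_trust:
                    # Local evidence: a report far from my own estimate lowers trust,
                    # agreement slowly restores it (clamped to [0, 1]).
                    if abs(reports[j] - x[i]) > threshold:
                        trust[i, j] = max(0.0, trust[i, j] - decay)
                    else:
                        trust[i, j] = min(1.0, trust[i, j] + recovery)
                weight = trust[i, j] if use_trust else 1.0
                total += weight * (reports[j] - x[i])
            # Standard averaging consensus step, with each neighbour scaled by its trust.
            new_x[i] = x[i] + step * total
        x = new_x
    return x, trust


if __name__ == "__main__":
    naive, _ = run_consensus(use_trust=False)
    aware, t = run_consensus(use_trust=True)
    print("without trust:", {k: round(v, 2) for k, v in naive.items()})
    print("with trust:   ", {k: round(v, 2) for k, v in aware.items()})
    print("trust in node 3:", {k: v for k, v in t.items() if k[1] == 3})
```

Without trust the honest nodes are dragged to the adversary's value; with trust, the three nodes adjacent to node 3 drive their trust in it to zero within two rounds and the honest nodes agree on a value near their own readings.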

(ID#: 14-3365)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.