Visible to the public Other Projects - January 2017Conflict Detection Enabled

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Laurie Williams, Munindar Singh
Researchers: Ozgur Kafali, Pradeep Murukannaiah


  • Policy-Governed Secure Collaboration - This project addresses how to specify and analyze norms (standards of correct collaborative behavior) and policies (ways of achieving different collaborative behaviors) to understand their relation to security breaches.
  • Security Metrics and Models - The project is to develop and analyze metrics that quantify how well security policies account for real breaches, and identify the gaps in between.

Report papers written as a result of this research. If accepted by or submitted to a journal, which journal. If presented at a conference, which conference.


  • We proposed a systematic and reusable framework called Semaver to understand how well security policies account for real breaches (therefore identify the gaps in between). We differentiate between two types of breaches: malicious misuses where adversaries exploit vulnerabilities and accidental misuses where human factors play an important role. Our investigation of the 1,577 healthcare breaches reported by the HHS shows that 44% of the breaches are accidental misuses. Moreover, we find that HIPAA policies do not account for accidental misuses as well as malicious misuses.
  • We have extended the Semaver framework to include additional research questions that would be of practical help to security analysts, such as "How can we automatically propose refinements of requirements based on identified gaps?", and "How can we increase the knowledge of potential threats by consolidating various threat models via a domain model?"
  • We investigated multiuser privacy scenarios, namely, those where information is to be shared that concerns two or more users. Specifically, we studied how users decide which sharing policy to adopt in cases where the users have different preferred sharing policies. From an empirical study of nearly 1,000 subjects, we found that contextual factors, user preferences, and arguments influence the optimal sharing policy in a multiuser scenario.