DOI: 10.1145/1837110.1837121
research-article

Optimizing a policy authoring framework for security and privacy policies

Published: 14 July 2010

Abstract

Policies which address security and privacy are pervasive parts of both technical and social systems, and technology to enable both organizations and individuals to create and manage such policies is seen as a critical need in IT. This paper describes policy authoring as a key component to usable privacy and security systems, and advances the notions of policy templates in a policy management environment in which different roles with different skill sets are seen as important. We discuss existing guidelines and provide support for the addition of new guidelines for usable policy authoring for security and privacy systems. We describe the relationship between general policy templates and specific policies, and the skills necessary to author each of these in a way that produces high-quality policies. We also report on an experiment in which technical users with limited policy experience authored policy templates using a prototype template authoring user interface we developed.


Published In

SOUPS '10: Proceedings of the Sixth Symposium on Usable Privacy and Security
July 2010
236 pages
ISBN:9781450302647
DOI:10.1145/1837110

Sponsors

  • Carnegie Mellon University

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. policy authoring
  2. policy management
  3. policy refinement
  4. privacy policy
  5. security policy
  6. user experience design

Qualifiers

  • Research-article

Funding Sources

  • U.K. Ministry of Defence

Conference

SOUPS '10
Sponsor:
  • Carnegie Mellon University
SOUPS '10: Symposium on Usable Privacy and Security
July 14 - 16, 2010
Washington, Redmond, USA

Acceptance Rates

Overall Acceptance Rate 15 of 49 submissions, 31%
