November 23, 2009
Professor Norman Sadeh of Carnegie Mellon CyLab and Professor Steve Bellovin of Columbia University have been awarded a new three-and-a-half-year grant from the National Science Foundation (NSF) on "User-Controllable Policy Learning".
As both corporate and consumer-oriented applications introduce new functionality and increased levels of customization, they inevitably give rise to more complex security and privacy policies. Yet, studies have repeatedly shown that both lay and expert users are not good at configuring policies, rendering the human element an important, yet often overlooked, source of vulnerability. In this project, Sadeh and Bellovin will develop a new family of user-controllable policy learning techniques capable of leveraging user feedback and presenting users with incremental, user-understandable suggestions on how to improve their security or privacy policies over time.
“In contrast to traditional machine learning techniques, which are generally configured as ‘black boxes’ that take over from the user, user-controllable policy learning aims to ensure that users continue to understand their policies and remain in control of policy changes,” said CyLab’s Sadeh. “As a result, this family of policy learning techniques offers the prospect of empowering lay and expert users to more effectively configure a broad range of security and privacy policies – from Facebook policies, to corporate access control policies and beyond. This technology also has the potential of transforming recommendation systems such as those found on sites such as Amazon and Netflix.”
The new technologies will initially be demonstrated in the context of two important domains, namely privacy policies in social networks and firewall policies.
The project is also expected to lead to a significantly deeper understanding of the difficulties experienced by users as they try to specify and refine security and privacy policies and of what it takes to overcome these challenges. This includes developing a better understanding of the types of policy modifications users can relate to, how many policy modifications users can realistically be expected to handle in a given domain, as well as how these issues relate to the expressiveness of underlying policy languages or modes of interaction with users.
Norman Sadeh is a Professor in the School of Computer Science as well as a CyLab faculty member. Professor Lorrie Cranor, Director of the CyLab Usable Privacy and Security (CUPS) Lab, will also be contributing to the project.