DRAFTING SECURITY POLICY

Drafting Security Policy

Drafting Security Policy

Introduction

Setting up a security policy or security rules for a personal firewall, for application surveillance on one's computer, or for how a web browser should interacts with the privacy policies of visited web sites, is a difficult task. It is technically difficult in the sense that lay users must have some grasp of technical terms, the limitations of the policy system, and policy syntax or available options. It is also difficult for users to accept the whole concept in the first place, because users can easily perceive security measures as an extra strain whose benefit is not readily understood.

Drafting Security Policy

Still, at least one security tool for setting up security policies at runtime has succeeded: personal firewalls are on many people's personal computers and a fair number of non-expert users have come to appreciate and master them. But, firewalls are not very complex in their runtime rule syntax. They will either allow or disallow a network connection based on connection attributes - typically port and host - and the name of the local application.

Research has envisioned many advanced security policy systems and languages for end-users, ranging from runtime application rules, as seen in the Java runtime environment and rules for intrusion detection systems, to policy languages for trust negotiation (Seamons et al., 2002) and advanced access control (Herrmann and Krumm, 2001). So far, no usable end-user interface has been presented for any of these advanced security controls. Thus, we are interested in studying whether users can handle more advanced security policy set-up than firewall rules and what is required in a graphical user interface for this kind of task.

The contribution of our work is consequently to present and discuss concrete guidelines for enhancing the usability and security of software that delegates security decisions to lay users and captures these user decisions as a security policy. The guidelines have emerged from pre-studies described below on how users prefer to and are capable of setting up runtime security rules, from previous work on the usability of personal firewalls (Herzog and Shahmehri, 2007), from a usability study of a tool for off-line setting of Java security policies (Herzog and Shahmehri, 2006) and from literature studies on usability and security. The validity of our guidelines is supported by a prototype implementation of a tool for setting up an access control policy for Java applications that follows these guidelines and that was received positively by users.

We chose Java and the set-up of Java security policies because Java is a language that supports runtime monitoring of security properties. But, due to usability lapses (Herzog and Shahmehri, 2006) and because of alleged slowness of the Java security mechanism - which is only partially true as shown in Herzog and Shahmehri (2005) - this Java feature is seldom used. Consequently, our implementation fills a need in the Java community, but choosing Java also provides an extensible test bed for user interfaces for policy languages, because many policy languages - for example object-oriented Ponder ...