Important Dates

Final Deadline Extended!!
Camera-ready: 8 May 2009
 Author: 8 May 2009
 Early-bird: 22 June 2009

Sponsored by

Information about available sponsorship opportunities can be found in the Call for Patrons.
If you are interested in becoming a sponsor of the symposium, please contact the organisers (ieeepolicy2009@googlemail.com).


Monday, July 20, 2009
08:30AM - 09:30AM Registration
09:30AM - 10:00AM Opening Session
10:00AM - 11:00AM Keynote Talk: Is the user STILL the enemy?
Dr. Anne Adams, Institute of Educational Technology,
The Open University, UK
11:00AM - 11:30AM COFFEE BREAK
11:30AM - 1:00PM Session 1: Privacy and Security Management
Chair: Naftaly Minsky, Rutgers University, USA
Full Papers Abductive Authorization Credential Gathering (Best Student Paper Award)
Moritz Becker, Jason Mackay, Microsoft Research, USA
Blair Dillaway, Microsoft Corporation, USA.
Towards Session-aware RBAC Administration and Enforcement with XACML
Min Xu, George Mason University, USA
Duminda Wijesekera, George Mason University, USA
Xinwen Zhang, Samsung Information Systems America, USA
Deshan Cooray, George Mason University, USA.
Using Modeling and Simulation for Policy Decision Support in Identity Management
Marco Casassa Mont, Hewlett-Packard Labs, Great Britain
Adrian Baldwin, Simon Shiu, HP Labs Bristol, Great Britain.
2:30PM - 3:45PM Session 2: Short Papers
Chair: Ken Moody, University of Cambridge, UK
Short Papers Visualizing Access Control Policy Analysis Results
Prathima Rao, Gabriel Ghinita, Elisa Bertino, Purdue University, USA
Jorge Lobo, IBM T. J. Watson Research Center, USA.
Policies for Self Tuning Home Networks
Dimosthenis Pediaditakis, Leonardo Mostarda, Changyu Dong, Imperial College London, Great Britain
Naranker Dulay, Imperial College London, Great Britain.
Strong and Weak Policy Relations
Michael May, Kinneret College on the Sea of Galilee, Israel
Insup Lee, University of Pennsylvania, USA
Carl Gunter, UIUC, USA
Steve Zdancewic, University of Pennsylvania, USA.
Verification of Policy-Based Self-Managed Cell Interactions Using Alloy
Alberto Schaeffer-Filho, Imperial College London, Great Britain
Emil Lupu, Imperial College London, Great Britain
Morris Sloman, Susan Eisenbach, Imperial College London, Great Britain
An Entropy-based Countermeasure against Intelligent DoS Attacks Targeting Firewalls
Fahd Al-Haidari, KFUPM, Saudi Arabia
Mohammed Sqalli, King Fahd University of Petroleum & Minerals, Saudi Arabia
Jamil Hamodi, Khaled Salah, KFUPM, Saudi Arabia.
4:30PM - 6:00PM Session 3: Applications
Chair: Duminda Wijesekera, George Mason University, USA
Full Papers Apply Measurable Risk to Strengthen Security of a Role-based Delegation supporting Workflow System
Weili Han, Fudan University, P.R. China
Qun Ni, Hong Chen, Purdue University, USA.
Policy-based Real-time Decision-Making for Personalized Service Delivery
Jochen Bauknecht, NEC Laboratories Europe, Germany
Johannes Haeussler, Daniel Kraft, Marcus Kuhnen, Mario Lischka, NEC Europe Ltd., Germany
Anett Schuelke, NEC Laboratories Europe, Germany.
Model Checking Firewall Policy Configurations
Alan Jeffrey, Bell Labs, Alcatel-Lucent, USA
Taghrid Samak, DePaul University, USA.
Physics Department Common Room, 8th Floor, Physics Building, Prince Consort Road
Tuesday, July 21, 2009
9:00AM - 10:00AM Keynote Talk: Policy and IT
Claudio Bartolini, HP Labs, Palo Alto, USA
10:00AM - 10:30AM COFFEE BREAK
10:30AM - 12:00PM Session 4: Policy Refinement
Chair: Hanan Luftiyya, University of Western Ontario, Canada
Full Papers ChangeRefinery: Assisted Refinement of High-Level IT Change Requests
David Trastour, HP Labs, Great Britain
Robert Fink, Feng Liu, University of Munich, Germany.
Realizing the CDL Cross-Domain Language in the Ponder2 Policy Framework: Experiences and Research Directions
Roshan Thomas, Sparta, USA
Giovanni Russello, Imperial College London, Great Britain
Simon Tsang, Telcordia, USA.
Delegation Assistance
Achim Brucker, Helmut Petritsch, SAP Research, Germany
Andreas Schaad, SAP, Germany.
12:00PM - 1:00PM Poster and Demo Session
Demos ProActive Caching - A Framework for performance optimized Access Control Evaluations
Mathias Kohler, SAP AG, Germany
Robert Fies, SAP Research, Germany.
A Policy-based Sensor Selection System with Goal Oriented Singular Value Decomposition Technique
Hoi Chan, IBM T.J. Watson Research Center, USA
Thomas Kwok, IBM T.J. Research Center, USA.
2:30PM - 3:45PM Session 5: Short Papers
Chair: Alessandra Russo, Imperial College London, UK
Short Papers XACML Policy profile for multidomain Network Resource Provisioning and supporting Authorisation Infrastructure
Yuri Demchenko, Mihai Cristea, Cees de Laat, University of Amsterdam, The Netherlands.
Engineering a Policy-based Management System for Distributed Interoperability
Chiang Jason, Gary Levin, Shih-Wei Li, Telcordia, USA
Constantin Serban, Michelle Wolberg, Telcordia Technologies, USA
Ritu Chadha, Telcordia, USA.
A Digital Rights Management Model for Healthcare
Nicholas Sheppard, Reihaneh Safavi-Naini, Mohammad Jafari, University of Calgary, Canada.
POLIPO: Policies & OntoLogies for Interoperability, Portability, and autOnomy
Daniel Trivellato, Fred Spiessens, Nicola Zannone, TU/e, The Netherlands
Sandro Etalle, Eindhoven Technical University, The Netherlands.
Common Carrier Monitoring Service Providers
Carl Gunter, University of Illinois, USA.
4:30PM - 6:00PM Session 6: Systems and Tools
Chair: Yuri Demchenko, University of Amsterdam, The Netherlands
Full Papers Efficient XACML Policy Evaluation with a Statistics Based & Clustering Framework
Said Marouf, Mohamed Shehab, UNC Charlotte, USA
Anna Squicciarini, Smitha Sundareswaran, Penn State, USA.
Policy Processing: Don't Take it for Granted
Joseane Fidalgo, UFPE, Brazil
Carlos Kamienski, Universidade Federal do ABC (UFABC), Brazil
Ramide Dantas, Universidade Federal de Pernambuco, Brazil
Djamel Sadok, UFPE, Brazil
Boerje Ohlman, Ericsson Research, Sweden.
In Vivo Evolution of Policies that Govern a Distributed System
Constantin Serban, Telcordia Technologies, USA
Naftaly Minsky, Rutgers University, USA.
Bombay Brasserie, Courtfield Road, London SW7 4QH
Wednesday, July 22, 2009
9:00AM - 10:00AM Keynote Talk: Analysing policies for electronic voting
Dr. Mark Ryan, Department of Computer Science, University of Birmingham, UK
10:00AM - 10:30AM COFFEE BREAK
10:30AM - 12:00PM Session 7: Formal Semantics of Policies
Chair: Helge Janicke, De Montfort University, UK
Full Papers A Temporal Description Logic Based Access Control Model for Expressing History Constrained Policies in Semantic Web Environments
Fathieh Faghih, Sharif University of Technology, Iran.
Access Control Policies for Semantic Networks
Tatyana Ryutov, USC Information Sciences Institute, USA.
Formalization and Management of Group Obligations
Yehia El Rakaiby, TELECOM-Bretagne, France
Frederic Cuppens, Nora Cuppens-Boulahia, TELECOM Bretagne, France.
12:00PM - 1:30PM Panel Discussion: W(h)ither Policy 2020?
Chair: Arosha Bandara, The Open University, UK
  This is the 10th anniversary year for the conference and therefore an opportunity to look ahead and set the challenges for the next 10 years of research. Therefore, this year's panel discussion will try and address the following:
  • What have been the major accomplishments of policy-based management?
  • What are the major challenges ahead?
  • Which research topics should we be focussing on? Which ones have we investigated to death?
  • How should we broaden the application areas of policy-based management? e.g., pervasive systems
  • What will be the killer application that catapults policy-based management into wide scale use?
  • Is standardisation dead?
The panel comprises experts in the field, drawn from both academia and industry:
  • Prof. Naftaly Minsky, Rutgers University, USA
  • Dr. Theo Dimitrakos, CISSR, British Telecom, UK
  • Prof. Marek Sergot, Imperial College London, UK
  • Prof. Duminda Wijesekera, George Mason University, USA
2:30PM - 4:00PM Session 8: Short Papers
Chair: Scott Newman, US Army CERDEC, USA
Short Papers An XACML Extension for Business Process-centric Access Control Policies
Christian Wolter, SAP Research, Germany.
Towards consistency of policy states in decentralized autonomic network management
Jeferson Nobre, Lisandro Zambenedetti Granville, UFRGS, Brazil.
The Zodiac Policy Subsystem: a Policy-Based Management System for a High-security MANET
Yuu-Heng Cheng, Scott Alexander, Alexander Poylisher, Telcordia, USA
Mariana Raykova, Steven Bellovin, Columbia University, USA.
xDUCON: Cross Domain Usage Control through Shared Data Spaces
Giovanni Russello, Naranker Dulay, Imperial College London, Great Britain.
Detecting Conflicts in ABAC Policies with Rule-reduction and Binary-search Techniques
Cheng-chun Shu, ICT, CAS, P.R. China
Erica Yang, Alvaro Arenas, Science and Technology Facility Council, UK, Great Britain.
Mapping Policies to Management Systems
Abdelnasser Ouda, University of Western Ontario, Canada
Michael Bauer, Hanan Luftiyya, University of Western Ontario, Canada.


Is the user STILL the enemy?
Dr. Anne Adams, Institute of Educational Technology, The Open University, UK


Global communications is a powerful force in advancing the freedom of information. However, with an increase in different types of personal data, as well as functionality for accessing and using such data, there are associated risks. The limit of users' acceptability for these risks is of the utmost importance because perceived infringements of security can lead to a rejection of communication technology thus decreasing its commercial viability. This presentation will review over 10 years of research with various multimedia, virtual reality, mobile, pervasive and web2 technologies in academic, industrial and public sectors. The findings highlight designers' natural preference for replicating real world scenarios virtually. Technology, however, can distort that world, making natural assumptions inaccurate. This presentation shows how this has serious implications for the past, present and future approaches to security policy making. Over 10 years ago a plea was sent out to security policy makers to change their adversarial approach. Major threats to security were identified as not necessarily from malicious intent but inadvertently supported by the technology and policies for implementation. The question now is: what have we learnt?


Dr. Anne Adams is a Lecturer in the Institute of Educational Technology at the Open University, a visiting Senior Lecturer at the Middlesex University Interaction Design Centre and previously an external examiner for the Royal College of Surgeons and Bath University. From an interdisciplinary background in psychology, ergonomics and computing Dr. Adams has developed a wide range of research interests varying from digital libraries to security and HCI, the social impacts of technology, CSCW and has recently written several chapters on research methods in HCI. Initial UCL research focused on security and usability reviewing authentication mechanisms and users' perceptions of privacy within multimedia communications. Later projects on digital resources, awareness and mobile devices identified the importance of context in technology design. Finally a position at Nottingham University advanced her research into mobile and ubiquitous technology. Previous research projects were based within a variety of organisations from industry (i.e. telecommunications and building) to clinical (e.g. NHS, Department of Health) and academic settings. Her current work at the Open University has focused on technology enhanced learning and practice based learning through the Open CETL. She is a member of the ACM, has been on the committee for the BCS HCI group and has organised and contributed to international forums on Healthcare and Mobile Digital Libraries. She has presented at and chaired sessions at international conferences and been both an invited and keynote speaker for academic, industrial and health organisations across the world including the Royal Society of Medicine, Google, Royal College of Surgeons, the Higher Education Academy and Microsoft.

Policy and IT
Claudio Bartolini, HP Labs, Palo Alto, USA


The traditional domain of application of industrial and academic research on policy has been distributed systems and networks. Within it, research on information security policy has been a particularly fertile field. In this talk, I'll explore the impact of policy onto all dimensions of IT: not just technology (systems and networks), but also - and especially - people and processes. With this exploration, I'll show that information security is just one of the preoccupations of a chief information officer (CIO): setting policies for a medium or large IT organization requires setting policy for other processes, such as change release, service requests, help desk procedures etc. I'll discuss the impact of policy choices and highlight research challenges in policy for the wider domain of IT. In particular I will touch on some recent work carried out with HP Labs colleagues on model-based and market-based decision support techniques for understanding the impact and consequences of IT policy choices onto the organization.


Claudio Bartolini manages the predictive IT analytics research group in HP Labs Palo Alto and Bristol. He's been with HP Labs since 1996 holding a variety of technical positions at Bristol and Palo Alto. He has published extensively and has been granted patents in the domains of IT service management and e-commerce. He has organized and taken part in the technical committees of many editions of IM, NOMS, DSOM and POLICY, among others. Claudio holds an M.Sc E.E. from the University of Bologna, Italy and a Ph.D. in Information Engineering from the University of Ferrara, Italy.

Analysing policies for electronic voting
Dr. Mark Ryan, Department of Computer Science, University of Birmingham, UK


Electronic voting systems have subtle and often apparently conflicting requirements that have proved very difficult to provide in practice. On the one hand, the requirement of "vote verifiability" enables a voter to check that her vote is included in the final tally. On the other hand, a voter should not be able to prove to another party that she voted in a particular way, in order to protect her from coercion. These properties may appear to contradict each other. In the talk, we discuss how the properties can be formalised, and how particular systems can be analysed to check whether they satisfy the policies.


Mark Ryan obtained his bachelor's and master's degrees from University of Cambridge, and his PhD from Imperial College London. He is Reader in Computer Science at University of Birmingham. His current research is in computer security, particularly the analysis of cryptographic protocols. He has recently worked on protocols for electronic voting, trusted computing, and anonymous service usage. Previously, he was active in applications of logic, and he co-authored the textbook "Logic in Computer Science" which has sold about 20 000 copies. Ryan's research is supported by EPSRC, as well as Microsoft and Hewlett Packard.