We are now accepting applications for a new Ph.D. student to join our research group. There are many great programs to consider, for example:

• Societal Computing Ph.D. program
• Software Engineering Ph.D. program

The choice of which program to apply to depends on one's preferences with regard to your professional and intellectual interests, curriculum requirements, other student interests in the programs, etc.

Anmol Singhal, Ph.D. Student in Societal Computing. Mr. Singhal is interested in deep learning and natural language processing with applications to information extraction, document processing and legal language processing.

Sarah Santos, Ph.D. Student in Software Engineering. Ms. Santos is interested in program analysis, synthesis and verification in the domain of computational law and security.

Yuchen Shen, Ph.D. Student in Software Engineering. Ms. Shen is interested in machine learning and is currently working on natural language models of privacy

Jaspreet Bhatia, received the Ph.D. in Software Engineering in 2019 for successfully defending her dissertation, entitled Ambiguity in Privacy Policies and Perceived Privacy Risk

Dr. Hanan Hibshi received the Ph.D. in Societal Computing in 2019 for successfully defending her dissertation, entitied Composite Security Requirements in the Presence of Uncertainty.

Dr. Dave Gordon received the Ph.D. in Engineering and Public Policy in 2014 for successfully defending his dissertation, entitled Without Borders: Addressing Legal Requirements in Multi-Jurisdictional IT Environments.

Legal Accountability and Software Quality

Summary: As software innovation challenges societal norms, companies need new design methods and tools to enable legal analysts and software engineerings to collaborate on design. These tools can shift legal compliance from an oversight activity to a principal design activitiy, in which which accountability to law is a quality of the of software. This project aims to tackle several problems, including: (1) developers lack awareness that their software is regulated, and generally discover this fact late in the design process after key design decisions have been made; (2) upon discovery, developers struggle with legal ambiguity when deciding how best to comply with law; (3) developers struggle with balancing trade-offs between legal requirements and business objectives; and (4) as software evolves, developers may not realize the need to restart compliance discussions with their legal teams. See the project page for more information.

• $750,000, NSF Designing Accountable Software Systems (DASS) Award #2217582, National Science Foundation, Aug 2022 - Sep 2025

Formal Analysis and Specification of Privacy and Security Requirements

Summary: As companies increasingly share sensitive, personal information, software developers need tools to design privacy-preserving and security systems. We proposed a formal language to express minimal privacy policies in Description Logic, which can be checked for compliance with the OECD collection and use limitation principles (Breaux, Smullen, Hibshi, 2015). This work was extended to check information flows in mobile applications for violations of privacy policies (Slavin et al., 2016). To help developers prioritize sensitive information when investing resources in privacy controls, we developed a new method to measure perceived privacy risk, and show how risk perception is affected by vagueness (Bhatia, Breaux, Reidenberg, Norton, 2016). Underpinning the challenge of formalizing privacy policy, however, is a substantial ontology challenge as different parties use different terms to describe data.

• $514,221, NSF Small Award #2007298, National Science Foundation, Jun 2020 - May 2023
• $693,716, NSF Frontier Award #1330596, National Science Foundation, Sep 2013 - Feb 2017
• $139,811, National Security Agency, Mar 2016 - Feb 2017
• $349,809, Office of Naval Research, Dec 2011 - May 2017

Empirical Security Assessments through Expert Judgements

Summary: Our prior research shows that software developers employ considerable domain knowledge when translating regulations, policies and standards into system requirements [Breaux & Baumer, 2011]. This project aims to adapt theory from cognitive psychology and judgement and decision making to develop an experimental framework and theory for expressing, selecting and applying requirements to improve security. This includes studies of analyst situational awareness (Hibshi, Breaux, Riaz, Williams, 2016). Recently, Hibshi developed a method to collect expert security judgements (Hibshi, Breaux, Broomell, 2015), which she has formalized using Interval Type 2 Fuzzy Logic (Hibshi, Breaux, Wagner, 2016).

• $179,625, Engineering and Physical Sciences Research Council, Jan 2017 - Dec 2019
• $120,000, Office of Naval Research, Feb 2017 - May 2018
• $146,670, National Security Agency, Apr 2015 - Mar 2016
• $260,000, National Security Agency, Dec 2011 - Nov 2013

Multi-Jurisdictional Compliance for Distributed Software Systems

Summary: Increasingly, information systems are distributed across the physical and logical borders of nations, states and provinces. We see this trend emerging in mobile, social and cloud-based computing. The challenge for business analysts and software designers is to determine which set of requriements govern their systems as software and data move across these borders. This project aims to understand the "dynamics" of this multi-jurisdictional ecosystem to help analysts and designers develop legally compliant systems. The outcome of this research is empirically valid methods and tools that have been evaluated in real-world data.

• $600,000, NSF CAREER Award #1453139, National Science Foundation, Sep 2015 - Aug 2020
• $150,000, HPL IRP Award #CW267287 and HP Cloud & Security Lab, Oct 2011 - Sep 2013
• $175,000, DHS Award #2006-CS-001-000001, via the I3P, Feb 2011 - Jul 2012

For more information, please see our research website.