
Hanan Hibshi

Office: Wean Hall - WEH 4125
Phone: 412-268-4885
Email: hhibshi [at] cmu [dot] edu

About Me

I am a Ph.D. student in the Societal Computing program at the School of Computer Science at Carnegie Mellon University. In May 2011, I received my Master's degree in Information Security Technology & Management from the Information Networking Institute (INI) at Carnegie Mellon University. Before coming to CMU, I worked as a Teaching Assistant at King Abdul-Aziz University for one year, and before that I worked in the banking industry for almost four years.


My research interests are usable security and privacy requirements. Given the many different threats facing technology users today, and people's heavy reliance on those technologies, it is important to understand how security analysts make decisions and assess risk, in a way that helps quantify security risk, prioritize requirements, and draw dependence relationships among security requirements.

Currently, I am working with Dr. Travis Breaux in the Requirements Engineering Laboratory at CMU. We work primarily on security requirements, where we aim to make security requirements more usable by experts, developers, and systems engineers. This research area is highly interdisciplinary, combining theories and practices from psychology, decision science, computer security, information sciences, fuzzy logic, and other fields.

Privacy research is another area in which I find it interesting to apply this interdisciplinary approach. I have also worked as a teaching assistant for two privacy courses at CMU: Privacy Policy, Law, and Technology; and Engineering Privacy in Software.

I am a student member of the CyLab Usable Privacy and Security (CUPS) Laboratory at CMU, directed by Dr. Lorrie Cranor. Dr. Cranor advised my Master's thesis, Usability of Digital Forensics Tools, and we continue to work together on research that improves the usability of such security tools.

Thesis Abstract

[Download Thesis Proposal in PDF]

Providing secure solutions for information systems relies on decisions made by expert security professionals. These professionals must be able to align threats with existing vulnerabilities in order to select the mitigations needed to minimize security risk. Despite the abundance of security controls, guidelines, and checklists, security experts rely mostly on their background knowledge and experience when making security-related decisions. I plan to explore how security experts make such decisions, collect their assessments of security measures nested in scenarios, and extract security mitigation rules. These rules could be used to build an intelligent fuzzy-logic recommendation system that captures the combined knowledge of many experts. Security knowledge is extracted from experts empirically through user studies, applying factorial vignettes to capture the experts' assessments of mitigations in scenarios composed of many components that affect the decision-making process. The results are analyzed with multilevel modeling in order to capture the weights and priorities assigned to security requirements. The outcome of the analysis will be used to generate membership functions for a type-2 fuzzy logic system. The corresponding fuzzy rule sets encode the interpersonal and intrapersonal uncertainty among experts in decision-making. This work explores security decision-making in the presence of composite security requirements, varying expertise, and uncertainty.