Workshop on Assurable & Usable Security Configuration (SafeConfig)

Collocated with ACM CCS 2009, Chicago, USA, November 9, 2009


A typical enterprise network might have hundreds of security devices such as firewalls, IPSec gateways, IDS/IPS, authentication servers, authorization/RBAC servers and crypto systems. These must be logically integrated into a security architecture satisfying security goals at and across multiple networks. Logical integration is accomplished by consistently setting thousands of configuration variables and rules on the devices. The configuration must be constantly adapted to optimize protection and block prospective attacks. The configuration must be tuned to balance security with usability. These challenges are compounded by the deployment of mobile devices and ad hoc networks. The resulting security configuration complexity places a heavy burden on both regular users and experienced administrators and dramatically reduces overall network assurability and usability. For example, a December 2008 report from Center for Strategic and International Studies "Securing Cyberspace for the 44th Presidency" states that "inappropriate or incorrect security configurations … were responsible for 80% of Air Force vulnerabilities" and a May 2008 report from Juniper Networks "What is Behind Network Downtime?" states that "human factors … [are] responsible for 50 to 80 percent of network device outages".

The first event of this workshop was invitation-only and sponsored by NSF to promote research in this area. This workshop has an open call for papers and aims to bring together academic as well as industry researchers to exchange experiences, discuss challenges and propose solutions for offering assurable and usable security. The workshop will consist of presentations and panel discussions on the following topics:

Topics

* Integrating network and host configuration
* Automated forensics and mitigation
* Metrics for measuring assurability and usability: usable security often involves trade-offs between security or privacy and usability/utility
* Abstract models and languages for configuration specification
* Configuration refinement and enforcement
* Configuration of MANETs and coalition networks
* Formal semantics of security policies /map policies to configuration
* Configuration testing, debugging and evaluation
* Reasoning about uncertainty in configuration management
* Representation of belief, trust, and risk in security policies
* Configuration/misconfiguration visualization
* Configuration reasoning and conflict analysis
* Risk adaptive configuration systems
* Context-aware security configuration for pervasive and mobile computing
* Configuration accountability
* Automated signature and patch management
* Automated alarm management
* Protecting the privacy and integrity of security configuration
* Optimizing security, flexibility and performance
* Measurable metric of flexibility and usability
* Design for flexibility and manageability - clean slate approach
* Configuration management vs. least-privilege

Papers must present original work and must be written in English. We require that the authors use the ACM format for papers, using one of the ACM SIG Proceeding Templates (http://www.acm.org/sigs/pubs/proceed/template.html). We solicit two types of papers, regular papers and position papers. The length of the regular papers in the proceedings format should not exceed 8 US letter pages, excluding well-marked appendices. Committee members are not required to read the appendices, so papers must be intelligible without them. Position papers may not exceed 4 pages. Papers are to be submitted electronically as a single PDF file. For paper REGISTRATION, check this link http://edas.info/N7880. The accepted papers will be published in the workshop proceedings and the ACM Digital Library. Student and author scholarships are available for workshop presenters.

Important Dates

Abstract Registration Deadline: June 26, 2009 (optional)
Paper Submission Deadline: August 5, 2009 (EXTENDED)
Review Notification: August 20, 2009
Camera Ready Due: August 22, 2009

Committee

General Chairs:
Ehab Al-Shaer, DePaul University
Mohamed Gouda, UT Austin

TPC Co-Chairs:
Jorge Lobo, IBM Watson
Sanjai Narain, Telcordia
Felix Wu, UC Davis

Technical Program Committee:
Gail-Joon Ahn (Arizona State University)
Steven Bellovin (Columbia University)
Elisa Bertino (Purdue University)
Lorrie Cranor (Carnegie Mellon University)
Annarita Giani (UC Berkeley)
Vincent Hu (NIST)
Chin-Tser Huang (University of South Carolina)
George Kesidis (Pennsylvania State University)
Hong Li (Intel Corporation)
Ninghui Li (Purdue University)
Heather Lipford (University of North Carolina at Charlotte)
Alex Liu (Michigan State University)
Xinming Ou (Kansas State University)
Sanjay Rao (Purdue University)
Indrajit Ray (Colorado State University)
Subhabrata Sen (AT&T Labs - Research)
Mohamed Shehab (University of North Carolina at Charlotte)
Frederick Sheldon (Oak Ridge National Laboratory)
Sreedhar Vugranam (IBM T.J. Watson Research Center)
Jia Wang (AT&T Labs - Research)
Geoffrey Xie (Naval Postgraduate School)