Goal: To develop a scientific understanding of what makes security policies complex as well as metrics for measuring security policy complexity, defined as the degree of difficulty in understanding by relevant users.

Research Questions: What is the right way to define security policy complexity? How should we measure users' ability to understand and specify security policies? What features of policy languages or policies make them inherently more complex? Can we transform a security policy into a logically equivalent one that has lower complexity? In other words, is today's high complexity for security policies accidental or inherent?