Toward a Safer and More Secure Cyberspace (2007)
Computer Science and Telecommunications Board (CSTB)

"6 Category 3 - Promoting Deployment." Toward a Safer and More Secure Cyberspace. Washington, DC: The National Academies Press, 2007.

Page 168

determines the security policy appropriate for the roles in an organization rather than the individuals (a role can be established for a class of individuals, such as doctors in a hospital, or for a class of devices, such as all wireless devices). However, since individuals may have multiple roles, reconciling conflicting privileges can be problematic.

Other major open issues and research areas include the enforcement of security policies (as discussed in Section 6.1) and the determination of how effective a given security policy is in regulating desirable and undesirable behavior. These two areas (that is, enforcement and auditability) have been made more significant in recent years by an evolving regulatory framework that has placed new compliance responsibilities on organizations (e.g., Sarbanes-Oxley Act of 2002 [P.L. No. 107-204, 116 Stat. 745]; Gramm-Leach-Bliley Act [15 U.S.C., Subchapter I, Sec. 6801-6809, Disclosure of Nonpublic Personal Information]; the Health Insurance Portability and Accountability Act (HIPAA) of 1996; and so on). Another open question in this space involves the effectiveness of using outsourced firms to audit security policies.
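The two issues raised above, that an individual holding several roles can inherit conflicting privileges and that policy enforcement needs to be auditable, as an added example that is not code from the report: a small role-based policy evaluator with an explicit combining rule and an audit record per decision. The role, user and resource names are constructed sample data.

```python
"""Role-based access control with explicit reconciliation of conflicting
privileges. Added example, not from the report: a user holding several roles
may inherit both a permit and a deny for one request; the combining rule
decides, and each decision is logged so the policy can be audited."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    role: str
    resource: str
    action: str
    effect: str  # "permit" or "deny"


@dataclass
class Policy:
    rules: list
    user_roles: dict  # user -> set of role names (constructed sample data)
    audit_log: list = field(default_factory=list)

    def decide(self, user, resource, action, combining="deny-overrides"):
        roles = self.user_roles.get(user, set())
        applicable = [r for r in self.rules if r.role in roles
                      and r.resource == resource and r.action == action]
        effects = {r.effect for r in applicable}
        if not applicable:
            decision = "deny"  # closed policy: no applicable rule, no access
        elif combining == "deny-overrides":
            decision = "deny" if "deny" in effects else "permit"
        elif combining == "permit-overrides":
            decision = "permit" if "permit" in effects else "deny"
        else:
            raise ValueError(f"unknown combining rule {combining!r}")
        # Audit record: who asked for what, which roles and rules applied,
        # whether they conflicted, and the outcome.
        self.audit_log.append({"user": user, "resource": resource, "action": action,
                               "roles": sorted(roles), "conflict": len(effects) > 1,
                               "rules": [(r.role, r.effect) for r in applicable],
                               "decision": decision})
        return decision


def sample_policy():
    # Constructed hospital scenario: doctors and nurses may read patient
    # records, the researcher role may not; alice is both doctor and researcher.
    rules = [Rule("doctor", "patient_record", "read", "permit"),
             Rule("nurse", "patient_record", "read", "permit"),
             Rule("researcher", "patient_record", "read", "deny")]
    users = {"alice": {"doctor", "researcher"}, "bob": {"nurse"}, "carol": set()}
    return Policy(rules, users)
```

Switching the combining rule from deny-overrides to permit-overrides flips alice's outcome, which is exactly the reconciliation choice the text calls problematic; the audit log records which rules were weighed either way.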

Additional areas for research include ways to simulate the effects and feasibility of security policies; how to keep policies aligned with organizational goals (especially in multipolicy environments); methods for automating security policies or making them usable by machines; how to apply and manage security policies with respect to evolving technology such as distributed systems, handheld devices, electronic services (or Web services), and so on; and ways to reconcile security policies of different organizations that might decide to communicate or share information or resources.
