“If you were attacked, you’d be sorry‿: Counterfactuals as security arguments

Cormac Herley, Wolter Pieters

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    8 Citations (Scopus)

    Abstract

    Counterfactuals (or what-if scenarios) are often employed as security arguments, but the dos and don’ts of their use are poorly understood. They are useful to discuss vulnerability of systems under threats that haven’t yet materialized, but they can also be used to justify investment in obscure controls. In this paper, we shed light on the role of counterfactuals in security, and present conditions under which counterfactuals are legitimate arguments, linked to the exclusion or inclusion of the threat environment in security metrics. We provide a new paradigm for security reasoning by deriving essential questions to ask in order to decide on the acceptability of specific counterfactuals as security arguments, which can serve as a basis for further study in this field. We conclude that counterfactuals are a necessary evil in security, which should be carefully controlled.
    Original languageUndefined
    Title of host publicationNew Security Paradigm Workshop (NSPW)
    Place of PublicationNew York
    PublisherAssociation for Computing Machinery (ACM)
    Pages112-123
    Number of pages12
    ISBN (Print)978-1-4503-3754-0
    DOIs
    Publication statusPublished - Sep 2015
    Event2015 New Security Paradigms Workshop, NSPW 2015 - Twente, Netherlands
    Duration: 8 Sep 201511 Sep 2015

    Publication series

    Name
    PublisherACM

    Workshop

    Workshop2015 New Security Paradigms Workshop, NSPW 2015
    Abbreviated titleNSPW
    CountryNetherlands
    CityTwente
    Period8/09/1511/09/15

    Keywords

    • SCS-Cybersecurity
    • EWI-26393
    • IR-97946
    • EC Grant Agreement nr.: FP7/318003
    • METIS-314989
    • EC Grant Agreement nr.: FP7/2007-2013

    Cite this

    Herley, C., & Pieters, W. (2015). “If you were attacked, you’d be sorry‿: Counterfactuals as security arguments. In New Security Paradigm Workshop (NSPW) (pp. 112-123). New York: Association for Computing Machinery (ACM). https://doi.org/10.1145/2841113.2841122