“If you were attacked, you’d be sorry”: Counterfactuals as security arguments

Cormac Herley, Wolter Pieters

  • 5 Citations

Abstract

Counterfactuals (or what-if scenarios) are often employed as security arguments, but the dos and don’ts of their use are poorly understood. They are useful to discuss vulnerability of systems under threats that haven’t yet materialized, but they can also be used to justify investment in obscure controls. In this paper, we shed light on the role of counterfactuals in security, and present conditions under which counterfactuals are legitimate arguments, linked to the exclusion or inclusion of the threat environment in security metrics. We provide a new paradigm for security reasoning by deriving essential questions to ask in order to decide on the acceptability of specific counterfactuals as security arguments, which can serve as a basis for further study in this field. We conclude that counterfactuals are a necessary evil in security, which should be carefully controlled.
Original language: Undefined
Title of host publication: New Security Paradigm Workshop (NSPW)
Place of Publication: New York
Publisher: Association for Computing Machinery
Pages: 112-123
Number of pages: 12
ISBN (Print): 978-1-4503-3754-0
DOIs: 10.1145/2841113.2841122
State: Published - Sep 2015

Publication series

Name
Publisher: ACM

Fingerprint

Threat
Inclusion
Scenarios
Acceptability
Evil
Controlled
Exclusion
Vulnerability
New paradigm

Keywords

  • SCS-Cybersecurity
  • EWI-26393
  • IR-97946
  • EC Grant Agreement nr.: FP7/318003
  • METIS-314989
  • EC Grant Agreement nr.: FP7/2007-2013

Cite this

Herley, C., & Pieters, W. (2015). “If you were attacked, you’d be sorry”: Counterfactuals as security arguments. In New Security Paradigm Workshop (NSPW) (pp. 112-123). New York: Association for Computing Machinery. DOI: 10.1145/2841113.2841122

Herley, Cormac; Pieters, Wolter / “If you were attacked, you’d be sorry”: Counterfactuals as security arguments.

New Security Paradigm Workshop (NSPW). New York : Association for Computing Machinery, 2015. p. 112-123.

Research output: Scientific - peer-review; Conference contribution

@inbook{4e404e59f1bd4d878c717d4af1410b65,
title = "“If you were attacked, you’d be sorry”: Counterfactuals as security arguments",
abstract = "Counterfactuals (or what-if scenarios) are often employed as security arguments, but the dos and don’ts of their use are poorly understood. They are useful to discuss vulnerability of systems under threats that haven’t yet materialized, but they can also be used to justify investment in obscure controls. In this paper, we shed light on the role of counterfactuals in security, and present conditions under which counterfactuals are legitimate arguments, linked to the exclusion or inclusion of the threat environment in security metrics. We provide a new paradigm for security reasoning by deriving essential questions to ask in order to decide on the acceptability of specific counterfactuals as security arguments, which can serve as a basis for further study in this field. We conclude that counterfactuals are a necessary evil in security, which should be carefully controlled.",
keywords = "SCS-Cybersecurity, EWI-26393, IR-97946, EC Grant Agreement nr.: FP7/318003, METIS-314989, EC Grant Agreement nr.: FP7/2007-2013",
author = "Cormac Herley and Wolter Pieters",
note = "Foreground = 50% ;Type of activity = workshop;Main leader = UT;Type of audience = scientific community; Size of audience = 35;Countries addressed = International;",
year = "2015",
month = "9",
doi = "10.1145/2841113.2841122",
isbn = "978-1-4503-3754-0",
publisher = "Association for Computing Machinery",
pages = "112--123",
booktitle = "New Security Paradigm Workshop (NSPW)",
address = "United States",

}

Herley, C & Pieters, W 2015, “If you were attacked, you’d be sorry”: Counterfactuals as security arguments. in New Security Paradigm Workshop (NSPW). Association for Computing Machinery, New York, pp. 112-123. DOI: 10.1145/2841113.2841122


TY - CHAP

T1 - “If you were attacked, you’d be sorry”: Counterfactuals as security arguments

AU - Herley,Cormac

AU - Pieters,Wolter

N1 - Foreground = 50% ;Type of activity = workshop;Main leader = UT;Type of audience = scientific community; Size of audience = 35;Countries addressed = International;

PY - 2015/9

Y1 - 2015/9

N2 - Counterfactuals (or what-if scenarios) are often employed as security arguments, but the dos and don’ts of their use are poorly understood. They are useful to discuss vulnerability of systems under threats that haven’t yet materialized, but they can also be used to justify investment in obscure controls. In this paper, we shed light on the role of counterfactuals in security, and present conditions under which counterfactuals are legitimate arguments, linked to the exclusion or inclusion of the threat environment in security metrics. We provide a new paradigm for security reasoning by deriving essential questions to ask in order to decide on the acceptability of specific counterfactuals as security arguments, which can serve as a basis for further study in this field. We conclude that counterfactuals are a necessary evil in security, which should be carefully controlled.

AB - Counterfactuals (or what-if scenarios) are often employed as security arguments, but the dos and don’ts of their use are poorly understood. They are useful to discuss vulnerability of systems under threats that haven’t yet materialized, but they can also be used to justify investment in obscure controls. In this paper, we shed light on the role of counterfactuals in security, and present conditions under which counterfactuals are legitimate arguments, linked to the exclusion or inclusion of the threat environment in security metrics. We provide a new paradigm for security reasoning by deriving essential questions to ask in order to decide on the acceptability of specific counterfactuals as security arguments, which can serve as a basis for further study in this field. We conclude that counterfactuals are a necessary evil in security, which should be carefully controlled.

KW - SCS-Cybersecurity

KW - EWI-26393

KW - IR-97946

KW - EC Grant Agreement nr.: FP7/318003

KW - METIS-314989

KW - EC Grant Agreement nr.: FP7/2007-2013

U2 - 10.1145/2841113.2841122

DO - 10.1145/2841113.2841122

M3 - Conference contribution

SN - 978-1-4503-3754-0

SP - 112

EP - 123

BT - New Security Paradigm Workshop (NSPW)

PB - Association for Computing Machinery

ER -

Herley C, Pieters W. “If you were attacked, you’d be sorry”: Counterfactuals as security arguments. In New Security Paradigm Workshop (NSPW). New York: Association for Computing Machinery. 2015. p. 112-123. Available from, DOI: 10.1145/2841113.2841122