“If you were attacked, you’d be sorry”: Counterfactuals as security arguments

Cormac Herley, Wolter Pieters

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

  • 5 Citations

Abstract

Counterfactuals (or what-if scenarios) are often employed as security arguments, but the dos and don’ts of their use are poorly understood. They are useful to discuss vulnerability of systems under threats that haven’t yet materialized, but they can also be used to justify investment in obscure controls. In this paper, we shed light on the role of counterfactuals in security, and present conditions under which counterfactuals are legitimate arguments, linked to the exclusion or inclusion of the threat environment in security metrics. We provide a new paradigm for security reasoning by deriving essential questions to ask in order to decide on the acceptability of specific counterfactuals as security arguments, which can serve as a basis for further study in this field. We conclude that counterfactuals are a necessary evil in security, which should be carefully controlled.
Language: Undefined
Title of host publication: New Security Paradigm Workshop (NSPW)
Place of Publication: New York
Publisher: Association for Computing Machinery
Pages: 112-123
Number of pages: 12
ISBN (Print): 978-1-4503-3754-0
DOIs: 10.1145/2841113.2841122
State: Published - Sep 2015

Publication series

Name
Publisher: ACM

Keywords

  • SCS-Cybersecurity
  • EWI-26393
  • IR-97946
  • EC Grant Agreement nr.: FP7/318003
  • METIS-314989
  • EC Grant Agreement nr.: FP7/2007-2013

Cite this

Herley, C., & Pieters, W. (2015). “If you were attacked, you’d be sorry”: Counterfactuals as security arguments. In New Security Paradigm Workshop (NSPW) (pp. 112-123). New York: Association for Computing Machinery. DOI: 10.1145/2841113.2841122
@inproceedings{4e404e59f1bd4d878c717d4af1410b65,
title = "“If you were attacked, you’d be sorry”: Counterfactuals as security arguments",
keywords = "SCS-Cybersecurity, EWI-26393, IR-97946, EC Grant Agreement nr.: FP7/318003, METIS-314989, EC Grant Agreement nr.: FP7/2007-2013",
author = "Cormac Herley and Wolter Pieters",
note = "Foreground = 50{\%} ;Type of activity = workshop;Main leader = UT;Type of audience = scientific community; Size of audience = 35;Countries addressed = International;",
year = "2015",
month = "9",
doi = "10.1145/2841113.2841122",
language = "Undefined",
isbn = "978-1-4503-3754-0",
publisher = "Association for Computing Machinery",
pages = "112--123",
booktitle = "New Security Paradigm Workshop (NSPW)",
address = "United States",

}
