Unfalsifiability of security claims-Reference-Cited by-同舟云学术

Unfalsifiability of security claims

Published:2016-05-23 Issue:23 Volume:113 Page:6415-6420
ISSN:0027-8424
Container-title:Proceedings of the National Academy of Sciences
language:en
Short-container-title:Proc Natl Acad Sci USA

Author:

Herley Cormac

Abstract

There is an inherent asymmetry in computer security: Things can be declared insecure by observation, but not the reverse. There is no observation that allows us to declare an arbitrary system or technique secure. We show that this implies that claims of necessary conditions for security (and sufficient conditions for insecurity) are unfalsifiable. This in turn implies an asymmetry in self-correction: Whereas the claim that countermeasures are sufficient is always subject to correction, the claim that they are necessary is not. Thus, the response to new information can only be to ratchet upward: Newly observed or speculated attack capabilities can argue a countermeasure in, but no possible observation argues one out. Further, when justifications are unfalsifiable, deciding the relative importance of defensive measures reduces to a subjective comparison of assumptions. Relying on such claims is the source of two problems: once we go wrong we stay wrong and errors accumulate, and we have no systematic way to rank or prioritize measures.

Publisher

Proceedings of the National Academy of Sciences

Subject

Multidisciplinary

Reference20 articles.

1. Popper K (1959) Conjectures and Refutations: The Growth of Scientific Knowledge (Routledge, London).

2. Landau S (2013) Making sense from Snowden: What's significant in the NSA surveillance revelations. IEEE Security & Privacy, (4):54–63.

3. Godfrey-Smith P (2009) Theory and Reality: An Introduction to the Philosophy of Science (Univ of Chicago Press, Chicago).

4. Shostack A (2014) Threat Modeling: Designing for Security (John Wiley & Sons, Hoboken, NJ).

5. Schneider FB , Blueprint for a science of cybersecurity. National Security Agency: The Next Wave, 19(2):6–16, 2011.

Cited by 13 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. The Slow Violence of Surveillance Capitalism;2023 ACM Conference on Fairness, Accountability, and Transparency;2023-06-12

2. “There’s so much responsibility on users right now:” Expert Advice for Staying Safer From Hate and Harassment;Proceedings of the 2023 CHI Conference on Human Factors in Computing Systems;2023-04-19

3. The Etiology of Cybersecurity;Lecture Notes in Computer Science;2022

4. AI Risk Skepticism;Studies in Applied Philosophy, Epistemology and Rational Ethics;2022

5. No Time to Lie: Bounds on the Learning Rate of a Defender for Inferring Attacker Target Preferences;Lecture Notes in Computer Science;2021