Information Security as Strategic (In)effectivity
Wojciech Jamroga, Masoud Tabatabaei
TL;DR
This paper redefines information security as a means to prevent harm rather than an absolute goal, proposing a harm-based comparison of information flows to assess security effectiveness.
Contribution
It introduces a harm-based framework for evaluating information flow security, contrasting it with classical noninterference, and formalizes how to compare adversarial capabilities.
Findings
Information flow security can be measured by harm potential.
A system is secure if it does not enable more harm than an idealized version.
The harm-based approach aligns security assessment with practical attacker impacts.
Abstract
Security of information flow is commonly understood as preventing any information leakage, regardless of how grave or harmless consequences the leakage can have. In this work, we suggest that information security is not a goal in itself, but rather a means of preventing potential attackers from compromising the correct behavior of the system. To formalize this, we first show how two information flows can be compared by looking at the adversary's ability to harm the system. Then, we propose that the information flow in a system is effectively information-secure if it does not allow for more harm than its idealized variant based on the classical notion of noninterference.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsSecurity and Verification in Computing · Advanced Malware Detection Techniques · Network Security and Intrusion Detection