Security policy audits: why and how
Arvind Narayanan, Kevin Lee

TL;DR
This paper emphasizes the importance of security policies and processes, highlighting their flaws through audits that reveal vulnerabilities exploited by low-tech attackers, and advocates for more research in this area.
Contribution
It introduces a series of security policy audits exposing critical policy flaws affecting billions of users and advocates for increased focus on policies and processes in security research.
Findings
Policy flaws can be exploited by low-tech attackers
Audits reveal vulnerabilities affecting billions
Need for policy-based solutions
Abstract
Information security isn't just about software and hardware -- it's at least as much about policies and processes. But the research community overwhelmingly focuses on the former over the latter, while gaping policy and process problems persist. In this experience paper, we describe a series of security policy audits that we conducted, exposing policy flaws affecting billions of users that can be -- and often are -- exploited by low-tech attackers who don't need to use any tools or exploit software vulnerabilities. The solutions, in turn, need to be policy-based. We advocate for the study of policies and processes, point out its intellectual and practical challenges, lay out our theory of change, and present a research agenda.
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Access Control and Trust
