I’ve recently read “Quantified Security is a Weak Hypothesis,” a paper which Vilhelm Verendel published at NSPW09. We’re discussing it in email, and I think it deserves some broader attention. My initial note was along these lines:
I think the paper’s key hypothesis “security can be correctly represented with quantitative information” is overly broad. Can you replace the term security with something more precise? For example, I would take issue with the claim “health can be correctly represented…” but there are lots of usefully measurable aspects of health. Also, I would argue that there are lots of useful things which are not correct. (In this I take the view that we can disprove hypotheses and thus come closer to correct, but the best we do is either “wrong” or “well tested and not easily shown false.”) There’s testable/falsifiable, and there’s operational improvement, and neither requires correctness. That would lead to something like “information confidentiality can be made less bad through quantification,” which I think is nearly semantically equivalent (or can be made into a set of equivalent statements) which are stronger Popperian hypotheses. Going a little further afield, I’d like to offer up two alternatives:
“Information security is no different than other disciplines which must be measured to be improved.”
“Information security is different from other operational/engineering disciplines in ways which make quantification irrelevant.”
Anyway, it’s a thought-provoking paper, and worth a look.