Dan Simon is wrongDan Simon is wrong

July 8, 1998July 8, 1998

““What is Security?”What is Security?”

““Security is about implementing Security is about implementing people’s preferences for privacy, trust people’s preferences for privacy, trust and information sharing (i.e., their and information sharing (i.e., their `Security Policies’)”`Security Policies’)”– Wrong (or incomplete)Wrong (or incomplete)

Security is also about eliminating Security is also about eliminating unforeseen consequencesunforeseen consequences

Constructing the policy is the hard Constructing the policy is the hard partpart

You You can’tcan’t handle the truth handle the truth

Who should be able to open the front Who should be able to open the front door on my house?door on my house?– Me, my family, our guestsMe, my family, our guests– Police, firefighters, paramedicsPolice, firefighters, paramedics

But they should be logged and auditedBut they should be logged and audited

– Locksmiths?Locksmiths? It’s hard to construct the right listsIt’s hard to construct the right lists Physical metaphors may not helpPhysical metaphors may not help

Social constructsSocial constructs

Security policies are based on experienceSecurity policies are based on experience Less experience on computers than in Less experience on computers than in

real worldreal world Unforeseen consequences may be far Unforeseen consequences may be far

more numerousmore numerous Predicting consequences is Predicting consequences is

computationally complexcomputationally complex Analogies may not maintain Analogies may not maintain

consequencesconsequences

DesiderataDesiderata

I need an administratorI need an administrator– I’m not aloneI’m not alone

My policy might simply parameterize My policy might simply parameterize the administrator’s policythe administrator’s policy

I need auditingI need auditing I need undoI need undo I need someone to explain my policy I need someone to explain my policy

to meto me