Dan Simon is wrong July 8, 1998

“What is Security?”

“Security is about implementing people’s preferences for privacy, trust and information sharing (i.e., their ‘Security Policies’)”
– Wrong (or incomplete)
Security is also about eliminating unforeseen consequences
Constructing the policy is the hard part

You can’t handle the truth

Who should be able to open the front door on my house?
– Me, my family, our guests
– Police, firefighters, paramedics
But they should be logged and audited
– Locksmiths?
It’s hard to construct the right lists
Physical metaphors may not help

Social constructs
Security policies are based on experience
Less experience on computers than in real world
Unforeseen consequences may be far more numerous
Predicting consequences is computationally complex
Analogies may not maintain consequences

Desiderata

I need an administrator
– I’m not alone
My policy might simply parameterize the administrator’s policy
I need auditing
I need undo
I need someone to explain my policy to me
