Security policy audits: why and how
- URL: http://arxiv.org/abs/2207.11306v1
- Date: Fri, 22 Jul 2022 19:27:18 GMT
- Title: Security policy audits: why and how
- Authors: Arvind Narayanan, Kevin Lee
- Abstract summary: This experience paper describes a series of security policy audits.
It exposes policy flaws affecting billions of users that can be exploited by low-tech attackers.
The solutions, in turn, need to be policy-based.
- Score: 8.263685033627668
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Information security isn't just about software and hardware -- it's at least
as much about policies and processes. But the research community overwhelmingly
focuses on the former over the latter, while gaping policy and process problems
persist. In this experience paper, we describe a series of security policy
audits that we conducted, exposing policy flaws affecting billions of users
that can be -- and often are -- exploited by low-tech attackers who don't need
to use any tools or exploit software vulnerabilities. The solutions, in turn,
need to be policy-based. We advocate for the study of policies and processes,
point out its intellectual and practical challenges, lay out our theory of
change, and present a research agenda.
Related papers
- From Guidelines to Governance: A Study of AI Policies in Education [1.9659095632676098]
This study employs a survey methodology to examine the policy landscape concerning emerging technologies.
The majority of institutions lack specialized guide-lines for the ethical deployment of AI tools such as ChatGPT.
High schools are less inclined to work on policies than higher educational institutions.
arXiv Detail & Related papers (2024-03-22T20:07:58Z) - The current state of security -- Insights from the German software industry [0.0]
This paper outlines the main ideas of secure software development that have been discussed in the literature.
A dataset on implementation in practice is gathered through a qualitative interview research involving 20 companies.
arXiv Detail & Related papers (2024-02-13T13:05:10Z) - Exploring Security Practices in Infrastructure as Code: An Empirical
Study [54.669404064111795]
Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools.
scripting process does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks.
Ensuring security relies on practitioners understanding and the adoption of explicit policies, guidelines, or best practices.
arXiv Detail & Related papers (2023-08-07T23:43:32Z) - New Challenges in Reinforcement Learning: A Survey of Security and
Privacy [26.706957408693363]
Reinforcement learning (RL) is one of the most important branches of AI.
RL has been widely applied in multiple areas, such as healthcare, data markets, autonomous driving, and robotics.
Some of these applications and systems have been shown to be vulnerable to security or privacy attacks.
arXiv Detail & Related papers (2022-12-31T12:30:43Z) - Having your Privacy Cake and Eating it Too: Platform-supported Auditing
of Social Media Algorithms for Public Interest [70.02478301291264]
Social media platforms curate access to information and opportunities, and so play a critical role in shaping public discourse.
Prior studies have used black-box methods to show that these algorithms can lead to biased or discriminatory outcomes.
We propose a new method for platform-supported auditing that can meet the goals of the proposed legislation.
arXiv Detail & Related papers (2022-07-18T17:32:35Z) - Towards Automated Classification of Attackers' TTPs by combining NLP
with ML Techniques [77.34726150561087]
We evaluate and compare different Natural Language Processing (NLP) and machine learning techniques used for security information extraction in research.
Based on our investigations we propose a data processing pipeline that automatically classifies unstructured text according to attackers' tactics and techniques.
arXiv Detail & Related papers (2022-07-18T09:59:21Z) - A System for Interactive Examination of Learned Security Policies [0.0]
We present a system for interactive examination of learned security policies.
It allows a user to traverse episodes of Markov decision processes in a controlled manner.
arXiv Detail & Related papers (2022-04-03T17:55:32Z) - Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z) - Reinforcement Learning [36.664136621546575]
Reinforcement learning (RL) is a general framework for adaptive control, which has proven to be efficient in many domains.
In this chapter, we present the basic framework of RL and recall the two main families of approaches that have been developed to learn a good policy.
arXiv Detail & Related papers (2020-05-29T06:53:29Z) - Policy Evaluation Networks [50.53250641051648]
We introduce a scalable, differentiable fingerprinting mechanism that retains essential policy information in a concise embedding.
Our empirical results demonstrate that combining these three elements can produce policies that outperform those that generated the training data.
arXiv Detail & Related papers (2020-02-26T23:00:27Z) - Preventing Imitation Learning with Adversarial Policy Ensembles [79.81807680370677]
Imitation learning can reproduce policies by observing experts, which poses a problem regarding policy privacy.
How can we protect against external observers cloning our proprietary policies?
We introduce a new reinforcement learning framework, where we train an ensemble of near-optimal policies.
arXiv Detail & Related papers (2020-01-31T01:57:16Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.