Quantifying Security
My colleague Satya has an intriguing idea for quantifying security: http://csdl.computer.org/comp/mags/pc/2005/03/b3004.pdf

[B]etween the first and second editions, Knuth had become very famous. For many people, his autograph was worth more than $2, so many saved the check as a souvenir rather than cashing it. This suggests a metric for that elusive attribute we call fame: what is the largest amount Knuth could have offered such that some fixed fraction of the checks (say, 50 percent) would never be cashed? That dollar figure is a reasonable metric of fame.

...

An operational approach to [security] might proceed as follows: Use software package A to guard some secret (such as a large random number), and welcome Internet attacks on the package for some time period (say, a week). Offer a reward of $X to the first person who discovers and reports the secret. If someone reports the secret, the package is clearly not usable. The interesting case is when no one reports the secret within the