Logic Evasion

Facts Security Part 1: Security, Data, Information, and Facts

August 25 2023

Introduction
To form a simple yet concise explanation of what Information Security is, I'm going to interpret it as Facts Security. Facts are an easier concept to grasp than Information, helping us understand why it is crucial to secure certain Facts.

The Information that we want to secure consists of Facts. Knowledge of specific Facts could lead to interesting outcomes, such as the ability to access something that requires that Fact; the ability to modify, delete, and/or exfiltrate Data/Information; the ability to restrict access; the ability to locate; the ability to discover identity; or the ability to impersonate.

I'll be focusing on this topic in the context of the individual person, as the context of a group or organization is a different beast in itself.

What is Security
Defining 'Security' seems to lead us to think about a particular state of being free (or secure) from things like harm, danger, threat, or risk. It sounds like being safe or secure is being prepared in such a way that aids us in evading an outcome that we wish to avoid, outcomes which commonly involve some form of pain.

In everyday life I can see cases where one would want to secure physical items such as money, jewellery, diaries, password notes, personal pictures, digital storage media, homes, and so on. Some of these are irreplaceable, have sentimental value, and thus would be painful to lose.

Trickiness of Defining 'Information'
Information includes Facts, and also things like opinions, beliefs, interpretations, and subjective assessments. The wide spectrum of things we would label as Information makes it hard to classify and label specifically the Information that we should secure.

Consider a world where it is True that Bob's opinion is that four letter passwords are the best. The statement "four letter passwords are the best" is an opinion, whereas "it is Bob's opinion that four letter passwords are the best" is a Fact. The latter statement is a Fact because in this hypothetical example that is truly Bob's opinion and it can be verified by asking Bob himself. The former statement "four letter passwords are the best" is not a Fact because it is neither True (without more context) nor verifiable (without more context).

The opinion "four letter passwords are the best" by itself is hard to justify as Information we must secure. However, the Fact that "Bob's opinion is that four letter passwords are the best" might lead to someone trying to break into Bob's accounts with four letter passwords. If this was Information that we need to secure, then are we securing opinions or Facts?

Data, Information, Facts
Data consists of the raw pieces that are not yet Information. Processing and analyzing Data transforms it into Information.

Information is ABOUT something, while Data by itself isn't necessarily about anything. Information, given the right context, becomes a Fact.

'Monday' is a piece of Data. 'Today is Monday' is Information ABOUT 'today,' and it also happens to be a Fact 1 day a week on Mondays.

Facts are a subset of Information; they are statements that are True and Verifiable. In this context, I want to define truth as actually existing in the world, such that a True statement is about something that actually exists in the world. Something that is verifiable would mean that we can execute some sort of process or test that allows us to confirm its existence in the world.

Say, for example, we have knowledge of a string of characters '1q2w3e4r'. By itself it's just a piece of Data. Say we analyze the Data and infer "1q2w3e4r is a password." This is now Information: it says something ABOUT the string, namely that 1q2w3e4r is a password. In order to be a Fact, it needs to be True and Verifiable.

We need to add some more context to transform this statement into a Fact. We could add a conditional, and say "if a password is any string with at least 8 characters that starts with a letter or number, then 1q2w3e4r is a password." With this added context, this statement is now a Fact. Perhaps you've noticed that this Fact isn't very useful at all, especially when considering security. The context applied to Information is important for understanding and identifying the kinds of Facts that we want to secure.

Suppose "1q2w3e4r is used as a password" is a Fact. It's not hard to believe that at least one person in the world currently uses this as a password. I'm going to go as far as to say that this is undeniably True, and I can guarantee that by using it as a password myself. I can verify this by using 1q2w3e4r to log into one of my accounts. A bit closer, but still... doesn't seem very useful yet.

Now let's look at the statement "1q2w3e4r is the password to Bob's email account bob@example.com." We can verify this by attempting to log into bob@example.com with the password 1q2w3e4r. If we are successful, we know that this statement is True and indeed a Fact. Now, this looks like the kind of Fact that we would want to secure.