Facts Security Part 1: Security, Data, Information, and Facts

August 25 2023
~870 words, ~4-5 min read.
Introduction
To form a simple yet concise explanation of what Information Security is,
I'm going to interpret it as Facts Security. Facts are an easier concept to
grasp than Information, helping us understand why it is crucial to secure
certain Facts.
The Information that we want to secure are Facts. The knowledge of specific
Facts could lead to interesting outcomes such as the ability to access
something that required that Fact, the ability to modify, delete, and/or
exfiltrate Data/Information, the ability to restrict access, the ability
to locate, the ability to discover identity, or the ability to impersonate.
I'll be focusing this topic in the context of the individual person, as
the context of a group or organization is a different beast in itself.
What is Security
Defining 'Security' seems to lead us to think about a particular state of
being free (or secure) from things like harm, danger, threat, or risk.
It sounds like being safe or secure is being prepared in such a way that
aids us in evading an outcome that we wish to avoid, outcomes which
commonly involve some form of pain.
In everyday life I can see cases where one would want to secure physical
items such as money, jewellery, diaries, password notes, personal pictures,
digital storage media, homes, and so on. Some of these are irreplaceable,
have sentimental value, and thus would be painful to lose.
Trickiness of Defining 'Information'
Information includes Facts, and also things like opinions, beliefs,
interpretations, and subjective assessments. The wide spectrum of things
we would label as Information makes it hard to classify and label
specifically the Information that we should secure.
Consider a world where it is True that Bob's opinion is that four letter
passwords are the best. The statement "four letter passwords are the best"
is an opinion, whereas "it is Bob's opinion that four letter passwords are
the best" is a Fact. The latter statement is a Fact because in this
hypothetical example that is truly Bob's opinion and it can be verified by
asking Bob himself. The former statement "four letter passwords are the best"
is not a Fact because it is neither True (without more context) nor
verifiable (without more context).
The opinion "four letter passwords are the best" by itself is hard to justify
as Information we must secure. However, the Fact that "Bob's opinion is that
four letter passwords are the best" might lead to someone trying to break into
Bob's accounts with four letter passwords. If this was Information that we
need to secure, then are we securing opinions or Facts?
Data, Information, Facts
Data is the raw pieces that are not yet Information. By processing and
analyzing Data, it can be transformed into Information.
Information is ABOUT something, while Data by itself isn't necessarily about
anything. Information, given the right context, becomes a Fact.
'Monday' is a piece of Data. 'Today is Monday' is Information ABOUT 'today,'
and it also happens to be a Fact 1 day a week on Mondays.
Facts are a subset of Information; they are statements that are True and
Verifiable. In this context, I want to define truth as actually existing in
the world, such that a True statement is about something that actually exists
in the world. Something that is verifiable would mean that we can execute some
sort of process or test that allows us to confirm its existence in the world.
Say for example, we have knowledge of a string of characters '1q2w3e4r'. By
itself it's just a piece of Data. Say we analyze the Data and infer "1q2w3e4r
is a password." This is now Information, it is saying something ABOUT the string,
that 1q2w3e4r is a password. In order to be a Fact, it needs to be True and
Verifiable.
We need to add some more context to transform this statement into a Fact. We
could add a conditional, and say "if passwords are any strings with at least
8 characters and starts with a letter or number, then 1q2w3e4r is a password."
With this added context, this statement is now a Fact. Perhaps you've noticed
that this Fact isn't very useful at all, especially when considering security.
The context applied to Information is important for understanding and identifying
the kinds of Facts that we want to secure.
Suppose "1q2w3e4r is used as a password" is a Fact. It's not hard to believe
that at least one person in the world currently uses this as a password. I'm
going to go as far as to say that this is undeniably True, and I can guarantee
that by using it as a password myself. I can verify this by using 1q2w3e4r to
log into one of my accounts. A bit closer, but still... doesn't seem very useful
yet.
Now let's look at the statement "1q2w3e4r is the password to Bob's email account
bob@example.com." We can verify this by attempting to log into bob@example.com
with the password 1q2w3e4r. If we are successful, we know that this statement
is True and indeed a Fact. Now, this looks like the kind of Fact that we would
want to secure.