arxiv: 2606.19106 · v1 · pith:VWET7R24new · submitted 2026-06-17 · 💻 cs.CR · cs.CY

Quantifying Compromise Risk in Exceptional Access Architectures Under Sparse and Indirect Evidence

Pith reviewed 2026-06-26 20:24 UTC · model grok-4.3

classification 💻 cs.CR cs.CY
keywords exceptional access · compromise risk · cryptographic systems · Bayesian risk model · attack graphs · sparse evidence · T-EA · OTT-EA

The pith

Exceptional access architectures carry strictly higher modelled compromise risk than their no-EA counterparts, independent of calibration.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper constructs a structured uncertainty framework to evaluate systemic compromise risk in lawful exceptional access systems when no direct public dataset of incidents exists. It applies four layers—historical analogues, Monte Carlo scenarios, channel-independence decomposition, and a Bayesian Structural Risk Model on a parallel-subgraph attack graph—to compare transmission-layer EA in carrier infrastructure against over-the-top EA at the platform layer. Both EA classes show higher modelled risk than equivalent no-EA designs, and this ordering does not depend on specific parameter choices. The two classes differ in risk shape: T-EA risk concentrates around central values while OTT-EA risk is driven by the tail under correlated campaigns. Annual probability ranges for T-EA fall between 1.4% and 12.9% under the structured-judgement targeting-premium interval, with cumulative multi-decade risk well above zero.

Core claim

EA-equipped architectures of either class carry strictly higher modelled risk than their no-EA counterfactual, an ordering independent of calibration. T-EA risk is dominated by central tendency while OTT-EA risk is dominated by the tail under correlated campaigns. Calibration-conditional annual probability ranges span 1.4% to 12.9% for T-EA. Over multi-decade horizons cumulative compromise is well above zero; key-material exfiltration is irreversible and weighs more heavily on OTT-EA's larger user populations.

What carries the argument

Bayesian Structural Risk Model on a parallel-subgraph attack graph, combined with historical analogues, Monte Carlo scenario layer, and channel-independence decomposition. The model separates assumption-robust structural findings from calibration-dependent results under sparse indirect evidence.

If this is right

  • The risk increase for EA over no-EA holds independent of calibration choices.
  • T-EA annual compromise probabilities range from 1.4% to 12.9% across the targeting-premium interval.
  • Cumulative compromise probability over multi-decade periods exceeds zero for both classes.
  • OTT-EA risk is more sensitive to correlated attack campaigns due to tail dominance.
  • Key-material exfiltration remains irreversible and affects larger user bases under OTT-EA.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The separation of robust and calibration-dependent results could be tested on other security architectures that lack direct incident data.
  • Policy comparisons of EA designs could use the structural risk ordering even before precise probability values are known.
  • Adding explicit consequence or benefit models would be required to translate the probability increases into net policy trade-offs.

Load-bearing premise

The four analytical layers can separate findings that are robust to assumptions from those that depend on calibration when only sparse and indirect evidence is available.

What would settle it

A documented historical case in which an EA-equipped system experienced lower or equal compromise rates than a matched no-EA system over comparable time and scale, or direct evidence that the channel-independence assumption fails in a way that reverses the modelled risk ordering.

Figures

Figures reproduced from arXiv: 2606.19106 by Alan Woodward.

Figure 1: Overview of the three-pillar framework. Each pillar uses a distinct evidence type and inferential role; their outputs are complementary rather than interchangeable, and are interpreted as decision-support inputs rather than as point estimates. Alt text: Diagram of the three-pillar framework: three labelled boxes (Pillar I: historical analogy; Pillar II: Monte Carlo scenarios; Pillar III: structural decompo…

Figure 2: Simplified attack-surface schematic for a transmission-layer (Class T) exceptional-access architecture, in which key material K and ciphertext data D are operationally co-located. Solid arrows show the primary data-flow paths; dashed red arrows indicate where each risk class attaches. The mandate creates compromise pathways concentrated around orchestration, escrow, and operator trust boundaries that do no…

Figure 3: Architecture-conditional sensitivity of the meta-analysis projection to the EA targeting premium. The empirical base rates (pooled centralised single-operator: 0.545%/yr, k = 17, E = 3,120 system-years from Streams A and B; Stream A T-EA-anchored: 0.92%/yr; Stream C OTT-EA-anchored: 0.95%/yr) are multiplied by a premium representing elevated EA targeting. Applicable premium ranges differ across architectur…

Figure 4: Per-scenario mean annual compromise contribution under the Pillar II central parameterisation (105 iterations, seed 2024). Error bars show 5th–95th percentile range on access-pathway probability. Hatched bars give mean technical compromise probability per scenario. The dominant contributors are S1 (stolen credentials, ∼2.2%), S3 (edge exploitation, ∼1.8%), and S5 (insider, ∼1.7%). EA-specific specialist sc…

Figure 5: Per-scenario mean annual operational compromise contribution under the Pillar II OTT-EA central parameterisation, with each scenario's contribution weighted by its operational-compromise factor p_i^{op,seg} = ξ_i + (1 − ξ_i) P_3 P_4. Side-by-side comparison with T-EA contributions shows that S4 (lateral / supply chain) retains its relative contribution because of its high cross-cutting fraction (ξ = 0.55), while S…

Figure 6: Compound attack-graph schematic for an OTT-EA (Class A) architecture. Cross-cutting infrastructure nodes (top, orange) have outgoing edges to both the key-side subgraph G^OTT_key and the data-side subgraph G^OTT_data (dashed orange edges). Reaching the operational-compromise AND-node requires either (i) traversing both subgraphs independently through their respective subgraph-internal edges, or (ii) traver…

Figure 7: Architecture-conditional comparison of prior predictive distributions for the year-1 annual probability q_1 (left) and 10-year cumulative Q_10 (right) under the full dependence model. T-EA distribution (blue) and OTT-EA distribution (orange) overlaid. The OTT-EA distribution sits below the T-EA distribution at the median but the upper tails cross over at approximately the 95th percentile, with OTT-EA exhibit…

Figure 8: Generalised Pareto Distribution goodness-of-fit comparison across architectures. Left: T-EA, where the empirical CDF of exceedances above the 90th percentile (threshold u = 0.118) closely tracks the fitted GPD curve (ξ̂ = 0.27, σ̂ = 0.066); Anderson–Darling p_AD = 0.28 and Kolmogorov–Smirnov p_KS = 0.13 both fail to reject the GPD null. Right: OTT-EA, where the empirical CDF systematically deviates from the …

Figure 9: Architecture-conditional comparison of cumulative compromise probability trajectories over a 20-year deployment horizon. T-EA (blue) and OTT-EA (orange) full-dependence trajectories with 90% credible bands. The corresponding independence-baseline trajectories (not shown for clarity) sit below the dependence trajectories at every horizon, with the gap quantified in …

Figure 10: Cumulative EA technical (solid) and access-pathway (dashed) compromise probability under the Pillar II independence-conditional central T-EA parameterisation, with the non-EA baseline and the Fréchet–Hoeffding lower and upper bounds for the technical-compromise curve. The technical-compromise curve under independence crosses 50% near year 10. The lower bound of 2.2% yields approximately 20% over 10 years.…

Figure 11: Maximum defensible deployment horizon T*(τ) as a continuous function of the cumulative-acceptability threshold τ (defined, as in …

Figure 12: Architecture-conditional CCDFs for q_1 (left) and Q_10 (right) under the full dependence model. T-EA (blue) sits above OTT-EA (orange) at low thresholds (the median region), but the curves cross deep in the upper tail and OTT-EA exceeds T-EA at the extreme. The crossover threshold for q_1 is approximately τ ≈ 16–17% (near the 95th percentile of both distributions), beyond which OTT-EA assigns higher exceedan…

Figure 13: Sensitivity tornado chart: swing in median 10-year cumulative compromise probability Q_10 when each uncertain parameter is varied across its prior 10th–90th percentile range (T-EA configuration). The three log-normal modifiers produce comparable swings, with system targeting intensity δ_target the largest; no single parameter dominates. The OTT-EA tornado, which also includes the cross-cutting coupling rati…

Figure 14: Sensitivity tornado chart for the OTT-EA configuration. The three log-normal modifiers produce comparable swings, with δ^OTT_target the largest; the OTT-EA-specific cross-cutting coupling ratio γ_X/γ enters as a smaller additional contributor. Under the shifted-lognormal prior on γ_X/γ (Equation 28, with the structural constraint γ_X/γ ≥ 1 enforced by construction, 90% credible range [1.52, 2.93]), its prior…

Figure 15: Parameter uncertainty decomposition (T-EA configuration). Left: model output uncertainty as a function of the risk threshold τ, showing where along the risk scale the evidence is most equivocal (peaks near the median q_1, where the outcome is most uncertain). Right: percentage of Var(Q_10) attributable to each uncertain parameter. The three log-normal modifiers contribute comparable first-order shares, wit…
Original abstract

Lawful exceptional access (EA) systems hold the cryptographic keys that decrypt protected communications for authorised parties. The debate over their risks has been long and qualitative, complicated by two problems: no public dataset of EA-specific compromise events exists, so assessment must use sparse, indirect evidence; and prior work has treated structurally different designs as equivalent, though transmission-layer EA in carrier infrastructure (T-EA) and over-the-top EA at the platform layer (OTT-EA) differ in how cryptographic keys relate to ciphertext data. This paper builds a structured uncertainty framework for evaluating systemic compromise risk in EA architectures. It does not produce predictive forecasts, which the evidence cannot support; it separates findings robust to assumptions from those that depend on calibration. Four analytical layers are applied to T-EA and OTT-EA: three empirical pillars (historical analogues, a Monte Carlo scenario layer, a channel-independence decomposition) plus a Bayesian Structural Risk Model on a parallel-subgraph attack graph. The central findings are structural. First, EA-equipped architectures of either class carry strictly higher modelled risk than their no-EA counterfactual, an ordering independent of calibration. Second, the classes differ in distribution shape: T-EA risk is dominated by central tendency, OTT-EA by the tail under correlated campaigns. Third, calibration-conditional annual probability ranges span 1.4% to 12.9% for T-EA across the structured-judgement targeting-premium interval. Over multi-decade horizons, cumulative compromise is well above zero; key-material exfiltration is irreversible, weighing heavily on OTT-EA's larger user populations. The framework quantifies compromise probability, not expected harm; consequence modelling and benefit estimation are outside its scope.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper develops a structured uncertainty framework for assessing systemic compromise risk in lawful exceptional access (EA) architectures under sparse and indirect evidence. It applies four analytical layers—historical analogues, Monte Carlo scenario analysis, channel-independence decomposition, and a Bayesian Structural Risk Model on a parallel-subgraph attack graph—to compare transmission-layer EA (T-EA) and over-the-top EA (OTT-EA) against no-EA counterfactuals. The central claims are structural: EA-equipped systems of either class exhibit strictly higher modelled compromise risk than no-EA, with this ordering independent of calibration; T-EA risk is dominated by central tendency while OTT-EA is dominated by the tail under correlated campaigns; and calibration-conditional annual probabilities for T-EA range from 1.4% to 12.9% across the structured-judgement targeting-premium interval. The work explicitly disclaims predictive forecasting and focuses on separating robust findings from calibration-dependent ones.

Significance. If the separation of robust structural results from calibration-dependent outputs is successfully achieved, the framework offers a disciplined approach to quantifying risks in EA systems where direct datasets are unavailable. The multi-layer decomposition and explicit use of attack graphs to model parallel paths represent a methodological contribution for policy-relevant analysis under uncertainty. The emphasis on probability rather than expected harm, combined with the irreversibility argument for key-material exfiltration, provides concrete inputs for longer-horizon discussions. The paper's restraint in not claiming forecasts is a strength.

major comments (2)
  1. [Bayesian Structural Risk Model and channel-independence decomposition] The central claim that the EA > no-EA risk ordering is independent of calibration (abstract and Bayesian Structural Risk Model section) requires explicit verification that the parallel-subgraph attack graph and channel-independence decomposition exclude all parameter regimes in which an EA channel is redundant or negatively correlated with existing paths. If any θ in the structured-judgement targeting-premium interval permits P(compromise | EA, θ) ≤ P(compromise | no-EA, θ) under the Monte Carlo scenario weights, the strict ordering fails and the independence assertion does not hold.
  2. [Four analytical layers and results separation] The separation of findings into robust versus calibration-dependent categories (abstract and § on analytical layers) is load-bearing for the paper's contribution. The manuscript must demonstrate, with concrete derivation steps, which outputs of the four layers remain invariant across the full range of the targeting-premium interval and which vary, rather than asserting the separation without showing the invariance checks.
minor comments (2)
  1. [Notation and calibration parameters] The definition and bounds of the 'structured-judgement targeting-premium interval' are referenced repeatedly but not given an explicit interval or elicitation procedure; this notation should be defined in a dedicated subsection or table.
  2. [Figures and tables] Figure captions for the Monte Carlo scenario layer and attack-graph diagrams should include the exact parameter ranges and independence assumptions used in each panel to allow readers to trace the reported probability ranges.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed and constructive report. The comments correctly identify the need for explicit verification of the structural claims rather than assertion. We address each major comment below. Both points can be resolved by adding formal derivations and invariance checks to the revised manuscript.

Point-by-point responses
  1. Referee: [Bayesian Structural Risk Model and channel-independence decomposition] The central claim that the EA > no-EA risk ordering is independent of calibration (abstract and Bayesian Structural Risk Model section) requires explicit verification that the parallel-subgraph attack graph and channel-independence decomposition exclude all parameter regimes in which an EA channel is redundant or negatively correlated with existing paths. If any θ in the structured-judgement targeting-premium interval permits P(compromise | EA, θ) ≤ P(compromise | no-EA, θ) under the Monte Carlo scenario weights, the strict ordering fails and the independence assertion does not hold.

    Authors: The referee correctly notes that the independence claim requires explicit verification. The attack graph is defined with parallel subgraphs, so the EA channel constitutes an additional disjoint path. The channel-independence decomposition yields P(compromise) = 1 − ∏(1 − p_i) over paths; adding any path with p_EA > 0 therefore strictly increases the probability relative to the no-EA case. The targeting-premium interval is constructed from structured judgement such that the lower bound on p_EA is strictly positive for every θ. Negative correlation between channels is excluded by construction in the decomposition layer, which rests on the distinct attack surfaces (transmission-layer vs. application-layer). We will insert a short lemma in the revised Bayesian Structural Risk Model section proving that, for all θ in the interval and all Monte Carlo scenario weights, P(compromise | EA, θ) > P(compromise | no-EA, θ). revision: yes

  2. Referee: [Four analytical layers and results separation] The separation of findings into robust versus calibration-dependent categories (abstract and § on analytical layers) is load-bearing for the paper's contribution. The manuscript must demonstrate, with concrete derivation steps, which outputs of the four layers remain invariant across the full range of the targeting-premium interval and which vary, rather than asserting the separation without showing the invariance checks.

    Authors: We agree that the robust-versus-calibration-dependent separation must be shown explicitly. In the revision we will add a new subsection that performs an invariance analysis across the targeting-premium interval. For each of the four layers we will: (i) list the layer outputs (risk ordering, distribution shape, probability ranges, etc.); (ii) derive their functional dependence on the targeting-premium parameter θ; (iii) report the min/max values attained over the interval. The strict EA > no-EA ordering and the qualitative distinction between central-tendency dominance (T-EA) and tail dominance (OTT-EA) will be shown to be invariant; the numerical probability bounds will be shown to vary with θ. Tables and step-by-step derivations will be supplied. revision: yes
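An added example (not code from the paper, its author, or Pith) that evaluates the path-union formula quoted in the first response, P(compromise) = 1 − ∏(1 − p_i), next to the dependence regime raised in the referee's first major comment. The baseline path probabilities and the p_EA grid are constructed; the fully nested case uses the Fréchet–Hoeffding lower bound max(p_i), and the multi-year figures assume a constant annual probability with independent years.

```python
"""Added example: EA vs no-EA compromise ordering under two dependence regimes.

All path probabilities are constructed for illustration; only the annual
figures 1.4%, 12.9% and 2.2% are taken from the page.
"""
from math import prod

# Constructed annual compromise probabilities of the paths that exist
# without exceptional access (assumption, not values from the paper).
BASE_PATHS = (0.010, 0.006, 0.004)
# Constructed grid for the probability of the additional EA path, p_EA.
EA_GRID = (0.001, 0.005, 0.010, 0.020, 0.050)


def union_independent(path_probs):
    """P(at least one path succeeds) when the paths are independent."""
    return 1.0 - prod(1.0 - p for p in path_probs)


def union_bounds(path_probs):
    """Frechet-Hoeffding bounds on P(union), valid for any dependence.

    Lower bound max(p_i): events fully nested (perfect positive dependence).
    Upper bound min(1, sum p_i): events mutually exclusive.
    """
    return max(path_probs), min(1.0, sum(path_probs))


def ea_increment(base_paths, p_ea):
    """Risk added by the EA path: (independent paths, fully nested paths)."""
    with_ea = tuple(base_paths) + (p_ea,)
    d_independent = union_independent(with_ea) - union_independent(base_paths)
    d_nested = union_bounds(with_ea)[0] - union_bounds(base_paths)[0]
    return d_independent, d_nested


def ordering_sweep(base_paths, ea_grid):
    """For each p_EA: is EA strictly riskier than no-EA in each regime?"""
    rows = []
    for p_ea in ea_grid:
        d_ind, d_nested = ea_increment(base_paths, p_ea)
        rows.append((p_ea, d_ind > 0.0, d_nested > 0.0))
    return rows


def cumulative(annual_q, years):
    """Cumulative compromise probability over a horizon.

    Assumes a constant annual probability and independent years.
    """
    return 1.0 - (1.0 - annual_q) ** years


if __name__ == "__main__":
    print("p_EA    strict(independent)  strict(nested)")
    for p_ea, strict_ind, strict_nested in ordering_sweep(BASE_PATHS, EA_GRID):
        print(f"{p_ea:<7.3f} {str(strict_ind):<20} {strict_nested}")

    # Annual T-EA range quoted on the page, carried to 10 and 20 years.
    for q in (0.014, 0.129):
        print(f"annual {q:.1%}: 10y {cumulative(q, 10):.1%}, "
              f"20y {cumulative(q, 20):.1%}")
    # Figure 10 caption: a 2.2% annual lower bound over 10 years.
    print(f"annual 2.2%: 10y {cumulative(0.022, 10):.1%}")
```

Under independence the increment equals p_EA · ∏(1 − p_i) and is positive for every p_EA > 0; in the fully nested case it is zero whenever p_EA does not exceed the largest existing path probability, so strictness of the ordering depends on the dependence assumption rather than on the value of p_EA alone.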

Circularity Check

0 steps flagged

No significant circularity; derivation relies on explicit model structure and multiple evidence layers without reduction to inputs by construction.

full rationale

The abstract and description present a Bayesian Structural Risk Model on a parallel-subgraph attack graph, combined with historical analogues, Monte Carlo scenarios, and channel-independence decomposition. The central structural claim (EA risk strictly exceeds no-EA independent of calibration) is asserted as following from this layered framework applied to sparse evidence. No equations are quoted or shown that would demonstrate the inequality reducing to a fitted parameter, self-definition, or self-citation chain. The paper explicitly states it separates robust findings from calibration-dependent ones and does not produce predictive forecasts. No self-citations, ansatz smuggling, or renaming of known results appear in the provided text. The derivation is therefore treated as self-contained against its stated assumptions and evidence layers.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract alone supplies insufficient detail to enumerate free parameters or axioms; the model is described as using Monte Carlo and Bayesian methods on an attack graph, but no specific fitted values or background lemmas are stated.



    Black tulip: Report of the investigation into the DigiNotar certificate authority breach

    Hans Hoogstraaten, Ronald Prins, Daniël Niggebrugge, Danny Heppener, Frank Groenewe- gen, et al. Black tulip: Report of the investigation into the DigiNotar certificate authority breach. Technical report, Fox-IT, 2012. Project PR-110202, Version 1.0, 13 August 2012

  53. [53]

    TURKTRUST CA problems

    Kaspersky Global Research and Analysis Team. TURKTRUST CA problems. Securelist, January 2013, 2013. Two intermediate CA certificates incorrectly issued as end-entity certificates; theresultingfraudulent*.google.comcertificatewasdetectedbyGoogleChrome’s public-key pinning on 24 December 2012

  54. [54]

    Common sense guide to mitigating insider threats, seventh edition

    Software Engineering Institute. Common sense guide to mitigating insider threats, seventh edition. Technical report, CERT National Insider Threat Center, Software Engineering Institute, Carnegie Mellon University, 2022

  55. [55]

    Microsoft Press, 2nd edition, 2004

    Steve McConnell.Code Complete. Microsoft Press, 2nd edition, 2004. ISBN 978-0-7356- 1967-8

  56. [56]

    Before we knew it: An empirical study of zero-day attacks in the real world

    Leyla Bilge and Tudor Dumitras. Before we knew it: An empirical study of zero-day attacks in the real world. InProceedings of the ACM Conference on Computer and Communications Security (CCS), pages 833–844, 2012. doi: 10.1145/2382196.2382284

  57. [57]

    CA incident dashboard

    Mozilla. CA incident dashboard. Mozilla Wiki, CA Certificate Program, 2024. Tracks publicly disclosed certificate-authority misissuance and compliance incidents reported through Mozilla Bugzilla. Accessed 2026-05-15

  58. [58]

    Common CA database (CCADB)

    Common CA Database. Common CA database (CCADB). Online registry maintained by The Linux Foundation; operated collaboratively by the Apple, Cisco, Google, Microsoft and Mozilla root programs, 2024. Population denominator for trusted root Certificate Authorities. Maintenance transferred from Mozilla to The Linux Foundation on 7 May 2024. 105

  59. [59]

    Alhazmi, Yashwant K

    Omar H. Alhazmi, Yashwant K. Malaiya, and Indrajit Ray. Measuring, analyzing and predicting security vulnerabilities in software systems.Computers & Security, 26(3):219–228,

  60. [60]

    doi: 10.1016/j.cose.2006.10.002

    ISSN 0167-4048. doi: 10.1016/j.cose.2006.10.002

  61. [61]

    Alhazmi and Yashwant K

    Omar H. Alhazmi and Yashwant K. Malaiya. Application of vulnerability discovery models to major operating systems.IEEE Transactions on Reliability, 57(1):14–22, 2008. ISSN 1558-1721. doi: 10.1109/TR.2008.916872

  62. [62]

    ETSI TS 102 165-1: CYBER; methods and protocols; part 1: Method and proforma for threat, vulnerability, risk analysis (TVRA)

    European Telecommunications Standards Institute. ETSI TS 102 165-1: CYBER; methods and protocols; part 1: Method and proforma for threat, vulnerability, risk analysis (TVRA). Version 5.3.1, February 2025, 2025

  63. [63]

    A new uncertainty importance measure.Reliability Engineering & System Safety, 92(6):771–784, 2007

    Emanuele Borgonovo. A new uncertainty importance measure.Reliability Engineering & System Safety, 92(6):771–784, 2007. ISSN 0951-8320. doi: 10.1016/j.ress.2006.04.015

  64. [64]

    Committee on national security systems (CNSS) policies and instructions

    Committee on National Security Systems. Committee on national security systems (CNSS) policies and instructions. https://www.cnss.gov/CNSS/issuances/Policies.cfm, 2024. Defines governance and separation of U.S. National Security Systems cryptographic domains. Ac- cessed 2026-05-15

  65. [65]

    Announcing the commercial National Security Algorithm Suite 2.0

    National Security Agency. Announcing the commercial National Security Algorithm Suite 2.0. NSA Cybersecurity Advisory, PP-22-1338, Ver. 1.0, 2022. Documents cryptographic requirements for classified and national security systems. September 2022. Accessed 2026-05- 15

  66. [66]

    Quantum key distribution (QKD) and quantum cryptography (QC)

    National Security Agency. Quantum key distribution (QKD) and quantum cryptography (QC). NSA Cybersecurity guidance, 2020. Guidance on QKD/QC for securing National Security Systems, published October 2020. Accessed 2026-05-15

  67. [67]

    Advanced cryptography

    National Cyber Security Centre. Advanced cryptography. https://www.ncsc.gov.uk/paper/advanced-cryptography, 2025. NCSC white paper on advanced cryptographic techniques. Accessed 2026-05-15

  68. [68]

    Algorithms, key size and parameters report – 2014, 2014

    European Union Agency for Network and Information Security. Algorithms, key size and parameters report – 2014, 2014. ENISA’s cryptographic-recommendations report; latest edition in this series. Accessed 2026-05-15

  69. [69]

    ANSSI cryptographic mechanisms recommendations

    Agence nationale de la sécurité des systèmes d’information. ANSSI cryptographic mechanisms recommendations. RGSv2.0, AnnexeB1(version2.04)., 2020. Frenchsovereigncryptographic authority publications. Accessed 2026-05-15

  70. [70]

    Cryptographic mechanisms: Recom- mendations and key lengths

    Bundesamt für Sicherheit in der Informationstechnik. Cryptographic mechanisms: Recom- mendations and key lengths. Technical Guideline BSI TR-02102-1, Version 2026-01, 23 January 2026., 2026. German federal cryptographic governance and standards guidance. Accessed 2026-05-15

  71. [71]

    NATO information assurance product catalogue (NIAPC), 2024

    NATO Communications and Information Agency. NATO information assurance product catalogue (NIAPC), 2024. Catalogue of evaluated information-assurance products for NATO nations and bodies. Accessed 2026-05-15

  72. [72]

    Communications assistance for law enforcement act (CALEA)

    United States Congress. Communications assistance for law enforcement act (CALEA). Public Law 103-414., 1994. Establishes lawful intercept capability requirements for telecom- munications carriers. Accessed 2026-05-15

  73. [73]

    Lawful interception (LI); internal network interfaces; part 1: X1

    European Telecommunications Standards Institute. Lawful interception (LI); internal network interfaces; part 1: X1. Technical Specification TS 103 221-1 V1.23.1, ETSI, 106 March 2026. De facto lawful-interception internal network interface specification, in use across European and global carrier networks. Multi-part series; Part 1 specifies the X1 adminis...

  74. [74]

    Lawful interception (LI); internal network interfaces; part 2: X2/X3

    European Telecommunications Standards Institute. Lawful interception (LI); internal network interfaces; part 2: X2/X3. ETSI TS 103 221-2 V1.5.2, October 2021, 2021. Defines standardized lawful interception architectures used across European and partner-state telecommunications systems. Standard family includes TS 103 221 (X1/X2/X3), TS 102 232 (handover i...

  75. [75]

    3GPP lawful interception architecture and functions,

    3rd Generation Partnership Project. 3GPP lawful interception architecture and functions,

  76. [76]

    Accessed 2026-05-15

    Mobile-network lawful interception standards (TS 33.126/33.127/33.128) and as- sociated cryptographic and control interfaces, covering 4G and 5G carrier infrastructure. Accessed 2026-05-15

  77. [77]

    Open letter to RSA customers

    Arthur Coviello. Open letter to RSA customers. EMC Corporation, SEC Form 8-K Exhibit 99.1, March 2011, 2011

  78. [78]

    Powerful NSA hacking tools have been revealed online

    Ellen Nakashima. Powerful NSA hacking tools have been revealed online. The Washington Post, 2016. 16 August 2016

  79. [79]

    Highly evasive attacker leverages SolarWinds supply chain to compromise multiple global victims with SUNBURST backdoor

    FireEye. Highly evasive attacker leverages SolarWinds supply chain to compromise multiple global victims with SUNBURST backdoor. Mandiant Threat Intelligence Blog, 2020

  80. [80]

    Vault 7: CIA hacking tools revealed, 2017

    WikiLeaks. Vault 7: CIA hacking tools revealed, 2017

Showing first 80 references.