Now two popular articles argue about if cybersecurity can be seen as proof of work.

Interestingly enough, I was thinking of writing an article about how cybersecurity (both access models and operational assumptions) can be modeled as a proof (NOT proof of work) system. By that I mean there is an abstract model with a set of assumptions (policies, identities, invariants, configurations and implementation constraints) from which authorization decisions are derived.

A model is secure if no unauthorized action is derivable.

A system is correct if its implementation conforms to the model's assumptions.

A security model can be analyzed operationally by how likely its assumptions are to hold in practice.