Comparison requires valid measurement: Rethinking attack success rate comparisons in AI red teaming
Alexandra Chouldechova, A. Feder Cooper, Solon Barocas, Abhinav Palia, Dan Vann, Hanna Wallach
TL;DR
The paper addresses the invalidity of many ASR-based comparisons in AI red teaming by applying social science measurement theory to jailbreaking. It reframes ASRs as measurements of well-specified estimands derived from a probabilistic threat model, introducing a two-part sufficiency condition: conceptual coherence and measurement validity. Through analysis and case studies, it reveals how mismatches in estimands (e.g., Top-1 vs one-shot) and measurement mis-specifications (e.g., D vs D, J vs s, differential judge errors) bias conclusions about safety and attack efficacy. The authors provide practical recommendations to improve validity and cross-study comparability, with implications for broader genAI evaluation beyond jailbreaking.
Abstract
We argue that conclusions drawn about relative system safety or attack method efficacy via AI red teaming are often not supported by evidence provided by attack success rate (ASR) comparisons. We show, through conceptual, theoretical, and empirical contributions, that many conclusions are founded on apples-to-oranges comparisons or low-validity measurements. Our arguments are grounded in asking a simple question: When can attack success rates be meaningfully compared? To answer this question, we draw on ideas from social science measurement theory and inferential statistics, which, taken together, provide a conceptual grounding for understanding when numerical values obtained through the quantification of system attributes can be meaningfully compared. Through this lens, we articulate conditions under which ASRs can and cannot be meaningfully compared. Using jailbreaking as a running example, we provide examples and extensive discussion of apples-to-oranges ASR comparisons and measurement validity challenges.
