The choice of preposition – science of security versus science for security – marks an important difference in mental orientation. This post grew out of a conversation last year with Roy Maxion, Angela Sasse and David Pym. Clarifying this small preposition will help us set expectations, understand goals, and ultimately give appropriately targeted advice on how to do better security research.
These small words (for vs. of) unpack into some big differences. Science for security seems to mean taking any scientific discipline or results and using that to make decisions about information security. Thus, “for” is agnostic as to whether there is any work within security that looks like science. Like the trend for evidence-based medicine, science for security would advocate for evidence-based security decisions. This view is advocated by RISCS here in the UK and is probably consistent with approaches like the New School of Information Security.
Science for security does not say security is not science. More accurately, it seems not to care. The view is agnostic and seems to say it does not matter whether security is science. The point seems to be there is enough difficulty in adapting other sciences for use by security, and that applying the methods of other sciences to security-relevant problems is what matters. There are many examples of this approach, in different flavours. We can see at least three: porting concepts, re-situating approaches, and borrowing methods. We’re adapting these first two from Morgan (2014).
Economics of infosec is its own discipline (WEIS). The way Anderson (2001) applies economics is to take established principles in economics to shed light on established difficulties in infosec.
This is when some other science understands something, and we generalise from that instance and try to make a concrete application to security. We might argue that program verification takes this approach, re-situating understanding from mathematics and logic. Studies on keystroke dynamics also re-situate the understanding of human psychology and physical forensics.
We might study a security phenomenon according to the methods of an established discipline. Usable security largely applies psychology- and sociology-based methods, for example. Of course, there are specific challenges that might arise in studying a new area such as security (Krol et al., 2016), but the approach is science for security because the challenges result in minor tweaks to the method of the home discipline.
On the other hand, a science of security looks for a security science to establish itself as an independent, peer discipline of other sciences, with idiosyncratic methods, concerns, and venues. This view is common in the US; the phrasing is directly in the name for the Symposium on the Science of Security and the influential “The Next Wave” special issue on a “blueprint for a science of cybersecurity”.
Almost all the published work on a science of security is pessimistic about its existence or contributions. Spring, Moore, and Pym (2017) summarises this thread of work and argues that the pessimism is unwarranted and unhelpful. This includes arguing against the thinking in Herley and Van Oorschot’s SoK and Schneider’s Blueprint, for example. What we’d like to suggest here is that distinguishing a science of security from science for security will yield more actionable advice on what to do moving forward, and how to make both science of and for security better.
The recent National Academies of Science (NAS) report makes several useful recommendations in this vein. Many of these recommendations are independent of our current discussion. For example, reducing institutional barriers to interdisciplinary research (p. 59) is great advice that is unchanged by our present discussion.
On the other hand, some of the NAS recommendations follow the thinking in Herley and Van Oorschot’s SoK and Schneider’s Blueprint explicitly. In these cases, science for or of security may matter a lot. Is cryptography part of security science, or is it mathematics for security? It seems plausible to treat cryptography as mathematics for security. But if that’s the case, then lessons from crypto have little bearing on methods for a science of security. And we wouldn’t expect lessons from crypto to apply to usable security any more than we expect lessons from mathematics to apply to sociology. Such transmissible lessons can be found, such as with statistics in experiment design, but they are quite context-specific.
This reorientation naturally presents the question of what topics are in a science of security. We think the answer has to be topics that cannot be studied independently of security concerns. Detecting and responding to security incidents, for example. Some topics, like network measurement or crime science, may have large overlaps but are still distinct from security. Other sciences for security, like mathematics or psychology, may be such large home disciplines that the work in adapting them to security may actually be bigger and in some sense more important than the core science of security. One impact of focusing on the core security topic of security incidents is to make clear that one scientific field is not a priori a better source of evidence than any other field.
This reorientation also carves off the question of whether there is a science of security from the question of whether sciences are contributing to security decisions. The answer to the latter is obviously yes. We cannot get “laws” of security generally, but that is irrelevant. We can get models that are applicable to the various sciences for security. These different approaches may constrain each other in useful ways if we can integrate the plurality of viewpoints. In this way, we can build a more general understanding of security. Spring, Moore, and Pym (2017) would call that integration a science, too, but that terminology is less important than understanding how the various sciences for security contribution to that general knowledge.
The question, then, is what do we do about it. Advice on how to conduct structured observations to gather evidence for security-related decisions must be tailored to each discipline – for example, the advice for determining causality in anti-abuse efforts (Jhaveri et al, 2017) versus human behaviour versus building resilient systems. All of these sciences need to build their own advice on how best to collect evidence for security, while still being able to communicate with a core science of security.
This is not to say that a science of security is more important than any of the other sciences for security. To some extent, the core science of security is primarily a translator between and among the other sciences for security. A science of security might also be expected to translate these results to, and get requirements from, at least three other groups: (1) specialists in the security engineering of building systems, (2) forensic investigations of past security failures, and (3) public policy.