DOI: 10.1145/3171533.3171540
Research article

Practicing a Science of Security: A Philosophy of Science Perspective

Published: 01 October 2017
    Abstract

    Our goal is to refocus the question about cybersecurity research from 'is this process scientific' to 'why is this scientific process producing unsatisfactory results'. We focus on five common complaints that claim cybersecurity is not or cannot be scientific. Many of these complaints presume views associated with the philosophical school known as Logical Empiricism that more recent scholarship has largely modified or rejected. Modern philosophy of science, supported by mathematical modeling methods, provides constructive resources to mitigate all purported challenges to a science of security. Therefore, we argue the community currently practices a science of cybersecurity. A philosophy of science perspective suggests the following form of practice: structured observation to seek intelligible explanations of phenomena, evaluating explanations in many ways, with specialized fields (including engineering and forensics) constraining explanations within their own expertise, inter-translating where necessary. A natural question to pursue in future work is how collecting, evaluating, and analyzing evidence for such explanations is different in security than other sciences.



    Published In

    NSPW '17: Proceedings of the 2017 New Security Paradigms Workshop
    October 2017
    138 pages
    ISBN:9781450363846
    DOI:10.1145/3171533
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

    In-Cooperation

    • NSF: National Science Foundation
    • ACSA: Applied Computing Security Assoc

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. cybersecurity
    2. ethics of security
    3. history of science
    4. philosophy of science
    5. science of security
    6. security research

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    NSPW '17: 2017 New Security Paradigms Workshop
    October 1 - 4, 2017
    Santa Cruz, CA, USA

    Acceptance Rates

    Overall Acceptance Rate 62 of 170 submissions, 36%

    Article Metrics

    • Downloads (last 12 months): 42
    • Downloads (last 6 weeks): 3

    Cited By

    • (2024) Reflecting on Research Practices. Communications of the ACM 67:5 (37-39). DOI 10.1145/3651965. Online publication date: 1-May-2024
    • (2024) ‘The trivial tickets build the trust’: a co-design approach to understanding security support interactions in a large university. Journal of Cybersecurity 10:1. DOI 10.1093/cybsec/tyae007. Online publication date: 20-Jun-2024
    • (2024) Evidence-based cybersecurity policy? A meta-review of security control effectiveness. Journal of Cyber Policy 8:3 (365-383). DOI 10.1080/23738871.2024.2335461. Online publication date: 7-Apr-2024
    • (2023) Towards a Typology of Interdisciplinarity in Cybersecurity: Trade, Choice, and Agnostic-Antagonist. Proceedings of the 2023 New Security Paradigms Workshop (116-129). DOI 10.1145/3633500.3633510. Online publication date: 18-Sep-2023
    • (2023) Analyzing Cyber Security Research Practices through a Meta-Research Framework. Proceedings of the 16th Cyber Security Experimentation and Test Workshop (64-74). DOI 10.1145/3607505.3607523. Online publication date: 7-Aug-2023
    • (2023) Attribute Inference Attacks in Online Multiplayer Video Games: A Case Study on DOTA2. Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy (27-38). DOI 10.1145/3577923.3583653. Online publication date: 24-Apr-2023
    • (2023) How do professionals assess security risks in practice? An exploratory study. Security Journal. DOI 10.1057/s41284-023-00389-y. Online publication date: 10-Jul-2023
    • (2022) A cyber-risk framework for coordination of the prevention and preservation of behaviours. Journal of Computer Security 30:3 (327-356). DOI 10.3233/JCS-210047. Online publication date: 1-Jan-2022
    • (2021) Blessed Are The Lawyers, For They Shall Inherit Cybersecurity. Proceedings of the 2021 New Security Paradigms Workshop (1-12). DOI 10.1145/3498891.3501257. Online publication date: 25-Oct-2021
    • (2021) Change that Respects Business Expertise: Stories as Prompts for a Conversation about Organisation Security. Proceedings of the 2021 New Security Paradigms Workshop (28-42). DOI 10.1145/3498891.3498895. Online publication date: 25-Oct-2021
