Science, Security, and the Elusive Goal of Security as a Scientific Pursuit

Cormac Herley presents work done with Paul van Oorschot on some historic ideas that might help us work towards a common science for information security. This is something that we all need in order to progress the field.

“Claims that unique aspects of security exempt it from a scientific approach are unhelpful.”

There has been a push to make computer research more scientific and develop a “Science of Security”. The principal concepts of the sciences involve either the observation and measurement of the world or the logical derivation of facts in order to make predictions. Shortcomings in each of these approaches mean that a claim can be either absolutely true or applicable to the real world, but not both. In a world where no claims are true it is difficult to tell which claims are sensible. A way to define a sensible claim is to define how to disprove it. In this way, you can at least tell when it is false. When compared to other scientific fields, security research generally falls short when it comes to respecting these core scientific elements. Security research tends to confuse types of claims; make unfalsifiable claims; fail to test; make unclear claims and assumptions; and seek to confirm rather than to disprove claims. Security research would benefit from a better distinction between the types of claims made and more rigorous testing of the application of mathematical security proofs to real-world systems. A security science should also be more attentive to unsupported assertions, undocumented assumptions and authority-based arguments, while focusing on refutation with evidence-supported claims.

The presentation of the work does a lot to reduce the amount of ‘thinky-pain’ associated with applying philosophy to the problems of security. Mr. Herley works very hard to explain difficult concepts in an accessible manner and also makes the cameraman work hard to keep him in the picture, making for an entertaining presentation.

Look forward to this research appearing in the next digest, which can help you raise awareness of this work.