Accepted paper:

Practicing a science of security


Jonathan Spring (University College London)

Paper short abstract:

Science of cyber security is a contested academic discipline. Many claim security is not or cannot be science. We dispute this view via context and counterarguments from STS research. Our focus is the security research community's perception of itself and to highlight avenues for STS to engage.

Paper long abstract:

Background: Most people writing about a science of security conclude that security work is not a science, or at best rather hopefully conclude that it is not a science yet but could be.

Method: Literature survey of the discussion of science of security going on within the security research community.

Results: We identify five common reasons people present as to why security is not a science: (1) experiments are untenable; (2) reproducibility is impossible; (3) there are no laws of nature in security; (4) there is no single ontology of terms to discuss security; and (5) security is merely engineering.

Conclusions: Security as practiced is a science. Complaints against this view rely on outdated concepts of philosophy of science derived from broadly logical empiricist approaches. A view of science based on integrative pluralism and mosaic unity of science readily can accept security as a science, and provides tools for solving methodological and epistemic challenges in security.

Impact for STS: This talk introduces the views of practicing security researchers, highlights areas where STS can productively engage, and identifies cultural barriers to the adoption of the perception of security research as a science. This includes the secretive nature of security research, and how undisclosed research impacts social practices and interdisciplinary work.

panel C24
Caring, negotiating and tinkering for IT in/security