By Dr. Alan Radley, 1 Sep 2017
IF cybersecurity is—in actual fact—a science (or could potentially be established as a science), then we must ask: what kind of a science is cybersecurity? In his excellent article “Cybersecurity: From Engineering to Science”, Carl Landwehr asked a number of related questions, such as: “What would a scientific foundation for a cybersecurity science look like?”.
It is salient to quote from Carl’s article:
Science can come in several forms, and these may lead to different approaches to a science of cybersecurity. Aristotelian science was one of definition and classification. Perhaps it represents the earliest stage of an observational science, and it is seen here both in attempts to provide a precise characterisation of what security means but also in the taxonomies of vulnerabilities and attacks that presently plague the cyberinfrastructure. A Newtonian science might speak in terms of mass and forces, statics and dynamics. Models of computational cybersecurity based in automata theory and modelling access control and information might fall in this category, as well as more general theories of security properties and their composability… A Darwinian science might reflect the pressures of competition, diversity, and selection. Such an orientation might draw on game theory and could model behaviours of populations of machines infected by viruses or participating in botnets, for example. A science drawing on the ideas of prospect theory and behavioural economics developed by Kahneman, Tversky, and others might be used to model risk perception and decision-making by organizations and individuals.
As I latterly examine—that is, consider—Carl’s list of the different kinds of science (some period of time after I developed my own theory of cybersecurity), I do notice that the approach presented here in my book matches most closely with an Aristotelian science (i.e. one that focuses on definition, classification and establishing taxonomies plus topic/concept ‘maps’). I am in agreement with Carl when he says that he does not believe that it is possible to develop a science of Information Security without first establishing an observational science that identifies what we are dealing with in the first place (i.e. recognition of particular security-related things/events and subsequent definition of object/process classes). Ergo, we become able to know what kinds of phenomena to look for, measure, model and control etc.
However, elements of the other kinds of science described by Carl are also evident in my approach. This is especially so in terms of a Newtonian science, which places emphasis on fundamental objects, processes, forces and their composability. In this respect, note the emphasis upon, and identification of, the different kinds of foundational ‘building blocks’ – or axioms – for a science of cybersecurity.
In my book – The Science Of Cybersecurity – I seek to establish a comprehensive definition of Security, for a private, secret and/or open datum, as the preservation of social accessibility status. We name this Socially Secure Communication. This principle is, in fact (or should be), the central axiom of Information Security (communication aspects), and is based upon a set of underpinning conceptual definitions as follows: classification of the fundamental types of datum as secret, private and open; datum-copies as primary, secondary and tertiary; network types as primary, secondary and tertiary; demarcation of datum meanings into metrical, descriptive and selectional kinds; plus definition of system entrance aperture types, which are identified by the following (often nested) entry methods: physical, virtual and meaning gateways etc.
Building upon these axioms, we can establish a set of Absolute Security metrics [ref. Absolute Security: TARGETS/ METHODS], and accordingly fully prescribe the various classes/types of cybersecurity: system attack surfaces/vectors/methods, system-access-gateways/entrance-apertures, vulnerabilities, plus defensive methods and protective measures etc.
Overall, I would suggest that the over one hundred new security-related definitions, axioms, concepts and principles introduced in The Science Of Cybersecurity book do amount to a logically true, consistent, integrated and also coherent set of natural laws for cybersecurity in general. Or, at least, it is my hope that there may be, detailed in that book, at least a few salvageable definitions, axioms, principles and/or other ideas that may be re-used in relation to the development of a future (yet to be envisaged/foreseen) and far more comprehensive Science of Cybersecurity / Information Security.
Carl ends his article by putting forward the interesting idea that cybersecurity might be more akin to an engineering school that develops and teaches a Science of Design, whereby teachers/theory can only offer useful guidance, but no set of hard and fixed rules, to the developer of a security system. Sensibly, therefore, we allow space for a creative approach to security system design, in order to confidently stay ahead of, mitigate and repel all human and machine opponents and hacks.
Carl Landwehr – “Cybersecurity: From Engineering to Science”, The Next Wave – The National Security Agency’s Review of Emerging Technologies – Vol. 19, No. 2, 2012.