Our goal is to establish Cybersecurity as a science.
But if Cybersecurity is in actual fact a science (or could potentially be established as one), then we must ask: what kind of a science is Cybersecurity?
In his article ‘Cybersecurity: From Engineering to Science’, Carl Landwehr asked a related question: “What would a scientific foundation for a cybersecurity science look like?”
It is salient to quote from Carl’s article:
Science can come in several forms, and these may lead to different approaches to a Science Of Cybersecurity.
Aristotelian science was one of definition and classification. Perhaps it represents the earliest stage of an observational science, and it is seen here both in attempts to provide a precise characterisation of what security means but also in the taxonomies of vulnerabilities and attacks that presently plague the cyberinfrastructure.
A Newtonian science might speak in terms of mass and forces, statics and dynamics. Models of computational cybersecurity based in automata theory and modelling access control and information might fall in this category, as well as more general theories of security properties and their composability…
A Darwinian science might reflect the pressures of competition, diversity, and selection. Such an orientation might draw on game theory and could model behaviours of populations of machines infected by viruses or participating in botnets, for example.
A science drawing on the ideas of prospect theory and behavioural economics developed by Kahneman, Tversky, and others might be used to model risk perception and decision-making by organizations and individuals.
As I consider Carl’s list of the different kinds of science, I do think that the best way to attack this problem, for a science such as Cybersecurity that is at once ‘social’ and ‘technological’, would be to include all of these approaches.
However, one cannot run before one is able to walk, and so perhaps it is best to produce an Aristotelian science first. Ergo it would be, above all, a science that focusses on definition, classification and axioms; on establishing taxonomies of threats and countermeasures; and on topic structure/relationship ‘maps’ that relate all of its concepts to one another.
A Science of Definition, Classification Principles And Axioms
I am in agreement with Carl when he says that he does not believe it is possible to develop a science of Information Security without first establishing an observational science that identifies what we are dealing with in the first place (i.e. recognition of particular security-related things/events, and subsequent definition of object/process classes etc.). Only then do we become able to know what kinds of phenomena to look for, measure, model and control.
However, as you will see, elements of the other kinds of science described by Carl are evident in our approach, as described on the present website and also in the 2017 book ‘The Science Of Cybersecurity’. For example, our approach is akin to a Newtonian science in that it places emphasis on fundamental objects, processes, forces and their composability. In this respect, when studying our approach, note the emphasis upon, and identification of, the different kinds of foundational ‘building blocks’ for a science of Cybersecurity.
Socially Secure Communication
In the present context, we began with a comprehensive definition of Security, for a private, secret and/or open datum, as the preservation of its social accessibility status. We named this principle Socially Secure Communication. It is, in fact (or should be), the central axiom of Information Security, and it rests upon a set of underpinning conceptual definitions as follows: classification of the fundamental types of datum as secret, private and open; of datum-copies as primary, secondary and tertiary; of network types as primary, secondary and tertiary; demarcation of datum meanings into metrical, descriptive and selectional kinds; plus definition of system entrance apertures, which are identified by the following (often nested) entry methods: physical, virtual and meaning gateways etc.
Building upon these axioms, we can establish a set of Absolute Security metrics [ref. Absolute Security: TARGETS/ METHODS], and accordingly fully prescribe the various classes/types of Cybersecurity phenomena: system attack surfaces/vectors/methods, system-access-gateways/entrance-apertures, vulnerabilities, plus defensive methods and protective measures etc.
Overall, I would suggest that the over one hundred new security-related definitions, axioms, concepts and principles introduced in our book ‘The Science Of Cybersecurity’ amount to a logically true, consistent, integrated and coherent set of natural laws for Cybersecurity in general. Or at least, it is our hope that there may be, detailed here and in that work, at least a few salvageable definitions, axioms, principles and/or other ideas that may be re-used in the development of a future (yet to be envisaged) and far more comprehensive Science Of Cybersecurity.
Carl himself ends his article by putting forward the interesting idea that Cybersecurity might be more akin to an engineering school that develops and teaches a Science of Design, whereby teachers and theory can offer useful guidance, but no set of hard and fixed rules, to the developer of a security system.
Sensibly, therefore, we allow space for a creative approach to security system design, so that the designer can confidently stay ahead of, mitigate and repel all opponents and hacks, whether human or machine.
Carl Landwehr, “Cybersecurity: From Engineering to Science”, The Next Wave (The National Security Agency’s Review of Emerging Technologies), Vol. 19, 2012.