The definition of an—observational science—is a field of science where controlled observations cannot be made in order to study causes and effects. An example of a pure observational science is astronomy, where a person cannot change the movement or any aspect of the sun, moon, and stars, nor can he visit them.
It seems clear that Cybersecurity is (at least partially) an observational science—the same being one where observations of causes and effects may be extremely difficult—if not impossible to—identify, model, affect and/or control.
For Cybersecurity this is so due to the hugely complex—plus constantly evolving—nature of (for example) a computer connected to the open network. Whereby not only will that same computer be (potentially) subject to countless (difficult to understand) Cyberthreats and constantly changing exploit vulnerabilities; but also we may have (multiple) human antagonists (plus their machine ‘helpers’) present—who try to sweep aside any security protections that happen to be in place. Ergo, Cybersecurity must be—at least to some extent—potentially—unpredictable/out-of-control.
Accordingly constant analytical observation of real-world security system(s); becomes a critical part of any practical Cybersecurity scenario whatsoever.
What about cause-and-effect relationships within the highly technical field of Cybersecurity?
Whilst we do not prescribe to the wholly ‘unscientific’ proscription—and/or ‘unscientific’ stereotyping— of Cybersecurity, we do recognise that Cybersecurity is at least in some senses similar to a war or political struggle. In other words our (networked) computer systems exist in a constantly changing plus highly unstable (social and technical) environment where an unknown number of (unknown) enemies may at any moment launch a successful Cyber-attack.
Notable however—is that wars are won by the application of science!
But it seems that science alone may not be sufficient to protect us forever. Clever opponents (armed with ever-improving technical tools/methods) work constantly to try and break any security measures that are put in place. Consequently, we must accept that Cybersecurity (if it is a science) is not governed by purely logical predictive method(s) alone—but rather requires observational methods by testing threat countermeasures in the real environment in which the system is/can/will be deployed.
It is not that cause-and-effect relationships are unimportant when it comes to Cybersecurity, or that they have become in some way redundant; but rather that causality becomes difficult to source/follow/predict/employ—and/or may be masked by complexity—or else rendered inapplicable in a deliberate fashion by the deceptive and illicit methods of an opponent.
In sum, I would suggest that we should not turn our backs on science/logic when it comes to Cybersecurity analysis/design/implementation. But rather we must make visible/cogent all of the (eminently logical) factors involved—including detailed knowledge of both real and potential threats/countermeasures; and through application/wielding of theory, perceptive and monitoring skills, classification, modelling—plus above all—by using the principles of logical analysis.
A Descriptive science is a category of science that involves observing, recording, describing, and classifying phenomena. Descriptive research is sometimes contrasted with hypothesis-driven research, which is focused on testing a particular hypothesis by means of experimentation.
Application of a descriptive science would seem to be a highly appropriate methodology for an observational subject matter, and especially for a (potentially) unpredictable science such as Cybersecurity. Whereby emphasis is placed on recognising what is occurring, could, can or may just possibly occur; and in terms of a totality of multi-dimensional environmental-factors/eventualities.
Overall, we do accept that Cybersecurity does possess elements that seem to be in close accordance with those features recognisable as a descriptive science.
Design and Modelling
Some experts have used the terms “descriptive sciences” and “design sciences” as an updated version of the distinction between basic (or theoretical) and applied science. Descriptive sciences are those that seek to describe reality, while design sciences seek useful knowledge for human activities.
Now in our article—What Kind Of A Science Is Cybersecurity?—we introduced the interesting idea that Cybersecurity might be more akin to an engineering school that develops and teaches a Science of Design; whereby teachers/theory can only offer useful guidance, but no set of hard and fixed rules, to the developer of a security system.
The principles of a science of design are highly applicable to Cybersecurity subject matter(s)—whereby participants can benefit from the opportunity to outwit their opponents by means of the application of creative and inventive measures.
Science Of Cybersecurity Framework (SCF)
In order to establish a logically coherent statement of basic theory, and to enable orderly progression for the same; we have defined the Science Of Cybersecurity Framework (SCF) Version 1.0. Whereby, the SCF comprises all of the various principles, axioms, concepts and term definitions contained on this site/book—amounting to a complete characterisation of the entire subject matter of Cybersecurity.
In summary, and taking all factors into consideration, it would seem to be the case that—Cybersecurity is a science that would be best served/applied (fundamentally)—as a science that focusses on observation and definition; wherein the partitioner places emphasis on classification, axioms and establishing taxonomies of threats and countermeasures—plus topic: structure/relationship ‘maps’ for all concepts/objects and processes/events etc.
In a nutshell, we recommend embracing the methods of observation, description and design, plus also adding in the ‘magic’ ingredient of logical cause and effect. Cybersecurity applications can thereby retain all the trusted benefits of the observational and theoretical approaches; whilst leaving room for creative (and inventive) countermeasure solutions.