This is a discussion forum post written by Robert Meushaw on the historical archive site.
Developing a concise definition of security science is a challenging task. It's often easier to describe what shouldn't be considered science. Many who work in the area of security consider science to be another way of describing research, but we believe that they are not synonymous. Following is a description of security science which was developed in a number of iterations to help guide research proposals submitted to NSA for funding consderation. Athough this description needs further refinement we believe that it is a good start, and we are offering it to the community for comment.
Security Science - is taken to mean a body of knowledge containing laws, axioms and provable theories relating to some aspect of system security. Security science should give us an understanding of the limits of what is possible in some security domain, by providing objective and qualitative or quantifiable descriptions of security properties and behaviors. The notions embodied in security science should have broad applicability - transcending specific systems, attacks, and defensive mechanisms. The individual elements contained within security science should contribute to a general framework that supports the principled design of systems that are trustworthy, they do what people expect it to do - and not something else - despite environmental disruption, human user, and operator errors, and attacks by hostile parties. Trustworthy system design may include contributions from a diverse set of disciplines including computer science, systems science, behavioral science, economics, biology, physics, and others.
Security Science Research - is work aimed at discovering new elements of Security Science and is not simply a synonym for Security Research. Security Science research may be experimental or theoretical in nature. The discovery process for Security Science may employ scientific methods, formal engineering tools and techniques, etc.; however, not all security research that uses such a process is necessarily Security Science.
Security Science SHOULD:
- Provide a scientific basis for understanding existing system security properties and developing new systems that have desired security properties.
- Permit the ability to predict complex computer and networked system behavior in the face of specified types of attack, to support quantified tradeoffs between system security properties and other desired system properties, and to design and build systems that realize specified system security requirements.
- Develop a scientific basis for the human context in which systems of interest are designed to operate, considering economic, behavioral, social, and organizational factors that influence the deployment and use of cybersecurity technologies.
- Support principled design methodologies and tools for engineering trusted components and systems.
- Establish a sound basis for composing trusted components that are capable of scaling to the size needed for modern, complex systems.
Security Science is NOT:
- The creation of a new security mechanism - unless there is some objective method for comparing it to other approaches
- The development of a "secure" device/capability by scaling previous work
- The creation of a new security (design) principle - unless there is some way to quantify or objectively compare its capabilities/limitations, or "prove" the need for the principle
- Advancing work in some discipline (e.g. software science, formal methods, visualization, etc.) where the security impact is incidental to the new results - unless there is some quantifiable improvement directly linked to security
- Developing new attack techniques - unless there is some way to use the result to create measurable improvements in overall system security
- Developing new analytic techniques without formally describing (quantifying) the extent of their capabilities or of their limitations on system security
- Developing or extending design languages related to security without quantifying their direct impact upon security or objectively comparing it to other approaches
- Extending or developing a new security-related methodology (e.g. risk assessment, vulnerability analysis, statistical analysis, decision strategy, etc.) unless there is some objective technique to quantify its direct impact upon security, or compare it to other approaches.
- Developing new approaches to secure computation (e.g. distributed computing, clouds, multi-processor, privacy preserving, etc.) without objective/quantifiable methods of assessing the improvement.
- Improving or extending security related "tools" without some method of objectively assessing their direct contribution to system security
- Performing scientific experiments without some expectation of how the results will contribute to the development of new science directly related to security
- Developing new "feature identification" approaches (e.g. Intrusion Detection) - without some formal understanding of the specific capabilities/limitations of the technique, or a way to objectively compare it to other techniques
- Developing techniques to "verify" some system characteristic without a quantifiable approach to determine its impact on system security