Computer Science as a Social Science:

Applications to Computer Security

Jon Pincus, Microsoft Research

(joint work with Sarah Blankinship, Microsoft STU)

Feburary 3, 2006

Computer science generally studies social problems

rather than physical ones …

… so computer science is really

a social science.

Does this make sense for computer security?

-- from Bypassing PatchGuard on Win64, skape and Skywing, in Uninformed (3), December 2005

“In the caste system of operating systems, the kernel is king. And like most kings, the kernel is capable of defending itself from the lesser citizens, such as user-mode processes, through the castle walls of privilege separation. However, unlike most kings, the kernel is typically unable to defend itself from the same privilege level at which it operates. Without the kernel being able to protect its vital organs at its own privilege level, the entire operating system is left open to modification and subversion if any code is able to run with the same privileges as the kernel itself.”

Security: not primarily a technology problem“Secure systems have to resist not only technical

attacks, but also coercion, fraud, and deception by confidence tricksters. For this reason, as well as physics, chemistry and mathematics, [security engineering] involves aspects of social science, psychology and economics.”

-- wikipedia on Security Engineering

See also: Ross Anderson’s 2001 book Security Engineering

Today’s security landscape

• A “holistic system of systems”• Identity theft

– Database theft, phishing, insiders, …

• Organized crime is engaged• Significant economy around vulnerabilities, etc.

• Strategic corporate battleground– Sony DRM, Microsoft, Oracle, Valve

• Geopolitical implications

What social science disciplines have insights for computer security?

Does this lens yield insights about specific

problems?

Some useful disciplines • Anthropology

• Criminology• Cultural Studies• Sociology • Economics• Epistemology• Failure analysis• Forensics• Game theory• (Human) error analysis

• Law • Narratology• Organizational behavior

• Philosophy of technoscience

• Political science• Psychology• Risk management• Systems theory

Some interesting topics

•Measurement•“User Error” •Privacy •Sociology of “vulnerabilities”

And also: Liability, DRM and Watermarking, Patching/installation, …

Measurement • see part 2 of my Challenges in Security and Privacy (2004) for an overview of today’s limitations

• Attack surface measurement (Manadhata and Wing)

• Multi-attribute risk assessment (Butler)

• Defect Prediction (Li et. al.)• “Days of Risk” (Ford et. al.)

“User Error”• Computer security professionals often dismiss issues as “user error”– In other words, “those users sure are stupid”– Including people like us … so it’s clearly untrue

• Resilience engineering• Error analysis• Standpoint theory• Design• Human-computer interaction (HCI)

Privacy• Behavioral Economics (Odlyzko, Acquisiti)• Panoptic society (Bentham, Foucault)

– Criminology: do surveillance cameras work?

• Systems theory (“law of unintended consequences”)

• Overall framing of the debate• Often-illusory “tension between security and privacy”• “You have no privacy - get over it!”• “Where’s the harm?”• “You shouldn’t worry if you have nothing to hide!”

– Political science, standpoint theory, cognitive engineering…

• Constitutional law and human rights

Sociology of “vulnerabilities”

• Ideological differences– Different goals, assumptions, methods

• “Responsible disclosure” debate• Economic models

– see WEIS05 session on “Incentive Modeling”

• ImmunitySec, Tipping Point• Microsoft’s “Blue Hat” workshops

Conclusion•Many social science disciplines have insights for computer security

•The “social science” lens yields insights into many specific problems

•It arguably does make sense to view computer security as a social science

Computer Science as a Social Science:

Applications to Computer Security

Jon Pincus

Microsoft Research

Feburary 3, 2006