Computer Science as a Social Science: - PowerPoint PPT Presentation

1
Computer Science as a Social Science: Applications
to Computer Security
Jon Pincus, Microsoft Research
(joint work with Sarah Blankinship, Microsoft STU)
February 3, 2006
2
  • Computer science generally studies social
    problems rather than physical ones

3
  • so computer science is really a social science.

4
  • Does this make sense for computer security?

5
-- from "Bypassing PatchGuard on Win64", skape and
Skywing, in Uninformed (3), December 2005
In the caste system of operating systems, the
kernel is king. And like most kings, the kernel
is capable of defending itself from the lesser
citizens, such as user-mode processes, through
the castle walls of privilege separation.
However, unlike most kings, the kernel is
typically unable to defend itself from the same
privilege level at which it operates. Without the
kernel being able to protect its vital organs at
its own privilege level, the entire operating
system is left open to modification and
subversion if any code is able to run with the
same privileges as the kernel itself.
6
Security not primarily a technology problem
  • Secure systems have to resist not only technical
    attacks, but also coercion, fraud, and deception
    by confidence tricksters. For this reason, as
    well as physics, chemistry and mathematics,
    security engineering involves aspects of social
    science, psychology and economics.
  • -- Wikipedia on Security Engineering
  • See also Ross Anderson's 2001 book Security
    Engineering

7
Today's security landscape
  • A holistic system of systems
  • Identity theft
  • Database theft, phishing, insiders,
  • Organized crime is engaged
  • Significant economy around vulnerabilities, etc.
  • Strategic corporate battleground
  • Sony DRM, Microsoft, Oracle, Valve
  • Geopolitical implications

8
  • What social science disciplines have insights for
    computer security?
  • Does this lens yield insights about specific
    problems?

9
Some useful disciplines
  • Anthropology
  • Criminology
  • Cultural Studies
  • Sociology
  • Economics
  • Epistemology
  • Failure analysis
  • Forensics
  • Game theory
  • (Human) error analysis
  • Law
  • Narratology
  • Organizational behavior
  • Philosophy of technoscience
  • Political science
  • Psychology
  • Risk management
  • Systems theory

10
Some interesting topics
  • Measurement
  • User Error
  • Privacy
  • Sociology of vulnerabilities
  • And also Liability, DRM and Watermarking,
    Patching/installation,

11
Measurement
  • see part 2 of my Challenges in Security and
    Privacy (2004) for an overview of today's
    limitations
  • Attack surface measurement (Manadhata and Wing)
  • Multi-attribute risk assessment (Butler)
  • Defect Prediction (Li et al.)
  • Days of Risk (Ford et al.)

12
User Error
  • Computer security professionals often dismiss
    issues as user error
  • In other words, those users sure are stupid
  • Including people like us, so it's clearly untrue
  • Resilience engineering
  • Error analysis
  • Standpoint theory
  • Design
  • Human-computer interaction (HCI)

13
Privacy
  • Behavioral Economics (Odlyzko, Acquisti)
  • Panoptic society (Bentham, Foucault)
  • Criminology: do surveillance cameras work?
  • Systems theory (law of unintended consequences)
  • Overall framing of the debate
  • Often-illusory tension between security and
    privacy
  • You have no privacy - get over it!
  • Where's the harm?
  • You shouldn't worry if you have nothing to
    hide!
  • Political science, standpoint theory, cognitive
    engineering
  • Constitutional law and human rights

14
Sociology of vulnerabilities
  • Ideological differences
  • Different goals, assumptions, methods
  • Responsible disclosure debate
  • Economic models
  • see WEIS05 session on Incentive Modeling
  • ImmunitySec, Tipping Point
  • Microsoft's Blue Hat workshops

15
Conclusion
  • Many social science disciplines have insights for
    computer security
  • The social science lens yields insights into
    many specific problems
  • It arguably does make sense to view computer
    security as a social science

16
Computer Science as a Social Science: Applications
to Computer Security
Jon Pincus, Microsoft Research
February 3, 2006