
Computer Science as a Social Science: Applications to Computer Security. Jon Pincus, Microsoft Research (joint work with Sarah Blankinship, Microsoft STU). February 3, 2006


Presentation Transcript


  1. Computer Science as a Social Science: Applications to Computer Security. Jon Pincus, Microsoft Research (joint work with Sarah Blankinship, Microsoft STU). February 3, 2006

  2. Computer science generally studies social problems rather than physical ones …

  3. … so computer science is really a social science.

  4. Does this make sense for computer security?

  5. “In the caste system of operating systems, the kernel is king. And like most kings, the kernel is capable of defending itself from the lesser citizens, such as user-mode processes, through the castle walls of privilege separation. However, unlike most kings, the kernel is typically unable to defend itself from the same privilege level at which it operates. Without the kernel being able to protect its vital organs at its own privilege level, the entire operating system is left open to modification and subversion if any code is able to run with the same privileges as the kernel itself.”
     -- from Bypassing PatchGuard on Win64, skape and Skywing, in Uninformed (3), December 2005

  6. Security: not primarily a technology problem
     “Secure systems have to resist not only technical attacks, but also coercion, fraud, and deception by confidence tricksters. For this reason, as well as physics, chemistry and mathematics, [security engineering] involves aspects of social science, psychology and economics.”
     -- Wikipedia on Security Engineering
     See also: Ross Anderson’s 2001 book Security Engineering

  7. Today’s security landscape
     • A “holistic system of systems”
     • Identity theft
     • Database theft, phishing, insiders, …
     • Organized crime is engaged
     • Significant economy around vulnerabilities, etc.
     • Strategic corporate battleground
     • Sony DRM, Microsoft, Oracle, Valve
     • Geopolitical implications

  8. What social science disciplines have insights for computer security? Does this lens yield insights about specific problems?

  9. Some useful disciplines
     • Law
     • Narratology
     • Organizational behavior
     • Philosophy of technoscience
     • Political science
     • Psychology
     • Risk management
     • Systems theory
     • Anthropology
     • Criminology
     • Cultural Studies
     • Sociology
     • Economics
     • Epistemology
     • Failure analysis
     • Forensics
     • Game theory
     • (Human) error analysis

  10. Some interesting topics
     • Measurement
     • “User Error”
     • Privacy
     • Sociology of “vulnerabilities”
     And also: Liability, DRM and Watermarking, Patching/installation, …

  11. Measurement
     • See part 2 of my Challenges in Security and Privacy (2004) for an overview of today’s limitations
     • Attack surface measurement (Manadhata and Wing)
     • Multi-attribute risk assessment (Butler)
     • Defect Prediction (Li et al.)
     • “Days of Risk” (Ford et al.)

  12. “User Error”
     • Computer security professionals often dismiss issues as “user error”
     • In other words, “those users sure are stupid”
     • Including people like us … so it’s clearly untrue
     • Resilience engineering
     • Error analysis
     • Standpoint theory
     • Design
     • Human-computer interaction (HCI)

  13. Privacy
     • Behavioral Economics (Odlyzko, Acquisti)
     • Panoptic society (Bentham, Foucault)
     • Criminology: do surveillance cameras work?
     • Systems theory (“law of unintended consequences”)
     • Overall framing of the debate
     • Often-illusory “tension between security and privacy”
     • “You have no privacy - get over it!”
     • “Where’s the harm?”
     • “You shouldn’t worry if you have nothing to hide!”
     • Political science, standpoint theory, cognitive engineering…
     • Constitutional law and human rights

  14. Sociology of “vulnerabilities”
     • Ideological differences
     • Different goals, assumptions, methods
     • “Responsible disclosure” debate
     • Economic models
     • See WEIS05 session on “Incentive Modeling”
     • ImmunitySec, Tipping Point
     • Microsoft’s “Blue Hat” workshops

  15. Conclusion
     • Many social science disciplines have insights for computer security
     • The “social science” lens yields insights into many specific problems
     • It arguably does make sense to view computer security as a social science

  16. Computer Science as a Social Science: Applications to Computer Security. Jon Pincus, Microsoft Research. February 3, 2006
