Sage Journals: Discover world-class research

Abstract

I argue that marking a proper distinction between two types of research in the cybersecurity field obviates the present debate concerning a “science of cybersecurity.” Once the terminology has been properly disambiguated, the accurate descriptor for the current state of the practice of cybersecurity becomes apparent: it is a protoscience. Further, once a definition for ‘science’ is specified, it becomes clear that the protoscientific state is capable of trending in the proper direction, namely toward science and away from pseudoscience.

Keywords

Philosophy of science cybersecurity science of cybersecurity

1 Introduction

In a recent publication, Alexander Kott notes that “the central role of models in science is well recognized; it can be argued that a science is a collection of models, or that a scientific theory is a family of models or a generalized schema for models.” (Kott,¹ p. 30). Although there are alternative proposed solutions to the demarcation problem, taking Kott’s model-based approach to defining science affords the opportunity to address—and make progress toward solving—the recent debate concerning a potential “science of cybersecurity.”ⁱ Kott references the debate in terms of a lacuna in our present categorization of cybersecurity research:

even for those in the cyber security community who agree with the need for a science of cyber—whether it merits an exalted title of a new science or should be seen merely as a distinct field of research within one or more of [the] established sciences—the exact nature of the new science, its scope and boundaries remain rather unclear. (Kott,¹ p. 1)

Kott’s statements provide the backdrop for two tasks, both of which I aim to accomplish here. The first is to articulate, in an accessible fashion, a disambiguation of the phrase “science of cybersecurity.” Doing so addresses Kott’s query about the scope of a science of cybersecurity. The second task is a consequence of the first: it is an assessment of the current state of the practice of cybersecurity in terms of whether it is, or can be, scientific.

I argue that marking a proper distinction between two types of research in the cybersecurity field obviates the present debate concerning a science of cybersecurity. Once the terminology has been properly disambiguated, the accurate descriptor for the current state of the practice of cybersecurity becomes apparent: it is a protoscience. Further, if we adopt a definition for “science” in line with the one chosen by Kott, we can see that the protoscientific state is capable of trending in the proper direction: toward science and away from pseudoscience.

Section 2 is spent identifying the distinction between the referents of the terms cybersecurity and science of cybersecurity. With that distinction in place, Section 3 proceeds with an analysis of the present state of “cybersecurity” and “science of cybersecurity,” with the aim of establishing that cybersecurity is protoscientific. Section 4 contains concluding remarks.

2 Cybersecurity: Science and practice

The process of disentangling cybersecurity from science of cybersecurity requires an explicit effort to symmetrize the terminology itself. Cybersecurity is a practice. It is, roughly, the activity of defending the technological assets of some entity from an adversary’s attempts to meddle with those assets in some way. The “defending” can take many forms, including straightforwardly responding to attacks, preemptively researching human motivational and game theoretic tendencies to anticipate the actions of attackers, or deciding what actions to take upon gaining knowledge of an as-yet-unexploited vulnerability.ⁱⁱ When we refer to cybersecurity, we refer to actions of this sort—to the practice of cybersecurity. Accordingly, in what follows, I will utilize the term practice of cybersecurity, denoted cybersecurity_p, when referring to the act of cybersecurity itself.

By contrast, is it clear that cybersecurity_p is distinct from the (potential) science of cybersecurity, hereafter denoted cybersecurity_s. This is so because the science of cybersecurity—cybersecurity_s—refers to the collective properties of cybersecurity_p, such as its methods, principles, and laws.ⁱⁱⁱ These properties emerge from an analysis of cybersecurity_p discipline-wide; individual instances of cybersecurity_p do not reveal such collective qualities. The different denotation of each of the two terms is the first of three clear indicators that cybersecurity_p and cybersecurity_s are distinct in terms of their research subject matter.

The second indicator arises from the traditional scope of scientific research. The distinction between cybersecurity_p and cybersecurity_s fits the landscape of “traditional” sciences. Consider physics, for example. Physicists do physics: they generate theories, they think of clever ways to test the theories, and they experiment to instantiate the clever tests. Additionally, however, there is a set of people who study what the physicists do, how the physicists operate, and what the implications are of what the physicists are reporting. These people—philosophers of physics—study the way the practice of physics is undertaken, as well as the implications of the discoveries of the physicists. The philosophers of physics focus on experimental method, the epistemological foundations that ground the claims of the physicists, and the like. There are other groups of this sort for other sciences, too: philosophers of biology, philosophers of cosmology, and so forth. Collectively, the group comprises the philosophy of science field. Sometimes, the scientists themselves are also philosophers of their respective sciences, but those cases are fairly rare. By and large, but not exclusively, a researcher of the sort under discussion here is chiefly a scientist (a physicist, a biologist, a cosmologist, etc.) or chiefly a philosopher of science. Correspondingly, the distinction between cybersecurity_p and cybersecurity_s fits this structure: cybersecurity_p researchers correspond to the scientists, and cybersecurity_s researchers correspond to the philosophers of science. In that sense, cybersecurity_s could instead be labeled “philosophy of cybersecurity.”^iv

The third indicator that cybersecurity_p and cybersecurity_s are distinct fields of research is that the distinction enables the evaluative element of science to arise for cybersecurity. Just as the physicist could do physics research either scientifically or unscientifically, so, too, a cybersecurity_p researcher is capable of undertaking cybersecurity_p research scientifically or unscientifically.^v Note, importantly, that in both cases, the scientist still undertakes the “base” activity: the physicist still undertakes physics, and the cybersecurity_p researcher still undertakes cybersecurity_p research, regardless of whether the research is done scientifically or unscientifically. Neither researcher undertakes the philosophical task: the physicist (in the example) is not undertaking philosophy of physics while performing physics research, and the cybersecurity_p researcher is not undertaking cybersecurity_s research while performing cybersecurity_p research. These are different fields, with different targets of study. The same separation holds true for the evaluation of the research, as well: the cybersecurity_p researcher, regardless of whether he or she does the work scientifically or not, still does not undertake cybersecurity_s research. If we fail to distinguish cybersecurity_p from cybersecurity_s, we are left only with “cybersecurity research” as a singular bulk entity, and our hunt for a “science of cybersecurity” reduces to the oversimplification of attempting to judge whether cybersecurity research as a whole is scientific. No unifying answer will surface from that inquiry (indeed, none has thus far), chiefly because that task is ambiguous. To disambiguate the task, we need the capability to evaluate cybersecurity_p research and distinguish scientific cybersecurity_p research from unscientific cybersecurity_p research. Cybersecurity_s research is what provides the tools for making that evaluation.

Two small tangent discussions involving the qualities of cybersecurity_s and cybersecurity_p are in order before proceeding.^vi The first involves defining the members of the group labeled “cybersecurity_p researchers.” The uniqueness of the computing discipline blurs the line that separates engineers and scientists in that domain.^vii The blurring introduces a potential complication: insofar as the narrative thus far has correlated cybersecurity_p researchers with “scientists,” it is unclear (for example) whether industry software engineers are scientists—cybersecurity_p researchers—in the same way that university computer science department faculty members are scientists. In the present context, the complication is sidestepped by recognizing that it is not a researcher’s role that invokes the “cybersecurity_p” label, but rather it is the researcher’s action that invokes the label. So long as a researcher is engaged with the activity of defending technological assets (broadly construed, as discussed at the outset of this section), that researcher (for present purposes) is undertaking cybersecurity_p research at that time. Put another way, cybersecurity_p and cybersecurity_s are areas of research, rather than classificatory roles, so specific roles—software engineer, faculty member, etc.—cannot be intrinsically linked to cybersecurity_p (or cybersecurity_s). Just as the same person might, at one time, undertake experimental physics research (as a scientist) and might, at another time, undertake a study of the metaphysical implications of that experimental physics research (as a philosopher of physics), so, too, an industry software engineer (or a university faculty member) might undertake cybersecurity_p research at one time and cybersecurity_s research at another time. The subject matter, not the researcher’s role, delineates cybersecurity_p from cybersecurity_s.

Second, with respect to the domains of the two fields, the inherent adversarial nature of cybersecurity_p reveals an interesting difference between its output and the output of some of the traditional sciences to which it has been analogized thus far. Because cybersecurity_p researchers operate within a dynamic (adversarial) environment, the results of their research often are rendered obsolete by their adversaries. Accordingly, cybersecurity_p researchers must frequently revisit (and revise) previously-obtained results. Traditional scientists (physicists, for example) face no such dynamic environments. The results obtained by those scientists (assuming the results are veridical) remain valid and can be built upon, so the need rarely arises to return to square one. This distinction potentially explains an apparent mismatch between traditional scientists and cybersecurity_p researchers. Whereas traditional scientists are able to proceed, as part of the traditional scientific trajectory, from obtaining their results to interpreting them (for example, by attempting to generate laws to describe large swaths of results), cybersecurity_p researchers instead must contend with adversarial actions that render obsolete their previously-obtained results.^viii In these cases, tasks (such as the foundational unification of data and results into law-like generalities) that would normally be undertaken by scientists (cybersecurity_p researchers) fall instead into the domain of cybersecurity_s researchers.

Because cybersecurity_p is in a nascent state, it is only beginning to develop its own set of researchers focused on cybersecurity_s. At this early stage, the cybersecurity_s literature arises mainly from a select few researchers in cybersecurity_p who branch out with the occasional publication addressing cybersecurity_s. Examples of this sort include Roy Maxion (with his focus on experimental practice in cybersecurity_p), Fred Schneider (with his focus on urging cybersecurity_p researchers to search for potential scientific laws of cybersecurity_p), and Alexander Kott (with his approach to defining science and evaluating the fit between that definition and cybersecurity_p).^1,11,12 Although the bulk of the work done by these researchers lies in the cybersecurity_p domain, they address cybersecurity_s when they study the way cybersecurity_p is undertaken.

Although cybersecurity_s could be referred to by a different label (perhaps, as suggested earlier, ‘philosophy of cybersecurity’), it has instead received the ambiguous label ‘science of cybersecurity’, which has generated the confusion that the present work is aiming (in part) to disentangle. Indeed, the distinction between cybersecurity_p and cybersecurity_s has, in fact, been identified in several places in the literature. For example, the abstract to the 2010 JASON report opens by stating:

JASON was requested by the DoD to examine the theory and practice of cyber-security, and evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach, identify what is needed in creating a science of cyber-security, and recommend specific ways in which scientific methods can be applied. (JASON,¹³ p. v)

In the present terminology, JASON was contracted to investigate cybersecurity_p to determine whether cybersecurity_s could be developed. The following year, the US Government issued its strategic plan for cybersecurity research, in which it is noted that “the science of security has the potential of producing universal laws that are predictive and transcend specific systems, attacks, and defenses.” (Executive Office of the President,¹⁴ p. 11). It is not cybersecurity_p that would produce the universal laws; rather, cybersecurity_s would generate the laws that would thereby facilitate a higher level of success for cybersecurity_p.^ix

Nonetheless, in the years since, the debate concerning the “science of cybersecurity” has devolved due to the loss of keeping the referents of cybersecurity_s and cybersecurity_p distinct from each other. To illustrate, I will close this section with a clear, extended example of the field’s deep-rooted conflation of cybersecurity_s with cybersecurity_p. Although what follows is merely a single episode, it accurately exemplifies the lack of the distinction between cybersecurity_s and cybersecurity_p in the cybersecurity field.

In a two-issue burst in 2012, the National Security Agency’s The Next Wave periodical covered the subjects of “Developing a blueprint for a science of cybersecurity”¹⁵ and “Building a national program for cybersecurity science.”¹⁶ The titles of the two issues suggest an emphasis on cybersecurity_s, but the contents of the issues instead reflect a decidedly even mixture of pieces focused on cybersecurity_p and pieces focused on cybersecurity_s.

Then, in 2015, The Next Wave revisited the topic with its issue entitled “Building a Science of Cybersecurity: The Next Move.”¹⁷ In that issue, the same mixture of cybersecurity_s and cybersecurity_p contributions emerges. However, the Guest Editor’s Column that opens the publication, penned by Stuart Krohn, offers hope that the distinction between cybersecurity_p and cybersecurity_s has taken root. Krohn identifies several important cybersecurity_s foci in the column, particularly when he writes:

It is essential that this new science be grounded on common definitions. Throughout the years, there has been much debate about the nature of science—what it is, and what methods are best. The works of Karl Popper on falsifiability, of Pierre Duhem on the testing of hypotheses as parts of whole bodies of theory, and of Thomas Kuhn on shifts in scientific paradigms, are fine examples of this. No doubt we will continue that broader discussion in relation to security science… (Krohn,¹⁷ p. i)

The mention of Popper, Duhem, and Kuhn, all of whom are renowned philosophers of science, highlights the earlier-articulated relationship between philosophers of science and cybersecurity_s researchers. The inclusion of those philosophers of science in the discussion appears to bode well for the establishment of the distinction between cybersecurity_s and cybersecurity_p. However, what follows the ellipsis in the quote above reveals that cybersecurity_s and cybersecurity_p are, instead, viewed as interchangeably as they ever have been: “…but that is not our interest here.” (Krohn,¹⁷ p. i). Krohn then describes the contents of the issue, which is dedicated to “the next move” in “building a science of cybersecurity”:

This issue of TNW describes research contributing to the development of security science. Included are highlights of two workshops initiated by the Special Cyber Operations Research and Engineering subcommittee: one on the adoption of cybersecurity technology, the other on computational cybersecurity in compromised environments…. Interspersed are several more in-depth papers on topics including power grid security, phishing, privacy, cyber-physical systems, and a competition aimed at building better code. (Krohn,¹⁷ p. i)

Despite directly distinguishing cybersecurity_s research and accurately identifying it as the philosophy of science correlate to cybersecurity_p, Krohn proceeds to conflate cybersecurity_s with cybersecurity_p by classifying material that unambiguously falls under cybersecurity_p as “research contributing to the development of security science.” The result is that the issue dedicated to building a science of cybersecurity—dedicated to cybersecurity_s research of the sort initially mentioned by Krohn in his column—instead is filled with cybersecurity_p research.

We see, then, that when one inquires whether there can be a “science of cybersecurity,” there are two significant questions being asked simultaneously:

“Can cybersecurity_p be scientific?”

“Can cybersecurity_s exist?”

The “debate” about the issue arises when discussants intend to address one interpretation of the question without acknowledging which interpretation is intended. By distinguishing cybersecurity_p from cybersecurity_s, we are able to navigate the ambiguity.

3 Cybersecurity as protoscience

Karl Popper notes that “science must begin with myths – and with the criticism of myths; neither with the collection of observations, nor with the invention of experiments, but with the critical discussion of myths, and of magical techniques and practices.” (Popper,¹⁸ p. 177). This longer view of scientific development involves the protoscientific state, which comes before the transition to fully-fledged science.^x Popper places observational models and experimental design chronologically after the protoscientific stage because those are precisely the qualities that he deems necessary for scientific status. He frames those qualities in terms of falsifiability: a theory qualifies as a scientific theory if it is falsifiable, which means that it makes testable predictions that would render the theory false if actually observed.^xi Thus, for Popper, the collection of observations and the design of experiments are qualities of sciences, not protosciences.^xii

From this protoscientific state, two possible trajectories follow. On one trajectory, the protoscience could develop the observation-gathering, experiment-designing, model-based capabilities cited by Popper and Kott as the requisite qualities for genuine science. On the other trajectory, the protoscience could remain in the myth-criticizing state whereby its techniques and practices are neither fundamentally understood nor rigorously reliable. This latter type of development is one from protoscience to pseudoscience.^xiii

Distinguishing cybersecurity_p from cybersecurity_s leaves us in position to ascertain where cybersecurity_p rests on the trajectory of scientific development. More specifically, because classifying cybersecurity_p is a task that lies under the purview of philosophy of science, we see that assessing the scientificity of cybersecurity_p is a cybersecurity_s task.^xiv The argumentation contained in the previous section, then, can be put to work to indicate whether cybersecurity_p is scientific. It will be cybersecurity_s, particularly with respect to its overlap with philosophy of science, that will provide answers about whether cybersecurity_p is scientific.

In fact, there is a very clear sense in which the “science of cybersecurity” case is an ideal candidate for adjudication via the philosophy of science literature. Sven Ove Hansson characterizes the denotation of our use of the word ‘science’ as follows:

It [our usage of the term ‘science’] can focus on the descriptive contents, and specify how the term is actually used. Alternatively, it can focus on the normative element, and clarify the more fundamental meaning of the term. The latter approach has been the choice of most philosophers writing on the subject. (Hansson,⁸ p. 4)

We see (from the material presented in Section 2) that the cybersecurity literature currently conflates the two possible denotations—cybersecurity_p and cybersecurity_s—of our usage of the ‘science of cybersecurity’ terminology. These correspond to Hansson’s descriptive and normative uses, respectively. Cybersecurity_p is the term that describes the activity—the practice—of cybersecurity. By contrast, cybersecurity_s is the term that captures the “normative element,” the “fundamental meaning” of the term ‘cybersecurity,’ in terms of the discipline’s properties and whether they qualify the practice of cybersecurity as scientific. Accordingly, by distinguishing the two uses, we are in position to put that distinction to work by using cybersecurity_s to analyze cybersecurity_p. The remainder of this section takes the first steps—but only the first steps—down that path.

It is worth considering the scientific status of cybersecurity_p because understanding that status can guide our expectations about the evolution of the field and the results we hope to achieve via cybersecurity_p. Indeed, perhaps the impetus behind the recent urgency to establish cybersecurity_s is the fear that cybersecurity_p could end up being pseudoscientific. This is the first clue that cybersecurity_p is protoscientific: those who are pioneering the cybersecurity_s literature raise concerns that cybersecurity_p exhibits traits that are symptoms of a pseudoscience. For example, nearly all calls for the development of a “science of cybersecurity” cite the present lack of predictive ability, the lack of repeatable results, and the need to resort to reacting to attacks (rather than the ability to anticipate them) that pervade cybersecurity_p:

We need a science of cybersecurity [emphasis in the original] that puts the construction of secure systems onto a firm foundation by giving developers a body of laws for predicting the consequences of design and implementation choices (Schneider,¹² p. 47).

In cyber security we also need measurements that are dependable and error-free; undependable measurements make for undependable values and analyses, and for invalid conclusions. A rigorous experimental methodology will help ensure that measurements are valid, leading to outcomes in which we can have confidence (Maxion,¹¹ p. 344).

These claims suggest a concern that cybersecurity_p is pseudoscientific. This would cast cybersecurity_p with the same lot, for example, as astrology, climate change denial, and psychokinesis. Those pseudosciences present sparse and uncontrolled evidence for their claims, fail under comprehensive scrutiny, lack metrics for accurate measurement, and are unable to generate the reliable predictive claims that legitimate sciences are capable of generating. Some of those qualities appear to be applicable to cybersecurity_p presently.

To characterize these concerns a bit more formally, we return to the work of Hansson. Hansson advances, through extended analysis, the following definition for ‘pseudoscience’: “A phenomenon is pseudo-scientific if and only if it belongs to a doctrine such that: (1) the doctrine is not scientific, and (2) major proponents of the doctrine try to create the impression that it is scientific.” (Hansson,²⁰ p. 174).^xv Because Hansson defines ‘pseudoscience’ in terms of ‘science,’ a proper application of his definition requires the deployment of a definition for ‘science.’ This is where Kott’s definition of ‘science’ re-enters the discussion: insofar as science involves a collection or family of models, a pseudoscience is a movement such that: (1) it does not involve well-established models; and (2) the proponents of the movement try to create the impression that its models are well-established.^xvi Thus, cybersecurity_p can avoid a pseudoscientific fate so long as: (1) it involves well-established models; or (2) its proponents do not illegitimately aim to create the impression that its models are well-established. A case can be made that neither disjunct is overwhelmingly satisfied at this point in the development of cybersecurity_p.

Concerning (1), cybersecurity_p has not yet reached a state where its models are well-established. Indeed, a driving motivation for this special issue is to investigate the very utility of models and their use in cybersecurity_p. Finer features of the models that Kott deems worthy to generate a scientific cybersecurity_p include the requirements that the models:

Are expressed in an appropriate rigorous formalism;

Explicitly specify assumptions, simplifications and constraints;

Involve characteristics of threats, defensive mechanisms, and the defended network;

Are at least partly theoretically grounded;

Yield experimentally testable predictions of characteristics of security violations (Kott,¹ p. 3).^xvii

The fledgling cybersecurity_s work that exists directly challenges the applicability of many of the features on Kott’s list to the existing models in cybersecurity_p, which thereby challenges whether such models qualify as “well-established.” For example, Maxion et al.²¹ lament the lack of transparency in cybersecurity_p experimentation. Schneider¹² notes the present lack of scientific laws in cybersecurity_s research, which impacts the scope of the models that can be generated for use in cybersecurity_p. Rossow et al.²² paint a grim picture of the scientific legitimacy of experimentation in malware research. Hatleback and Spring¹⁰ identify the difficulty of generating sound experimental design when dealing with the engineered mechanisms that are prevalent in computing. This sample of the cybersecurity_s literature shows that it would be quite difficult to argue convincingly that the current models in place in cybersecurity_p could be characterized as “well-established”.^xviii

Concerning (2), the analysis is not as clear-cut. From one perspective—that of the cybersecurity_s researchers—it is very clear that there are no illegitimate claims of scientificity for cybersecurity_p occurring. This much is evident from the selection of the literature that was cited above, all of which identify the places in which cybersecurity_p currently falls short in terms of the qualities articulated by Kott. However, one could argue that the very subset of cybersecurity_p researchers who are the targets of that cybersecurity_s literature are illegitimately creating the impression that their cybersecurity_p models are well-founded.^ixx To adjudicate this discrepancy, it is helpful to appeal to a unique feature of the cybersecurity field that makes an important difference. Because the cybersecurity_s discipline is so nascent, its researchers are, in fact, still heavily involved in cybersecurity_p. Thus, despite the presence of some cybersecurity_p researchers who may be illegitimately creating the impression that the models of cybersecurity_p are well-founded, it certainly is not the case that, on the whole, the proponents of cybersecurity_p are doing so. In this respect, it is the cybersecurity_s researchers who are shielding cybersecurity_p from a potentially pseudoscientific fate.

So, where does that leave the status of cybersecurity_p? Since Hansson’s (1) is satisfied, cybersecurity_p is not scientific (presently). However, since Hansson’s (2) is not satisfied, neither is cybersecurity_p pseudoscientific (presently). Instead, cybersecurity_p occupies that state identified by Popper as pre-scientific. And yet the potentiality remains that cybersecurity_p is actually pre-pseudoscientific. To apply Popper’s description, cybersecurity_p exhibits techniques and practices that seem magical: extant and sometimes effective, yet not wholly manipulable nor universally deployable. Cybersecurity_p is a protoscience.

4 Conclusions

The history of science is a story of disciplines evolving and devolving, finding success and suffering failure. The discipline of cybersecurity is now entering that story. Only hindsight yields the perspective necessary to categorize a discipline accurately. Indeed, as Kuhn observed in the work in which he first defined ‘protoscience,’

I claim no therapy to assist the transformation of a proto-science to a science, nor do I suppose that anything of the sort is to be had…. A sentence I once used when discussing the special efficacy of mathematical theories applies equally well here: “As in individual development, so in the scientific group, maturity comes most surely to those who know how to wait.” Fortunately, though no prescription will force it, the transition to maturity does come to many fields, and it is well worth waiting and struggling to attain. Each of the currently established sciences has emerged from a previously more speculative branch of natural philosophy, medicine, or the crafts at some relatively well-defined period of the past. Other fields will surely experience the same transition in the future. Only after it occurs does progress become an obvious characteristic of a field. (Kuhn,¹⁹ p. 245)

Sometimes, even hindsight is not enough. Renaissance-era alchemy was protoscientific, yet historians remain conflicted about whether it evolved to scientific success in the form of chemistry, or whether it devolved to pseudoscientific failure in the form of a panpsychic, spiritual, or Jungian mysticism.²⁴ Even now, then, it is not clear whether Renaissance-era alchemy was pre-scientific or pre-pseudoscientific. And even in cases where hindsight reveals an incontrovertible pseudoscience, such as the astrology that was practiced contemporaneously with alchemy, scientific giants like Johann Kepler can be found partaking in the pseudoscience.^xx At this early stage of cybersecurity research, then, it seems premature to label cybersecurity_p anything but a protoscience; it is a field for which, as Kuhn would surely agree, we cannot yet judge whether its progress will become substantial enough to cross the threshold into the maturity of established science.

The adoption of a model-driven paradigm in the discipline of cybersecurity offers the opportunity for its transition to maturity, particularly if one adopts a model-based definition for science such as the one formulated by Kott. However, for the history of science to include that story, researchers must mark the distinction between cybersecurity_p and cybersecurity_s. The protoscience of cybersecurity_p is capable of transitioning into a science, but it will take the development of cybersecurity_s to enable that transition.

Footnotes

Funding

This research received no specific grant from any funding agency in the public, commercial, or not-for-profit sectors.

Notes

Author biography

Dr. Eric Nelson Hatleback is a Visiting Research Associate Professor in the University of Pittsburgh’s School of Computing and Information. He is also a Security Analysis Researcher at CERT in Carnegie Mellon University’s Software Engineering Institute.

References

Kott

. Towards fundamental science of cyber security. In: Pino

(ed) Network science and cybersecurity. New York: Springer, 2014, pp. 1–13.

Suppes

. Representation and invariance of scientific structures. Stanford: CSLI Publications, 2002.

Cartwright

. How the laws of physics lie. Oxford: Oxford University Press; 1983.

Popper

. The logic of scientific discovery. New York: Basic Books, 1959.

Popper

. Conjectures and refutations: the growth of scientific knowledge. New York: Basic Books, 1962.

Pigliucci

. The demarcation problem: a (belated) response to Laudan. In: Pigliucci

Boudry

(eds) Philosophy of pseudoscience: reconsidering the demarcation problem. Chicago: The University of Chicago Press, 2013, pp. 9–28.

Hansson

. Defining pseudoscience and science. In Pigliucci

Boudry

(eds) Philosophy of pseudoscience: reconsidering the demarcation problem. Chicago: The University of Chicago Press, 2013, pp. 61–77.

Hansson

. Science and pseudo-science. 2014.

Schiaffonati

Verdicchio

. Computing and experiments: a methodological view on the debate on the scientific nature of computing. Philosophy & Technology. 2014; 27: 359–376.

10.

Hatleback

Spring

. Exploring a mechanistic approach to experimentation in computing. Philosophy & Technology 2014, pp. 441–459.

11.

Maxion

. Making experiments dependable. In: Jones

Lloyd

(eds) Dependable and historic computing: essays dedicated to Brian Randell on the occasion of his 75th birthday. Berlin: Springer-Verlag, 2011, pp. 344–357.

12.

Schneider

. Blueprint for a science of cybersecurity. The Next Wave 2012; 19: 47–57.

13.

JASON. Science of cyber-security. Report, McLean, The Mitre Corporation, 2010.

14.

Executive Office of the President. Trustworthy cyberspace: strategic plan for the federal cybersecurity research and development program. Washington DC: National Science and Technology Council, 2011.

15.

Developing a blueprint for a science of cybersecurity (Special Issue). The Next Wave 2012; 19.

16.

Building a national program for cybersecurity science (Special Issue). The Next Wave 2012; 19.

17.

Building a science of cybersecurity: the next move (Special Issue). The Next Wave 2015; 21.

18.

Popper

. Philosophy of science: a personal report. In: Mace

(ed) British philosophy in the mid-century: a Cambridge symposium. London: George Allen and Unwin, 1957, pp. 155–191.

19.

Kuhn

. Reflections on my critics. In: Lakatos

Musgrave

(eds) Criticism and the growth of knowledge: proceedings of the international colloquium in the philosophy of science. London: Cambridge University Press, 1965, pp. 231–278.

20.

Hansson

. Defining pseudo-science. Philosophia Naturalis 1996; 33: 169–176.

21.

Maxion

Longstaff

McHugh

. Why is there no science in cyber science? In: NSPW ’10 Concord, MA, pp. 1–5. ACM.

22.

Rossow

Dietrich

Grier

et al . Prudent practices for designing malware experiments: status quo and outlook. In: IEEE symposium on security and privacy, 2012, pp. 65–79. Piscataway, NJ: IEEE.

23.

Hutchins

Cloppert

Amin

. Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Bethesda, MD: Lockheed Martin Corporation, 2011.

24.

Principe

Newman

. Some problems with the historiography of alchemy. In: Newman

Grafton

(eds) Secrets of nature. Cambridge, MA: The MIT Press; 2006, pp. 385–431.

25.

Kepler

. Concerning the more certain fundamentals of astrology. New York: Clancy Publications, 1942.