Toward a Science of Cybersecurity

As technology advances and our dependence on systems increases, so do the threats and challenges in cyberspace. In this context, the question arises whether cybersecurity could, at some point, come to be considered a science in its own right. In the following post, we will explore the elements that support and hinder its development as a science, examining its relationship to existing disciplines, the need for systematic approaches, its measurement, and ethical challenges. Through this analysis, we seek to introduce the question and understand the possibilities and limitations of establishing a solid scientific basis for addressing its challenges.

Integrated approach

A scientific approach to cybersecurity has several advantages in quantifying and determining what will prevent, disrupt, or deter attacks. A science of cybersecurity could objectively demonstrate what works without having to rely on opinions, experience, or beliefs to make decisions. The challenge of defining it as such stems from its peculiar aspects, and it is loosely tied to the physical universe, with few a priori constraints for attackers and defenders. As an application of security to cyberspace, it denotes applied research that seeks to understand the extent to which a model meets its design requirements, while experimentation clarifies the behavior of an existing system.

By its very nature, its essential aspects cannot be easily formalized mathematically, which is part of the difficulty in developing it as a science. Practitioners deal with uncertainty and face real-world adversaries who frequently change their techniques, tactics, and procedures, requiring constant adaptation. This complexity makes formal research very demanding, but does not exempt it from relying on the same systematic approach to discovery and validation as other scientific and technological disciplines[1].

Cybersecurity has no inherent laws of nature like physics or chemistry, as it is an applied discipline that draws on mathematical constructs from computer science, such as automata theory, algorithmic complexity, and logic. Many points of intersection with formal fields are in the realm of computer science, such as cryptography, type theory, and model checking. Because the background against which it evolves is almost entirely human-created and digital, the constituent parts are inherently understandable, but the cybernetic universe is complex and sometimes exhibits emergent behavior that is neither predicted nor explained. While scientific disciplines are based on describing and understanding natural things, and engineering proposes how to design and produce artificial artifacts that have desired properties, cybersecurity may contain elements of both. Even before a science is developed, engineering generates rules of thumb and best practices that are useful but do not always work[2].

Moreover, the existence of "good guys and bad guys" requires the management of a dynamic tension to maintain a supposed consensus (analogous to a social contract). Since there are intentional adversaries, reasoning must refer to both the constructed universe and the actions and reactions of the adversaries, which is fertile ground for game theory, which is mathematically based. One can speculate that cybersecurity has mathematics as a natural way of reasoning about it, but no science (exact or social) is similar enough to derive its methods from it, although there are analogies with some fields and it shares features with sciences that provide directions for research[3].

The importance of data

Measurement is fundamental to science, and to quantify security, metrics must change over time to adapt to environments, but much of the experience involved in research is observational, and thus metrics are limited to the observable. For example, listing vulnerabilities and ensuring that a system is not vulnerable to them is at best a retrospective approach. Change detection helps identify anomalies, but correlating them with actual attacks requires more research and the application of insights from other fields. In addition, metrics are empirical and statistical in nature, so they cannot be applied to scenarios that are not well defined, and what cannot be observed (such as an unknown attack) cannot be measured. In addition, repeatability of results is required, which depends on adherence to criteria and standards. Therefore, it is not obvious how to combine measures into a single comprehensive representation, making it difficult to determine universal levels of cybersecurity[4].

The critical feature of data, whether observational or experimental, is that it is generalizable, so experience advances science only to the extent that it is possible to figure out what a result means in more general settings. In any case, there is a dearth of experimental results in cybersecurity, coupled with low standards for conducting and communicating experiments. Many practitioners follow formal principles and methods, even though they have different goals and priorities, which are reflected in procedures and different levels of abstraction or depth. A greater focus on market needs leads to a greater tendency toward applied research and development of real-world deployable technologies and practices, rather than more theoretical or exploratory work, which is also needed[5]. In addition, it is important to use research in other fields as a basis for understanding and solving one's own problems.

One intersection between science and cybersecurity is in what is known as "data science," with common applications of interest such as pattern recognition. One example is data analytics, with today's sophisticated, accurate, and powerful models that include processing and visualization. Another is event analysis, which uses statistical techniques to analyze data from multiple converging sources and is used in advanced monitoring systems. Finally, data-level security itself uses scientific techniques based on cryptography to protect confidentiality.

Modern cybersecurity seeks support from artificial intelligence (a branch of computer science) and, in particular, machine learning, where algorithms are trained to identify patterns, make predictions, or make decisions. This is proposed as an attempt to automate parts of the scientific method through mathematical techniques, so it is a process of knowledge induction in which data is observed to build a model that is shaped as a hypothesis[6].

Analogies and Limits

A search for analogies with other sciences allows us to find paths that have already been taken, according to similar types of problems and characteristics. We can mention economics, for the study of competing agents and trends; meteorology (based on physics), for the study of complex models and predictions; astronomy, for its eminently observational study; and agriculture, for its evolution under continuous attention in the presence of external evolutionary agents. A special mention goes to medicine, for the study of living systems at different levels of abstraction, and for the difficulty of quantifying outcomes for health, which, like safety, deteriorates over time. In particular, the field of immunology is uniquely similar to cybersecurity, as the immune system has an adaptive response, multiple censoring mechanisms, and immediate response to detection, and coincides with the need for controlled experiments and on different time scales[7].

Complexity is often cited as a constraint on scientific cybersecurity, but in many disciplines (such as biology) the objects of study are far from simple, and yet ways have been found to conduct experiments. Ethics is also cited as a limiting factor in defining justifiable research and unacceptable behavior, but in many fields (such as medicine) ethical issues have guidelines that guide experimentation.

According to all this, the apparent obstacles to establishing cybersecurity as a science should not be such, since every science has developed ways forward with its own fundamental constraints. This leads to the need to push for security that is built by design from rational and ethical principles based on logically coherent and publicly visible and criticizable definitions, concepts and theories[8].

Conclusions

Although cybersecurity faces challenges in establishing itself as a science due to its complex nature and lack of inherent natural laws, there are scientific and engineering disciplines that can provide guidance and inspiration. While experimentation and measurement present challenges, it is important to promote security that is built on rational and ethical principles, based on clear definitions and consistent theories. Despite the obstacles, cybersecurity can advance as a scientific discipline through a systematic approach, standards for experimentation and communication, and interdisciplinary research.