Computer Science as a Social Science: Applications to Computer Security Jon Pincus, Microsoft Research (joint work with Sarah Blankinship, Microsoft STU) February 3, 2006 Computer science generally studies social problems rather than physical ones … … so computer science is really
Presentation Transcript

Computer Science as a Social Science:

Applications to Computer Security

Jon Pincus, Microsoft Research

(joint work with Sarah Blankinship, Microsoft STU)

February 3, 2006

… so computer science is really a social science.

“In the caste system of operating systems, the kernel is king. And like most kings, the kernel is capable of defending itself from the lesser citizens, such as user-mode processes, through the castle walls of privilege separation. However, unlike most kings, the kernel is typically unable to defend itself from the same privilege level at which it operates. Without the kernel being able to protect its vital organs at its own privilege level, the entire operating system is left open to modification and subversion if any code is able to run with the same privileges as the kernel itself.”

-- from Bypassing PatchGuard on Win64, skape and Skywing, in Uninformed (3), December 2005

Security: not primarily a technology problem

“Secure systems have to resist not only technical attacks, but also coercion, fraud, and deception by confidence tricksters. For this reason, as well as physics, chemistry and mathematics, [security engineering] involves aspects of social science, psychology and economics.”

-- Wikipedia on Security Engineering

See also: Ross Anderson’s 2001 book Security Engineering

Today’s security landscape
  • A “holistic system of systems”
  • Identity theft
    • Database theft, phishing, insiders, …
  • Organized crime is engaged
  • Significant economy around vulnerabilities, etc.
  • Strategic corporate battleground
    • Sony DRM, Microsoft, Oracle, Valve
  • Geopolitical implications
What social science disciplines have insights for computer security?

Does this lens yield insights about specific problems?

Some useful disciplines
  • Law
  • Narratology
  • Organizational behavior
  • Philosophy of technoscience
  • Political science
  • Psychology
  • Risk management
  • Systems theory
  • Anthropology
  • Criminology
  • Cultural Studies
  • Sociology
  • Economics
  • Epistemology
  • Failure analysis
  • Forensics
  • Game theory
  • (Human) error analysis
Some interesting topics
  • Measurement
  • “User Error”
  • Privacy
  • Sociology of “vulnerabilities”

And also: Liability, DRM and Watermarking, Patching/installation, …

Measurement
  • see part 2 of my Challenges in Security and Privacy (2004) for an overview of today’s limitations
  • Attack surface measurement (Manadhata and Wing)
  • Multi-attribute risk assessment (Butler)
  • Defect Prediction (Li et al.)
  • “Days of Risk” (Ford et al.)
“User Error”
  • Computer security professionals often dismiss issues as “user error”
    • In other words, “those users sure are stupid”
    • Including people like us … so it’s clearly untrue
  • Resilience engineering
  • Error analysis
  • Standpoint theory
  • Design
  • Human-computer interaction (HCI)
Privacy
  • Behavioral Economics (Odlyzko, Acquisti)
  • Panoptic society (Bentham, Foucault)
    • Criminology: do surveillance cameras work?
  • Systems theory (“law of unintended consequences”)
  • Overall framing of the debate
      • Often-illusory “tension between security and privacy”
      • “You have no privacy - get over it!”
      • “Where’s the harm?”
      • “You shouldn’t worry if you have nothing to hide!”
    • Political science, standpoint theory, cognitive engineering…
  • Constitutional law and human rights
Sociology of “vulnerabilities”
  • Ideological differences
    • Different goals, assumptions, methods
  • “Responsible disclosure” debate
  • Economic models
    • see WEIS05 session on “Incentive Modeling”
  • ImmunitySec, Tipping Point
  • Microsoft’s “Blue Hat” workshops
Conclusion
  • Many social science disciplines have insights for computer security
  • The “social science” lens yields insights into many specific problems
  • It arguably does make sense to view computer security as a social science

Computer Science as a Social Science:

Applications to Computer Security

Jon Pincus

Microsoft Research

February 3, 2006