On the Science of Security
Abstract:
In a recent article [1], Cormac Herley and P.C. van Oorschot present an extremely informed discussion on the philosophy of science in general and the prospects for a science of security in particular. (Editor's note: For related work, see the sidebar.) Although I agree with most of what Herley and van Oorschot say, they include a claim (made originally by Herley and van Oorschot in "SoK: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit" [2] and by Herley in an even earlier paper [3]) which I think is misguided and which has the danger of doing damage to the field. All three articles claim that computer security fails to avoid unfalsifiable claims and statements. Insofar as this statement is simply pointing out that security practitioners often make statements that are vague or imprecise, I don't disagree. One could argue that we all know what they really mean, but as Herley and van Oorschot point out in "SoK: Science, Security, and the Elusive Goal of Security as a Scientific Pursuit" [2], I've already noted that the use of hidden assumptions is the path to neither science nor security [4]. However, Herley, in his earlier paper, and Herley and van Oorschot, in their more recent articles, clearly believe that this unfalsifiability is somehow inherent in the study of security, per se. As the authors put it in both of their joint articles: "claims of necessary conditions for real-world security are unfalsifiable. Claims of necessary conditions for formally-defined security are tautological restatements of assumptions." To gain a better understanding of why I think that this claim is misguided, it is worthwhile to consider an example that is presented in both articles in support of it.