Theory plus practice

Geraint Price in February 2017

Geraint Price at the first RISCS practitioners panel in February 2017

At the first quarterly RISCS community meeting for 2017, Royal Holloway senior lecturer Geraint Price explained the purpose of the practitioners panel, which he leads. Collaboration, he said, is essential, so that the research RISCS academics undertake has practical relevance to the problems practitioners encounter every day, and so that practitioners can benefit from new insights as they occur.

Practitioners who want to join the community should email briefly outlining their interest in RISCS’ activities and mentioning whether they want to join the practitioners panel or find out more.

Price began with a picture of a hammer: as the saying doesn’t quite go, when the tool you have is a hammer you hit everything you see, whether or not it looks like a nail. Many of the security tools in common use are like this – simplistic and dating to an era with different requirements, chiefly the military and financial sectors in the 1970s. Yet we keep using them anyway, despite the fact that we’re in a different era where many of our requirements have changed.

A key issue is the blinkered perspective caused by the division of disciplines into silos, even within science itself. “As a discipline, we’re drawing far too narrow boundaries,” Price said, going on to quote Leonardo da Vinci: “Learn how to see. Realize that everything connects to everything else.”

Price set out three examples of how changing perspectives and requirements can turn something that works into a disaster or make functional an idea previously dismissed: the de Havilland Comet; Ignaz Semmelweis’s insistence that washing hands between patients would eliminate many infections; and Barry Marshall’s claim that stomach ulcers were caused by bacteria rather than stress, spicy food, or too much stomach acid. In the first case, the de Havilland Comet, there were several instances when the world-first commercial jet airliner dropped out of the sky. These were traced to the combination of a slightly too-acute angle on the corners of the windows coupled with newly-reached higher speeds and altitudes. The combination caused stress fractures that ripped the plane apart; the incidents inspired many advances in materials science.

Semmelweis was right, we now know, but he failed to gain acceptance for his theories in the mid 19th century because the science to explain his findings didn’t exist yet. It was only some years after his death in an insane asylum that Louis Pasteur confirmed the germ theory that explained the effect Semmelweis accurately observed. Unfortunately for Semmelweis, the science at his disposal was not yet mature enough to provide the tools he needed to convince his peers.

Marshall was also correct but, unable to get approval for the necessary research, was ignored until he finally infected himself with h. pylori in order to prove his point. His case shows the way scientists can hold onto inaccurate beliefs for too long when proof is not forthcoming – a problem exacerbated in cyber security by the presence of a vendor industry that funds experts to promote those same beliefs.

Price argued that something of the same situation applies now to the “CIA triad: confidentiality, integrity, and availability. “We need a better way to look at security,” he said. “We are using 1970s ideas to solve 21st century problems.”

The UCL researcher John Adams identifies three kinds of risk (PDF): those that can be perceived directly (riding a bike); those that can be perceived through science (cholera, which requires a microscope); and those we cannot agree on and cannot perceive (for example, climate change or low-level radiation). Price argues that many of the risks we face in the cyber world fall into the third, virtual category, which makes it hard for both researchers and users alike to grapple with those problems.

The results of work done at Royal Holloway, some funded by RISCS, some by the TREsPASS project, suggest that it’s essential to embrace multiple stakeholders rather than the imposition of control from a single viewpoint that is common today. The RISCS Cyber Security Cartographies project used complementary views of the flow of information between people and across the data network to find gaps that would have escaped notice otherwise. TREsPASS has modelled these multiple perspectives in Lego to get a range of people to engage with designing the system; the result is to force them to explain the problems they have and their perspectives. The goal is to change the way people perceive risk.

Cyber security is an area where scientific roots are a problem. It’s not a hard science studying natural phenomena, even though it uses some of the techniques of scientific disciplines such as mathematics for cryptography and computer science for system engineering. Ultimately, however, the “things” security researchers study are all social/societal constructs. This must have some effect on the research paradigm, or work would have stopped at the one-time pad or the Bell-LaPadula model, which offered provably secure access control but was utterly unusable. The only way cyber security can move forward as a science is by listening to others – especially practitioners, who experience the problems at first hand.

In this collaboration, the researchers hope to gain:

  • case studies;
  • new ways of looking at the world;
  • help engaging with different disciplines such as law and others;
  • help showcasing the problems they can solve;
  • joint development of an enlarged toolkit.

In return, the researchers hope practitioners will gain:

  • the ability to help shape the future research agenda so it’s more relevant to their real-world needs;
  • engagement with testing and validating research outputs;
  • new ways of looking at the problems they encounter daily.

Price closed by imagining the state he hopes cyber security will have reached in 2042. By then, he hopes:

  • the field has tapped every discipline which can and should have an impact on information security;
  • methods to facilitate discussion among these disciplines have been developed, taking into account variations in language, style, and methodology;
  • a toolbox of RISCS-style projects has been developed, testing, and fielded;
  • academia and industry have a better track record of collaboration;
  • academia has developed a greater value for research that is interdisciplinary, practical, and explorative.

In the meantime, RISCS welcomes input from practitioners and other research projects.

About Wendy M. Grossman

Freelance writer specializing in computers, freedom, and privacy. For RISCS, I write blog posts and meeting and talk summaries

Leave a Reply