Given the many colourful vulnerabilities published (with or without logo) and attacks seen in the past 12 months, one wonders if IT Security works at all. Of course, 100% of all statistics are fake, and only looking at the things that went wrong gives a biased impression. So what’s ████ed up with IT Security? Are we on course? Can we improve? Is it still possible to defend the IT infrastructure?
Stefan Schumacher, director of the Magdeburger Institut für Sicherheitsforschung (MIS), will tell you what is wrong with information security and what you (or we) can do about it. He writes about his presentation in his own words:
Science is awesome. You aren’t doing science in infosec. Why not? Seems to be the overriding message of @0xKaishakunin #AusCERT2014
This was one tweet about my talk of security in a post-NSA age at the AusCert conference in Australia this year. It pretty much sums up my opinion about what is currently going on in the IT Security circus.
Why IT security is ████ed up certainly is a strong stance against what is going on in IT security in general and at conferences like DeepSec in particular. However, in the three to four decades that modern IT security has existed, we have come a long way in securing our machines, processes and networks. Still, certain fields of IT security are thoroughly ignored in research and practical application.
This has to do with computer science being the primary science behind IT security. Computer science is the child of mathematics as a formal science and of the engineering sciences. This limits the scientific methods to those used in those fields.
Unfortunately, IT security is more than just mathematics and engineering. Neither social engineering nor human behaviour can be explained with CS methods. Nor can they be combated with them. The same goes for political/policy problems, like intelligence services attacking our human rights in the digital living space. This is a political problem and we need a political solution for it. So political science also plays a role in IT security.
When we keep this in mind, we see that current IT security lacks further development in certain fields. So I propose to emancipate IT security research from Computer Science and turn it into a new field of science. We can use the methods and tools of CS, Maths and engineering, but also need the methods, tools and philosophies (!) of humanities and social sciences like psychology and pedagogy.
So let's go and create a new science. It will be fun and games until theories of science clash. 😉