What would a 'Science of Security' look like? This question has received considerable attention over the past 10 years. No one argues against the desirability of making security research more 'scientific.' But how would one go about that? We argue that making progress on this requires clarifying what 'scientific' means in the context of computer security, and that has received too little attention. We pursue this based on a review of literature in the history and philosophy of science and a belief that work under the theme 'Science of Security' should align with, and ideally benefit from, what has been learned over a few hundred years in science. We offer observations and insights, with a view that the security community can benefit from better leveraging past lessons and common practices well accepted by consensus in the mainstream scientific community, but which appear little recognized in the security community.

Keywords: cybersecurity research, deduction, empirical research, IEEE Symposium on Security and Privacy, induction, limitations of models, Science of Security, security
Persistent URL: dx.doi.org/10.1109/MSP.2018.1331028
Journal: IEEE Security and Privacy
Herley, C. (Cormac), & Van Oorschot, P. (2018). Science of Security: Combining Theory and Measurement to Reflect the Observable. IEEE Security and Privacy, 16(1), 12–22. doi:10.1109/MSP.2018.1331028