
2 The Role of Social, Behavioral, and Decision Sciences in Security Science
Pages 21-33

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 21...
... Social, behavioral, and decision sciences provide the reservoir of knowledge for addressing some of these questions and for making other research more useful for those responsible for vulnerable systems. Such expertise can also be vital, especially during design, in revealing any disconnects between intention and actual use and in articulating the variety of potential users and their contexts.
From page 22...
... The primary institutional barrier to utilizing social, behavioral, and decision science expertise is that these disciplines are largely absent from the cybersecurity research community. Indeed, the community often lacks even the absorptive capacity to identify these needs, recruit the exper
BOX 2.1 The Law, Policy, and Cybersecurity Research
As technology has evolved, law and policy have had to adjust to keep up with cybersecurity challenges ranging from privacy to copyright.
From page 23...
... Involving the social, behavioral, and decision sciences directly should be more effective than attempting to create cybersecurity versions of those disciplines from scratch.1 Approaches to security and technology need to be seen in the larger context of all that a user or organization must accomplish in the sociotechnical domain in which it operates.
From page 24...
... One example of a project that integrated social and organizational analysis with technical research analyzed the "spam value chain."5
2 Caputo et al. specifically studied software development and barriers to attending to security and usability needs (D.D.
From page 25...
... For example, there are privacy concerns related to data collection and surveillance. Hardware and power constraints mean that approaches to improving security that assume plentiful computing capacity or readily available network connectivity and power will not apply.
From page 26...
... CONTRIBUTIONS FROM SOCIAL, BEHAVIORAL, AND DECISION SCIENCES
Collaborating with social, behavioral, and decision scientists would put their substantive theories and methodological procedures at the service of the cybersecurity community. Achieving that integration will, however, require a sustained commitment.
From page 27...
... This work applies theories about multi-team systems to cybersecurity incident response teams. Not only has that work tested existing theories; it has also led to new processes for documenting multi-team systems, whether or not they involve cybersecurity.
From page 28...
... Crossing disciplinary boundaries requires deep, sustained participation from researchers in the relevant disciplines, not just expecting experts in one area to cover topics outside their home discipline or to work in parallel, hoping that the pieces mesh. If the cybersecurity community is to engage social scientists, there must be compelling reasons why research in cybersecurity would enhance their careers.
From page 29...
... INCENTIVES, RESOURCES, AND RISK IN CYBERSECURITY
This section examines in more detail two specific topics of particular importance to cybersecurity practices in real-world environments: (1)
From page 30...
... For instance, an analysis of airport security efforts suggests that sometimes investing in improving non-security aspects of the systems can improve security more than security measures.11 Even considering the narrower challenge of specifically cyber-related attacks and defenses, examining resource availability for each can be instructive. That examination should consider the incentives shaping the cybersecurity actions of all actors, from the most casual "script kiddies" to the most competent agencies of first-rate powers.
From page 31...
... This initiative and its results are an opportunity to understand better what processes, technologies, and structures make efforts to maintain and improve open-source projects effective.
Risk Analysis
A formal risk analysis provides a way to organize information about different kinds of weaknesses a system may have -- from implementation errors to inadequate backup and recovery mechanisms -- and the kinds of
From page 32...
... The toolkit for such analyses includes systematic analyses of existing performance data, translation of existing research into model terms, and disciplined expert elicitation.14 A much more ambitious way of using risk analysis is to try to assess the absolute level of risk in a system. Often, the latter is unproductive or even counterproductive, as it leads to large, complicated, unreviewable projects with an incentive to leave out things that are not easily quantified.
From page 33...
... Knowledge regarding user and organizational incentives for or obstacles to implementing changes in practice and policies is needed for such changes to be put into place. An assertive approach to multidisciplinary integration could lead to a culture of foundational research that involves a conscious and sustained interplay between technical advances and incorporating results from the social and behavioral sciences about how to change systems, developer practices, user expectations, and institutional policies.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.