Monday, October 26, 2009

The art and science of infosec

"The art of war and the science of war are not coequal. The art of war is clearly the most important. It's science in support of the art. Any time that science leads in your ability to think about and make war, I believe you're headed down a dangerous path."
Lieutenant General Paul K. Van Riper

I think it's no different in infosec, especially in the senior decision-maker roles. Sure, there are cool technologies to learn, awesome risk analysis models to study, complex financial calculations to crunch, but in the end, these are but tools for the practitioner, not ends in themselves. Just because some report says a risk should be rated high doesn't mean it should be taken at face value. Nor should any defense be considered adequate for any length of time.

Too many security folk, especially consultants and auditors, seem to fall into the trap of having the science drive their work more than the art. I think there is a tendency to do this since many of us infosec folks started off in engineering. And yeah, in theory, engineering should be tamed by mathematics and science. But security, especially defense, has a huge human element. And this is where the art is necessary.

Optimizing specific defenses with statistical analysis is useful, but remember that attacks evolve. By the time you perfect a defensive technique, it'll be obsolete. For an example, read up on the history of the "invincible" Fort Pulaski.

But, it's still better than the cargo cult science of best practices in security.

What skills are useful in the art? Obviously experience and people skills. But to be more specific... well, off the top of my head: good threat modelling (with a healthy dose of game theory), logistics, behavioral economics, theory of mind, what my boss calls "BS detection", projecting integrity (not tripping other people's BS detectors), conviction and courage.


Christophe Pradier said...

Just because it's numbers-based doesn't mean it's science. In fact, the scientific approach only means that you postulate hypotheses and see with time and experiments whether they're true. That doesn't mean that you apply any report that has been fed to you, fortunately :-)

I'm completely OK with the content of your article except with the word science, which I feel is improperly used.

Author, Planet Heidi said...

Agreed that numbers != science. Perfect example: qualitative risk assessments - more art than science, but they do kick off somewhat useful numbers. Quantitative risk assessments -> science. But in infosec, quantitative data is as common as unicorns.

I'll stand by Van Riper's use of the word "science" and my appropriation of his idea into the infosec space. Unlike the laws of physics or math, infosec is adversarial. By the time you figure out what works and publish the results, the bad guys will move to a new attack method. Not that I'm saying it's not important to hypothesize and test controls. I'm saying that at this point in the game, the "artistry" of the defender should also be recognized.