Final Post on Mortman/Hutton and the Beginning of the End of the Beginning (Hopefully)
The last post on the Mortman/Hutton model today is the most important. You see, the primary idea (to me) behind the Mortman/Hutton model was never really to come to a strict or broadly accepted model for discussing what factors drive the creation and adoption of exploit code. That was and is a vehicle for what is my (our) primary aim – the sharing of information to help further our understanding of IT risk management and what we might call (for lack of a better term) the science of information security.
You see, a model is only a hypothesis. It is for testing, for falsifying, for evolving. And ours is no different. We welcome criticism and alternate theories. Heck, even I have problems with it: a couple of branches “don’t feel right” (the deductive logic isn’t as strong as I’d like), and the “measurement theory” behind the model as we use it is, to be nice about it, informal. We do welcome improvements.
And to that extent, this welcoming of changes to the model is our primary aim in developing and releasing the Mortman/Hutton model. We want it to be the first model to be written about and stored here for others to help evolve. It was birthed to help make this website a resource for those who seek knowledge about what it is that we do.
To that extent we will host our white paper here, and invite others to do the same for the theories/models they produce. Hopefully in the future we’ll expand the site’s capabilities, creating a sort of academic storehouse of information not just about ancillary information security science-like topics (like visualization), but of real discussion about the very epistemic nature of information security.
Epistemological Anarchy and Sensationalist Talk Titles
Which brings me to the second part of this blog post, answering a post Adam made discussing why he doesn’t like at least the title of David’s and my SecurityBSides talk – “Challenging the Epistemological Anarchist to Escape our Dark Age”. To be fair, Adam hasn’t heard the talk or really discussed what our assertion against Epistemological Anarchy (E.A.) is. Also, I’m not really all that against aspects of E.A. But here’s the crux:
Epistemological Anarchy is a philosophical concept offered by Paul Feyerabend. In short, Feyerabend suggests that there is no universal scientific method, or even that if there were one, we would be in jeopardy of tyranny to it rather than to the search for knowledge. Thus he proposed anarchy: as a reduction of Karl Popper’s falsification to the absurd, the only real universal truth to scientific discovery is “anything goes”.
And there is some appealing aspect to E.A., I’ll admit. At best, it challenges us to not conform to modern theories about our fields of study (and if you’ve read anything by me, you know I love to challenge conventional wisdom about InfoSec – even to a fault). However, at worst, it suggests that we give credence to even the most absurd irrational assertions (Feyerabend himself suggests that someday Rain Dances and Astrology might be “rediscovered” as having some aspect of truth in their claims).
To this extent, I find that many of our most notable “security rock star” types are readily dismissing our ability to apply any scientific method at all. Donn Parker and Marcus Ranum immediately spring to mind as those who not only offer no real rational set course of action in order to build knowledge or increase wisdom, but rather suggest that our version of shamanism is just fine and all we can ever aspire to. To me, this is a premature abortion of our field, what I would call a newly forming social science. In fact, take, for example, what Thomas Kuhn suggests are the stages of a natural science (you can look them up or follow my series over on the Verizon security blog).
I have no problem accepting that Kuhn would label us in what he calls the “protoscientific” stage: a stage of science that is described by somewhat random fact gathering (mainly of readily accessible data), and a “morass” of interesting, trivial, irrelevant observations. In the protoscientific stage there are a variety of theories (spawned from what he calls philosophical speculation) that provide little guidance to data gathering. (1)
Kuhn goes on to describe a second stage, where a theory comes to dominate all others and a “school” of “disciples” establish a discipline around the theory. Not to re-hash the rest of what Kuhn says about how a science evolves, but I’ll offer this. While I do want to push us out of Kuhn’s protoscience stage, I don’t see a predominant theory (or even despite the title of this blog – a “school” of disciples) forming just yet. Rather, NewSchool seems to me, with all apologies to Churchill, just the beginning of the end of the beginning. Our challenge is to use the positive aspects of Feyerabend’s E.A. to accelerate us past not only Kuhn’s “normal science” stage (where a predominant theory is held up and it spawns ancillary theories and models), but also past his “crisis” stage (where the predominant theory is falsified) into a stage of regular, repeating revolutions (and maybe we can use this crazy Internet technology to our advantage to do so). That, to me at least (irony noted), is what is NewSchool.
But in doing so, we *have* to move beyond absolute dismissal of Information Security and Risk Management as a social science, beyond the Epistemological Anarchist who suggests that a quest for knowledge is futile.
(1) If you’ll indulge a little public navel gazing, I can see how one of my favorite models, FAIR, could be interpreted to be theory spawned from philosophical speculation. It is, after all, an almost purely deductive model, and many have expressed difficulty reconciling its approach to estimate-based measurement with their desire for precise results. I will offer this: I found FAIR to fit many aspects of Kuhn’s requirements for Theory Choice (esp. the Fruitful aspect):
1. Accurate – empirically adequate with experimentation and observation
2. Consistent – internally consistent, but also externally consistent with other theories
3. Broad Scope – a theory’s consequences should extend beyond that which it was initially designed to explain
4. Simple – the simplest explanation, principally similar to Occam’s Razor
5. Fruitful – a theory should disclose new phenomena or new relationships among phenomena