Shostack + Friends Blog Archive


Everybody Should Be Doing Something about InfoSec Research

Previously, Russell wrote “Everybody complains about lack of information security research, but nobody does anything about it.”

In that post, he argues for a model where

Ideally, this program should be “idea capitalists”, knowing some people and ideas won’t pay off but others will be huge winners. One thing for sure — we shouldn’t focus this program only on people who have been “officially” anointed by some hierarchy, some certification program, or by credentials alone.

I agree that a focus on those anointed won’t help, but that doesn’t mean it’s easy to set up such an institution.

The trouble with the approach is that we have such institutions (*ARPA, venture capital) and they’ve all failed for institutional reasons. However high their aspirations, such organizations over time get flak from their funders over their failures and their bizarre and newsworthy ideas, and the organizations become conservative. They trend towards “proven entrepreneurs” and incrementalism. The “Pioneer Fellows” idea does not overcome this structural issue. (There is an argument that the MacArthur genius grants overcome it. I’m not aware of any research into the relative importance of work done before and after such grants, but I have my suspicions, prejudices and best practices.)

Of course, I might be wrong. If you have a spare million bucks, please set this up, and we can see how it goes. An experiment, if you will.

Experiments are a big part of why Andrew and I focused on free availability of data. With data, those with ideas can test them. There will be a scrum of entrepreneurial types analyzing the data. Fascinating stuff will emerge from that chaos. With evidence, they will go to the extant ‘big return’ organizations and get funding. Or they’ll work for big companies and shift product directions.

That is, the issue in infosec is not a lack of interesting ideas, it’s the trouble in testing them without data. We need data to test ideas and figure out how they impact outcomes.

8 comments on "Everybody Should Be Doing Something about InfoSec Research"

  • Chris says:

    I have an idea about how to solve this, but I haven’t been offered enough money to reveal it :^)

  • Rob Lewis says:

    As long as those experiments and data gathering/analysis start with the status quo, the best that will likely be achieved are incremental improvements along the first curve.

    Think about technologies that have jumped the curve. Icebox to refrigerator, lantern to electric light bulb, vacuum tubes to transistors to integrated circuits… was it necessary to measure in order to prove improvement? They were intuitively, visibly, conceptually better… by such a huge margin that one did not have to measure. Perhaps as long as the industry is busy measuring, it is still on the first curve, but maybe measuring itself out of the chaos is the only option for infosec at the moment.

    So yes, everyone should be thinking about infosec research, but infosec needs research to move it to the second curve. The question I will respectfully ask you again, Adam, is: wouldn’t this be a better goal for a “New School”, and who on the first curve has the vision and capability to think out of the box? To top it off, you have just posted the case that institutional inertia is an additional barrier to success.

    • Thanks for helping me maximize shareholder value through your stakeholder contribution! The dialog and learnings are invaluable!

    • Adam says:

      You keep asking the same question, and to be perfectly frank, I have yet to understand what you mean. I don’t understand why you think jargon about “first curve” and “second curve” makes your question more clear. I don’t understand what box you think I’m thinking in.

      If you keep asking the same question and not getting an answer, maybe you should ask different questions.

  • Rob Lewis says:

    Those are very generic terms which are not even industry specific, Adam; they were used by Guy Kawasaki in his Art of Innovation talk. They are simple, make sense and have implications for this discussion.

    As an observer of infosec who was quite free of the “blinders” that members of the herd were issued, I think I was able to gain a different perspective.

    To use the simplest example I can think of, a dyke analogy, there is lots of research to determine how to use fingers and toes more efficiently to plug holes when they appear and even how to better predict where the leaks are going to appear along the series of dykes so they can be plugged “faster”, but from where I sit, NO ONE IS FIXING the dykes so they no longer spring leaks. The industry sits there saying we are getting better and faster at plugging leaks.

    Everyone has read Ranum’s 6 Dumbest Mistakes in infosec essay. Based on it, with the exception of application whitelisting, what research based on the current broken security model amounts to anything more than flogging a dead horse? My comments are to present the possibility that there is also a psychological barrier that the industry might have to overcome in order to find, or accept, real innovation.

    • Russell says:

      Rob — I suspect that we actually agree with one of your main points, even though we are using different language. Rather than debate language, let’s focus on the main issue:

      What kind of research is going to make a big improvement in information security? (Specifically, to solve the “hard problems” detailed in the reports.)

      If you haven’t already, I suggest that you read the reports I referenced. They are very well written (most of them) and cover the problems and possible solution approaches quite well. Using your words, the common theme is “how to jump the curve”.

      If you only read one, I recommend “Toward a Safer and More Secure Cyberspace”.

      As a side note, I think you are misunderstanding the New School book and the New School approach. “New School” is a way of thinking and making decisions based on evidence and scientific thinking, in contrast to the “old school” of folk wisdom, so-called best practices, unsubstantiated vendor claims, unrealizable academic claims, etc. Generally speaking, New School can apply to any sort of improvement — incremental or radical. However, (I think) everyone associated with this blog believes that InfoSec needs a radical makeover, and that *one* of the keys to getting to that goal is via scientific thinking and methods. Some of us (Alex and me) believe that we even need breakthroughs in our analysis and reasoning methods before we can achieve breakthroughs in InfoSec decision-making, design, economics, etc.

      Where we differ with you, I think, is your view that the “new curve” solutions will just be obviously better and thus everyone will adopt them without resistance, that measurement or evaluation will not be necessary because the benefits will be so obvious to all. As you said above:

      “…was it necessary to measure in order to prove improvement? They were intuitively, visibly, conceptually better…”

      Without going into a long essay about disruptive innovation in technologies and industries, I’ll just say that most people I respect believe that any such disruptive innovations will not sweep aside the existing solutions and investments solely because they are “intuitively, visibly, conceptually better”. Discovering, designing, and proving the breakthrough solutions will require scientific methods and evidence-based reasoning. Getting organizations and governments to spend money to implement them will require justification based on evidence, and also incentives tied to benefits and results.

      The reason is because of the high switching costs and also the fact that information security is not about technology alone, but it’s enmeshed with economics, organization dynamics, sociology, law, and politics, and also related domains such as privacy, digital rights, and information protection.

      In sum, we agree with you that “jumping the curve” is necessary. We disagree that measurement and evidence-based decision-making are irrelevant or a distraction. We think it’s essential.

  • Rob Lewis says:

    Hi Russell,

    Thanks for the thoughtful response. I do understand the New School approach; I commended the authors for it in my review. In fact, I don’t think that I found anything unfavourable about it except that it did not have enough of the radical. I have my reasons for it, and I would not mind taking it offline to discuss with you. I just don’t have faith that anything will result from efforts that will propagate the big evolutionary jump going that path.

    I would like to tell you about our “Leap Year” experience as an example, and ask you how it would relate to your Pioneer research proposal.

    I have looked at many of the references that you listed, except for the one you most recommended for some reason, and I just read the summary pdf. It’s good, but APT has provided the lack-of-urgency component identified in it.

    If you are up for a discussion about this, please ping me.

  • “The reason is because of the high switching costs and also the fact that information security is not about technology alone, but it’s enmeshed with economics, organization dynamics, sociology, law, and politics, and also related domains such as privacy, digital rights, and information protection”.

    In my opinion this hits the nail on the head. Information Security research has traditionally focused on the technological issues, which is only part of the problem; however, there are academic researchers including Robert Willison, Mikko Siponen and James Backhouse who are focusing on the human part of the equation. They are drawing on Psychology and Criminology research to understand the human element in computer abuse and crime. I believe that this is currently some of the most important research being performed and published on Information Security.
