Vulnerabilities as monsters: the cultural foundations of computer security (extended abstract)

This paper is part of a project to investigate the philosophical aspects of the scientific discipline of information security. This eld of research investigates the means to protect information systems against attacks, typically by modelling the system according to a certain security model, and verifying the conformance. In this contribution, we study the relation between models of information security, and cultural categories that help us to describe the world. According to Martijntje Smits, cultural categories necessarily produce phenomena that do not fit in the categorisation. From a negative perspective, these phenomena can be characterised as monsters: they have properties of two categories that were thought to be mutually exclusive, like many monsters that appear in films. Smits applies this anthropological approach to explain controversies around the introduction of new technologies in our society, such as the current debate on genetically manipulated food. We translate this framework to the scientific enterprise of information security, by explicating the analogy between Smits's monsters in society and system vulnerabilities in information security. We argue that several important security threats, such as viruses in Word documents, have been produced by phenomena that did not fit into existing cultural categories of computer science, in this case the categories of programs and data. Therefore, they were not included in security models. Based on our analysis, we describe the cultural foundations of information security research, we search for strategies for dealing with vulnerabilities-as-monsters analogous to Smits's strategies for dealing with monsters in society, and we discuss the consequences of our approach for responsibilities of computer scientists.