In academia as much as in industry and government, the application of mathematics to derive meaning is often equated with something being scientific. This means that there is a tendency to blindly translate qualitative observations into numerical – and measurable – values. Such quantitative approaches are, however, far from always relevant, and far from always produce meaningful insights. In some cases, these abstractions are empty, wrong and misleading and may, as a result, pose significant risks to the correctness of the findings.
Information security is not exempt from this critique. There is an abundance of examples within the field which rely on mathematical abstractions to reduce or, indeed, redefine qualitative meanings to fit pre-defined quantitative scales, which are then algebraically manipulated without rigorous justification, thereby also failing to acknowledge the subtly distinct discoveries and insights found in qualitative interpretations. Moreover, information security research tends to favour quantitative approaches to studying social phenomena over qualitative ones; in the process, social phenomena are often redefined as psychological phenomena, stripping them of context and their social dimensions. This is evident in, for example, usable security research, which has traditionally focused on individuals' perceptions, cognition and behaviours in order to test and model them. Finally, the mantra "humans are the weakest link" remains popular among practitioners and academics, revealing a worrying role reversal: IT systems are not conceptualised in service of those who depend on them; instead, people are integrated into these systems and surveilled to enforce compliance, while the systems' failures are blamed on the people.
This research area focuses on criticising these approaches by drawing out their inherent fallacies, studying alternative methods and pointing to the shaky social-scientific grounding of some established practices in information security.
- Martin R. Albrecht, Jorge Blasco, Rikke Bjerg Jensen, Lenka Mareková: Collective Information Security in Large-Scale Urban Protests: the Case of Hong Kong. USENIX 2021
- Martin R. Albrecht, Rikke Bjerg Jensen: The Vacuity of the Open Source Security Testing Methodology Manual. SSR 2020: 114-147 https://arxiv.org/abs/2010.06377
- Martin R. Albrecht, Rikke Bjerg Jensen: Why Quantifiable Does Not Equal Scientific: The Case of CVSS. ISG Newsletter 2019. https://royalholloway.ac.uk/media/9162/isg_18-19_artwork_screensinglepages.pdf