Why IT Security Is Fucked Up
1 like1,042 views
This document discusses why IT security is problematic and what can be done to address its issues. It argues that IT security needs to be expanded to information security and take a more interdisciplinary approach, drawing from fields like psychology, sociology, education and political science. Currently, IT security focuses too much on technical issues and not enough on human and social factors. The document calls for establishing information security as its own scientific field backed by various disciplines to help professionalize the field beyond just discussing technical vulnerabilities. This new approach would aim to better understand security from different perspectives and help address issues at political, organizational and societal levels.
Why IT Security Is Fucked Up
- 1. Why IT Security is fucked up ... ... and what we can do about it Stefan Schumacher www.sicherheitsforschung-magdeburg.de Positive Hack Days 2015 Moscow, Russia 2015-05-26 $ Id: ItSec-Input.tex,v 1.4 2014/11/20 16:22:14 stefan Exp $ Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 1 / 29
- 2. ToC 1 Intro 2 Social Science 3 Psychology 4 What to do? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 2 / 29
- 3. ToC 1 Intro 2 Social Science 3 Psychology 4 What to do? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 3 / 29
- 4. About me Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 4 / 29
- 5. About me Head of the Magdeburg Institute for Security Research Editor of the Magdeburg Journal of Security Research Freelance Security Consultant Hacker for 20 years, ex-NetBSD developer Educational Science and Psychology Research on Social Engineering, Security Awareness, Organizational Security psychological profiling for social engineering my PoV is more a psychological PoV Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 5 / 29
- 6. Psychology of Security Fundamental Research about the Perception of Security Fundamental Research about Personality/Attitudes and Security Organizational Development and Security Cultural Differences Didactics (Teaching Methodology) of Security What to teach? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 6 / 29
- 7. ToC 1 Intro 2 Social Science 3 Psychology 4 What to do? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 7 / 29
- 8. Security in a Post NSA age? Talk at AusCERT (Australia) 2014 Can there be »security« in a Post NSA age? Are the 5 eyes an almighty adversary? Panopticon Panspectron If so, why and how? If not, shouldn’t we just surrender? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 8 / 29
- 9. Security in a Post NSA age? Of course there can and will be security post NSA. Let’s discuss some problems and ideas. And have a holistic view (read: not just technical) use sociological system theory and 2nd order cybernetics use psychology to discuss human behaviour and experience reflect on the foundation of science and how useful are the methods we use? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 9 / 29
- 10. Definition (Outrage as a Svc @OaaSvc) Science is awesome. You aren’t doing science in infosec. Why not? Seems to be the overriding message of @0xKaishakunin #AusCERT2014 Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 10 / 29
- 11. Stand Back! Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 11 / 29
- 12. Consequences for us? What do the Snowden Leaks mean for us as security researchers? Let’s assume there is an adversary with almost unlimited resources. How do we have to change how security works? What research has to be done? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 12 / 29
- 13. 2nd Order Cybernetics break the circlejerk Cybernetics: transdisciplinary approach for exploring regulatory systems, their structures, constraints, and possibilities. Anything said, is said by an observer (Maturana/Varela) add the observer to the regulatory system: 2nd order cybernetics An observer acting in his field: 1st order cybernetics An observer discussing how he constructs his perception of the field he works in: 2nd order cybernetics (What the hell are we doing here?) Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 13 / 29
- 14. Trust Trust is one of the buzzwords here needs to be defined or explicated and operationalized (make it measurable) Niklas Luhmann explicated Trust in his 1968 Book Vertrauen as a »mechanism to reduce social complexity« social complexity is reduced with functional specialised subsystems Lawyers a experts for Laws, Hackers for IT-Sec, Physicians for Medicine etc. pp. Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 14 / 29
- 15. Consequences IT Security needs to professionalize beyond technical problems discussing the 31337th Buffer Overflow of the week won’t fix fundamental problems human factors have to be analysed extend IT Security to Information Security create a new scientific field of Information Security include Psychology, Sociology, Educational Science, Didactics and others operationalize Information Security to make it measurable create a new vocational field of Information Security backed by science Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 15 / 29
- 16. ToC 1 Intro 2 Social Science 3 Psychology 4 What to do? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 16 / 29
- 17. Why Psychology? empirical and theoretical science describes, explains and predicts human behaviour and experiences human development and the internal and external causes and conditions Differential and Personality P., Social P., Industrial P., Organisational P., Pedagogical P. Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 17 / 29
- 18. What is security? Germany, Informatics VIVA-Kriterien confidentiality integrity availability authenticity Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 18 / 29
- 19. Paradigm Shift see Thomas S. Kuhn The Structure of Scientific Revolution Paradigm: a distinct concept or thought patterns and basic assumptions Paradigm Shift: change of these assumption let’s change it Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 19 / 29
- 20. Psychology and IT-Security? My Operationalisation of InfoSec Security is a latent social construct. Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 20 / 29
- 21. Security and Psychology Security is concluded by making Decisions Individuals make decisions based on their Biography, the Situation and how they perceive their Environment see: von Foerster, Luhmann, Spencer Brown, Baecker et.al. Psychology is the Science which researches these Topics. Therefore, Psychology is required to research Security. Psychology is the only Science able to research the basic fundamentals of Security. Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 21 / 29
- 22. Washing your Hands two maternity clinics in Vienna, the 1st with MDs the second with midwifes only more pregnant Women died in the 1st one pregnant women would rather give birth in the streets than be sent to the 1st clinic Ignaz Semmelweis discovered that Physicians transmit pathogenic agents (cadaverous poisoning) He proposed that Physicians should wash their Hands the death rate dropped 90% His Idea was rejected and he was considered to be crazy psychiatrised by force in Vienna Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 22 / 29
- 23. Washing your Hands two maternity clinics in Vienna, the 1st with MDs the second with midwifes only more pregnant Women died in the 1st one pregnant women would rather give birth in the streets than be sent to the 1st clinic Ignaz Semmelweis discovered that Physicians transmit pathogenic agents (cadaverous poisoning) He proposed that Physicians should wash their Hands the death rate dropped 90% His Idea was rejected and he was considered to be crazy psychiatrised by force in Vienna This can only be explained by Psychology Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 22 / 29
- 24. Washing your Hands two maternity clinics in Vienna, the 1st with MDs the second with midwifes only more pregnant Women died in the 1st one pregnant women would rather give birth in the streets than be sent to the 1st clinic Ignaz Semmelweis discovered that Physicians transmit pathogenic agents (cadaverous poisoning) He proposed that Physicians should wash their Hands the death rate dropped 90% His Idea was rejected and he was considered to be crazy psychiatrised by force in Vienna This can only be explained by Psychology Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 22 / 29
- 25. 1996: Ariane 5 Flight 501 320 000 000 Euro Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 23 / 29
- 26. ToC 1 Intro 2 Social Science 3 Psychology 4 What to do? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 24 / 29
- 27. Societal Problems digital divide economy and IT checks and balances? How do politicians decide about things they don’t understand? (Max Weber again ...) and scientists? Why and How did Rijndael become AES? NSA? NIST? Illuminati? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 25 / 29
- 28. Societal Problems digital divide economy and IT checks and balances? How do politicians decide about things they don’t understand? (Max Weber again ...) and scientists? Why and How did Rijndael become AES? NSA? NIST? Illuminati? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 25 / 29
- 29. Political Problems Cyber-War? Cyber-Terror? discussed by political scientists – who often don’t understand technology discussed by IT sec – who often don’t understand social implications discussed by the military – who often don’t understand anything discussed by legal experts – who often don’t understand technology and social implications How to discuss Anonymous? Hacktivism? Neutral? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 26 / 29
- 30. Political Problems Cyber-War? Cyber-Terror? discussed by political scientists – who often don’t understand technology discussed by IT sec – who often don’t understand social implications discussed by the military – who often don’t understand anything discussed by legal experts – who often don’t understand technology and social implications How to discuss Anonymous? Hacktivism? Neutral? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 26 / 29
- 31. Reflection The information technology of society? The hackers of society? The intelligence services of society? Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 27 / 29
- 32. Conclusion IT-Security needs it’s own research field: security research with it’s own foundation, methods and tools rooted in: Maths as formal science CS/EE as engineering science Sociology, Political Science as social science Jurisprudence as normative science Philosophy as mother of all sciences Psychology as hub science Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 28 / 29
- 33. Information Security Pedagogy Curriculum Universities Vociational Schools Schools Didactics Whom to teach? What to teach? How to teach? Training JurisprudenceNorms Philosophy Philosophy of Science Political Science Policies Governance Normative Processes Sociology Systems of Society Organisational Sociology Industrial Sociology Psychology Personality Traits and Security Research Methods Perceptions of Security Human Factors Maths Formal Science Electrical Engineering Computer Science
- 34. sicherheitsforschung-magdeburg.de stefan.schumacher@sicherheitsforschung-magdeburg.de sicherheitsforschung-magdeburg.de/publikationen/ journal.html youtube.de/ Sicherheitsforschung Twitter: 0xKaishakunin Xing: Stefan Schumacher GnuPG: 9475 1687 4218 026F 6ACF 89EE 8B63 6058 D015 B8EF Stefan Schumacher Why IT Security is fucked up ... Positive Hack Days 2015 29 / 29