Clear Reasoning about Security

A special issue of Sensors (ISSN 1424-8220). This special issue belongs to the section "Communications".

Deadline for manuscript submissions: closed (20 May 2023) | Viewed by 3164

Special Issue Editor

School of Mathematics, Physics and Computing, University of Southern Queensland, Toowoomba, QLD 4350, Australia
Interests: performance evaluation; cybersecurity; network design

Special Issue Information

Dear Colleagues,

In a healthy work environment, an important component of professional practice is rational discussion, in which reasoning is used to find, justify, and explain decisions. In cybersecurity, at present, reasoning is not generally clear, and consequently such a healthy environment of discussion, explanation, and consistent improvement is not widespread.

In pure mathematics, reasoning is closely aligned with the concept of proof. It is generally accepted that a pure mathematical paper or text can, in principle, be entirely constructed from definitions and theorems. The books nominally authored by N. Bourbaki (N. Bourbaki is actually an alias for a group of mathematicians) are the best example of this style. In principle, a text in this form can be re-expressed formally in the predicate calculus, also known as formal logic, or first order logic, and a relatively simple, fast algorithm can then be used to check all of the proofs. The process of completing this translation is tedious and rarely completed, but logicians understand, in principle, how to translate the semi-formal mathematical style to formal logic.

In applied mathematics, computer science, and other sciences, reasoning based on the use of mathematical notation and proof is also used, but the concept of proof is only supported informally, by being expressed in a manner similar to formal mathematics, rather than any translation into logic being contemplated. It is not agreed whether or not first-order logic is the right way to formalise proof in fields other than mathematics. It has been proposed, for example, that modal logic is more suitable for security; however, modal logic is really a family of logics, and the precise choice of modal operators and the axioms which support their use is currently a topic of research.

Surprisingly, therefore, although the term proof is frequently used in engineering, computer science, physics, and other sciences, strictly speaking the concept of proof is not clear, except in pure mathematics. Leaving aside whether reasoning is reducible to proof, if it is not clear what constitutes proof in computer science, it is also not clear what we mean by reasoning.

The fact that reasoning in computer science, or in security to be more specific, is unclear is not merely an academic problem. On a daily basis, in countless workplaces where security must be maintained, cybersecurity professionals must make decisions, adopt practices, install and configure security systems, and explain to their colleagues why they have made these decisions. In many cases, the explanations are not available, and in practice, the real reasons behind the decisions are based on authority, trust, convention, and intuition.

The fact that humans in general, and professionals in particular, base their professional practice on social networks of authority and trust should be expected. No one individual can be expected to have mastered all the knowledge and skills required to maintain the complex systems on which our society is based. Nevertheless, these networks of trust constitute a weakness which makes us vulnerable to attack and exploitation.

The common-sense interpretation of this situation is that cybersecurity is too hard to be able to fully reason about, and so our dependence on trust and authority is understandable and should be excused. However, the purpose of the scientific process is precisely to reduce our dependence on informal, and sometimes invalid, reasoning, and to replace it, wherever possible, by reasoning which is more clear and objectively justifiable. In addition, the networks of authority regarding cybersecurity are subject to self-interested influence and intimidation, authority based on power or other types of social leverage rather than objective expertise. These ineffective social strategies for managing cybersecurity inevitably fill the gap created by the absence of a rigorous, rational understanding of cybersecurity.

So, although it is unrealistic and perhaps even unhealthy not to use networks of trusted authorities as a guide for good practice in security, we should continue to improve our understanding of what constitutes sound reasoning in cybersecurity, so that these networks can be rendered safer and more reliable.

It is an undeniable fact that vague, unsatisfactory and unreliable reasoning about cybersecurity is a frequent occurrence in our workplaces at present. We have all experienced imposition of arbitrary constraints on our use of ICT systems, supposedly justified by “security”. At the same time, the discovery and use of previously undiscovered methods of attack continue to accumulate in our history of cybersecurity failures. The expected protections of the legitimate rights to privacy and security by clients of popular Internet services are regularly revealed to be missing or flawed.

In this Special Issue, we seek studies which contribute to our understanding of what constitutes valid, clear reasoning, including examples of good or bad practice, explanations of what is possible or not possible, the contribution and role, or limitations, of formal methods, and in general any contribution which can assist the academic and professional community to reason more clearly about cybersecurity.

Dr. Ron Addie
Guest Editor

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to this website. Once you are registered, click here to go to the submission form. Manuscripts can be submitted until the deadline. All submissions that pass pre-check are peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 100 words) can be sent to the Editorial Office for announcement on this website.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-blind peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Sensors is an international peer-reviewed open access semimonthly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 2600 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.

Published Papers (2 papers)

Research

23 pages, 7840 KiB  
Article
A Smart Image Encryption Technology via Applying Personal Information and Speaker-Verification System
by Shih-Yu Li, Chun-Hung Lee and Lap-Mou Tam
Sensors 2023, 23(13), 5906; https://doi.org/10.3390/s23135906 - 26 Jun 2023
Cited by 1 | Viewed by 949
Abstract
In this paper, a framework for authorization and personal image protection that applies user accounts, passwords, and personal I-vectors as the keys for ciphering the image content was developed and connected. There were two main systems in this framework. The first involved a speaker verification system, wherein the user entered their account information and password to log into the system and provided a short voice sample for identification, and then the algorithm transferred the user’s voice (biometric) features, along with their account and password details, to a second image encryption system. For the image encryption process, the account name and password presented by the user were applied to produce the initial conditions for hyper-chaotic systems to generate private keys for image-shuffling and ciphering. In the final stage, the biometric features were also applied to protect the content of the image, so the encryption technology would be more robust. The final results of the encryption system were acceptable, as a lower correlation was obtained in the cipher images. The voice database we applied was the Pitch Tracking Database from the Graz University of Technology (PTDB-TUG), which provided the microphone and laryngoscope signals of 20 native English speakers. For image processing, four standard testing images from the University of Southern California–Signal and Image Processing Institute (USC-SIPI), including Lena, F-16, Mandrill, and Peppers, were presented to further demonstrate the effectiveness and efficiency of the smart image encryption algorithm.
(This article belongs to the Special Issue Clear Reasoning about Security)

15 pages, 3065 KiB  
Article
Use of Machine Learning in Interactive Cybersecurity and Network Education
by Neil Loftus and Husnu S. Narman
Sensors 2023, 23(6), 2977; https://doi.org/10.3390/s23062977 - 9 Mar 2023
Cited by 1 | Viewed by 1895
Abstract
Cybersecurity is a complex subject for students to pursue. Hands-on online learning through labs and simulations can help students become more familiar with the subject at security classes to pursue cybersecurity education. There are several online tools and simulation platforms for cybersecurity education. However, those platforms need more constructive feedback mechanisms, and customizable hands-on exercises for users, or they oversimplify or misrepresent the content. In this paper, we aim to develop a platform for cybersecurity education that can be used either with a user interface or command line and provide auto constructive feedback for command line practices. Moreover, the platform currently has nine levels to practice for different subjects of networking and cybersecurity and a customizable level to create a customized network structure to test. The difficulty of objectives increases at each level. Moreover, an automatic feedback mechanism is developed by using a machine learning model to warn users about their typographical errors while using the command line to practice. A trial was performed with students completing a survey before and after using the application to test the effects of auto-feedback on users’ understanding of the subjects and engagement with the application. The machine learning-based version of the application has a net increase in the user ratings of almost every survey field, such as user-friendliness and overall experience.
(This article belongs to the Special Issue Clear Reasoning about Security)