Cyber Security as Social Experiment

Lessons from previous experiences are often overlooked when deploying security-sensitive technology in the real world. At the same time, security assessments often suffer from a lack of real-world data. This appears similar to general problems in technology assessment, where knowledge about (side-)effects of a new technology often only appears when it is too late. In this context, the paradigm of new technologies as social experiments was proposed, to achieve more conscious and gradual deployment of new technologies, without losing the ability to steer the developments or make changes in designs. In this paper, we propose to apply the paradigm of new technologies as social experiments to security-sensitive technologies. This new paradigm achieves (i) inherent attention to the ethics of deploying security-sensitive systems in the real world, and (ii) more systematic extraction of real-world security data and feedback into decision-making processes.
