daniel_bilar

Difference between security research and security *science* research

Dec 21st, 2015
From http://cps-vo.org/node/6041

Security Science Research is work aimed at discovering new elements of Security Science and is not simply a synonym for Security Research. Security Science research may be experimental or theoretical in nature. The discovery process for Security Science may employ scientific methods, formal engineering tools and techniques, etc.; however, not all security research that uses such a process is necessarily Security Science.

Security Science SHOULD:

* Provide a scientific basis for understanding existing system security properties and developing new systems that have desired security properties.

* Permit the ability to predict complex computer and networked system behavior in the face of specified types of attack, to support quantified tradeoffs between system security properties and other desired system properties, and to design and build systems that realize specified system security requirements.

* Develop a scientific basis for the human context in which systems of interest are designed to operate, considering economic, behavioral, social, and organizational factors that influence the deployment and use of cybersecurity technologies.

* Support principled design methodologies and tools for engineering trusted components and systems.

* Establish a sound basis for composing trusted components that are capable of scaling to the size needed for modern, complex systems.

Security Science is NOT:

* The creation of a new security mechanism - unless there is some objective method for comparing it to other approaches.

* The development of a "secure" device/capability by scaling previous work.

* The creation of a new security (design) principle - unless there is some way to quantify or objectively compare its capabilities/limitations, or "prove" the need for the principle.

* Advancing work in some discipline (e.g. software science, formal methods, visualization, etc.) where the security impact is incidental to the new results - unless there is some quantifiable improvement directly linked to security.

* Developing new attack techniques - unless there is some way to use the result to create measurable improvements in overall system security.

* Developing new analytic techniques without formally describing (quantifying) the extent of their capabilities or of their limitations on system security.

* Developing or extending design languages related to security without quantifying their direct impact upon security or objectively comparing them to other approaches.

* Extending or developing a new security-related methodology (e.g. risk assessment, vulnerability analysis, statistical analysis, decision strategy, etc.) unless there is some objective technique to quantify its direct impact upon security, or compare it to other approaches.

* Developing new approaches to secure computation (e.g. distributed computing, clouds, multi-processor, privacy preserving, etc.) without objective/quantifiable methods of assessing the improvement.

* Improving or extending security-related "tools" without some method of objectively assessing their direct contribution to system security.

* Performing scientific experiments without some expectation of how the results will contribute to the development of new science directly related to security.

* Developing new "feature identification" approaches (e.g. Intrusion Detection) without some formal understanding of the specific capabilities/limitations of the technique, or a way to objectively compare it to other techniques.

* Developing techniques to "verify" some system characteristic without a quantifiable approach to determine its impact on system security.