The scientificity of cybersecurity studies is yet to be demonstrated in the humanities and social sciences. Among the plethora of cybersecurity research, few studies are devoted to the methodological and scientific problems of this emerging knowledge. Indeed, from an epistemological point of view, cybersecurity studies require a methodological critique to improve their scientificity and credibility in relation to computer science and engineering. In this chapter, research methods, access to data and the contributions of the human and social sciences to cybersecurity studies are assessed. The objective of this chapter is to lay the epistemological foundations for an operationalizable definition of cybersecurity for the human and social sciences.
1.1. Introduction
How can human and social sciences (HSS) studies in cybersecurity claim to be scientific? Several answers to this question come to mind, and based on these, it is necessary to clarify the debate through an epistemological approach to the contribution of HSS to cybersecurity studies, particularly in terms of methodology, all within the framework of the empiricalâanalytical paradigm and post-positivism, both of which are currently dominant in science.
Indeed, according to the principles of the scientific method advocated by these paradigms, it is the method used that distinguishes science from non-science [NĂR 08]. In order to make this distinction, the use of epistemology is unavoidable. The critical study of science enlightens us about the value and significance of science and its results. So, what is the scientific value of human and social sciences studies in cybersecurity?
It could be argued that the HSS perspective on cybersecurity is peripheral, if not unimportant, to the issues raised by this field. Risks and threats from cyberspace directly affect national security and public safety through the deep penetration of computer networks into societies and their reliance thereon. The first reflex of societies is therefore to militarize and securitize1 these issues, and this is what the vast majority of states throughout the world has done.
It could also be argued that HSS research results are very abstract and ideal compared to the results of computer science and engineering that propose concrete software or hardware âsolutionsâ to cybersecurity issues. The contribution of HSS to cybersecurity would therefore be marginal since it would not be immediately applicable to urgent technical or technological problems. What HSS produces in cybersecurity would mobilize too many resources (social awareness, political will, legislative changes, mental representations, etc.) to be qualified as useful. Overall, the contribution of HSS to cybersecurity studies would contribute little to knowledge and its real-world application. In other words, the explanatory and practical scope of the research produced in cybersecurity by HSS would be weak.
Moreover, in the cyber field in general, while Saleh and Hachour praise the merits of a multidisciplinary opening towards cyber-issues in HSS [SAL 12], Bourdeloie invites the community of HSS researchers to a vast epistemological effort for the positioning and constructive criticism of cyber-issues [BOU 14]. There is therefore a need for epistemological reflection on the place of HSS in cybersecurity studies. Once this need is recognized, contemporary epistemology teaches us that the social and human sciences alternate between two references for scientificity, an external one in the natural sciences and an internal one for HSS [BER 12]. Cybersecurity studies are an exemplary example of the tension between these two references, which is revealed in the methodological preferences of researchers. For some, the causality of cyber phenomena can be demonstrated and explained, which is an external reference for scientificity where the possibility of issuing general laws is attainable (positivist approach). Whereas for others, social actors and their behavior are more relevant scientifically, which is an internal reference for scientificity within the HSS, and they must be understood in all their subjectivities (constructivist approach and the related heterogeneity). The debate is not closed and can be seen in cybersecurity studies.
This rapid diagnosis may seem to show a lack of scientificity in HSS studies on cybersecurity, as epistemological issues are poorly addressed in the face of the immediate need for results on issues. A large part of the problem stems from the inability of HSS in cybersecurity studies to reach a level of internal scientificity sufficient to be considered scientific by the computer and engineering sciences, and therefore, by implication, socially credible to the research community that has developed a body of knowledge based on the reference of scientificity used by the natural sciences.
In short, there is a lack of reflection on the epistemology of the HSS in relation to cybersecurity. Yet many research studies and research methods exist and are published under the name of science without any real epistemological contribution. Yet again, there is an astonishing similarity between cybersecurity and the phenomena analyzed by HSS. The nature of cybersecurity and cyber objects, like the vast majority of the objects of HSS, is characterized by hybridity, multi-causality, ephemerality, interpretative ambiguity, etc. Taking these common characteristics into account, we can therefore ask whether it is possible and even desirable to move from cybersecurity studies (essentially descriptive and empirical studies) to a science of cybersecurity (nomothetic and more theoretical studies) in which the HSS would be fully considered as contributors of research results meeting the principles of the scientific method? If this is not the case, then what is lacking in HSS to achieve a sufficient level of consideration both scientifically and socially?
This chapter will address this issue in three parts. The first will address the central question of the methodology used in the HSS to analyze the cybersecurity object. The second part will cover the thorny issue of the data available to the HSS for analyzing cybersecurity. The third part will present a proposed definition of cybersecurity that can be operationalized for and by the HSS in order to clarify the nature of the subject matter dealt with by the HSS. The real purpose of this chapter, beyond epistemological debates, is to reflect on the ideal framework within which cybersecurity studies in the HSS could reach the highest levels of scientificity, according to the rules of the art.
1.2. A method?
The humanities and social sciences are characterized by the diversity of methodological approaches they use for their analyses. The diversity of these methods corresponds to a necessity: that of the diversity and fragmentation of their object of research. For the social sciences, this object comes down to the social relationships that humans have with each other. For the social sciences together with humanities, the scope of their analyses is even broader and represents everything that has to do with human beings. These sciences are also characterized by their disciplinary porosity within their own sciences, where interdisciplinarity (or multidisciplinarity) is the key to the validation of knowledge. The political phenomenon can be explained through the many sub-disciplines of political science, to take just one example. The same is true for all disciplines in the social sciences. The humanities are subject to the same interdisciplinarity. This porosity is also increasingly apparent at the fringes of the HSS. The human causes or consequences of biological, physical and technological phenomena are becoming central in the natural, computer and life sciences. We need to only think of studies on global warming and its anthropogenic causes or of public health to be convinced of this. In short, in the HSS, there is not a precise core of well-circumscribed phenomena that would mobilize a community of researchers towards a growing accumulation of valid knowledge.
HSS have arrived at this diversity through epistemological reflections that have, throughout the 20th and 21st Centuries, highlighted the ontological differences of HSS in relation to other sciences. This has resulted in the development of a whole series of ethical, theoretical, methodological and etiological reflections on the objects of HSS. These are thus non-reproducible in time (we speak of the uniqueness of the object), which prevents the strict application of the experimental method. They are also very limited in terms of predictability, and, to overcome this limitation, HSS research turns to comparative analysis and ex post research. They also correctly develop new criteria of scientificity that form a common epistemic space, according to Berthelot, and define them as a science in their own right [BER 12]. In other words, in HSS, a diversity of theories, methods and paradigms coexist within the same field of knowledge (human and social), to the benefit of the validity of the knowledge produced by disciplines, research programs and communities of researchers.
Without entering too much into this epistemological debate, and beyond the discussion on the very notion of criteria, the issues in HSS concerning the criteria of scientific validity can be summarized in the relevance of transposing criteria from the natural sciences to the social sciences (external reference) and especially how to adjust them to make them consistent with the specific nature of HSS (internal reference) [KEM 12]. For Proulx, generativity, i.e. the
allows the debate to be decided. The generativity of research does not imply evaluating the value of research only on the basis of fixed, pre-existing and independent criteria. Instead, generativity proposes assessing...