Frankenstein’s other Monster: Toward a Philosophy of Information Security

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 4, 2012
http://sites.google.com/site/ijcsis/
ISSN 1947-5500

Frankenstein’s other Monster
Toward a Philosophy of Information Security

Paul D. Nugent
Center for Security Studies
University of Maryland University College
Adelphi, Maryland
paul.nugent@gd-ais.com

Amjad Ali
Center for Security Studies
University of Maryland University College
Adelphi, Maryland
amjad.ali@umuc.edu

Abstract—In this paper we take steps toward a philosophy of Information Security. A review of the current state of the philosophy of technology reveals a strong bias toward system capabilities and away from system vulnerabilities. By introducing a systems context to these philosophical dialogues we show that vulnerability is as fundamental to both man-made and natural systems as capability and that this creates new spaces for framing technology as well as for thinking about how humans experience these technologies. Frankenstein’s well-known monster is often invoked as a metaphor for the kinds of problems that man encounters when the technological capabilities that he creates are beyond his control. We contrast this monster with another monster, also created by man, which captures the problems arising not from technology’s capabilities, but from technology’s vulnerabilities. Frankenstein’s other monster is the set of complex networked information systems that need to be understood and protected from various environmental threats. Implications for the philosophy of technology and for the theory and practice of Information Security are discussed.

Keywords-philosophy of technology, information security, systems engineering

I. INTRODUCTION

Information Security is playing a greater and greater role in both our personal lives and in the protection of government and commercial Information Technology (IT) systems. Any Internet user is aware of the ever-present threats of malware (Trojan horses, viruses, and worms) as well as phishing schemes attempting to steal their personal information [1]. Companies that depend upon the Internet to serve their customers are frequently brought to their knees by Distributed Denial of Service (DDoS) Attacks [2]. Department of Defense (DoD) systems are designed with a “defense-in-depth” philosophy where multiple layers of security controls are used to defend against a myriad of potential threats. And even leaders in American Cybersecurity policy/technology are admitting that sophisticated attackers are so good at what they do that new security models are needed to address what they call an “advanced persistent threat” [3]. These new models concede that no matter how masterful the protection of network perimeters is, these well organized and sophisticated “bad guys” can and will find their way inside. It is no exaggeration, then, to say that if the “information age” is truly the new zeitgeist (spirit of our time), then Information Security is fundamental to this spirit.

But this zeitgeist is quite different than the spirits that have come before it. Mary Shelley’s Frankenstein is a chilling reminder that while man’s passion to create is noble as far as it goes, the “creation” may just come to have a mind of its own and use its capabilities in ways not intended by its creator. Indeed, Shelley’s story still resonates in our modern world. The reality of wars, terrorism, financial markets, and mass media show that Frankenstein’s monster is still very much alive and endangering its creator in unintended ways.

The gravity of Information Security today, however, attests to the creation of a different monster – what we are calling Frankenstein’s other monster. While the first monster is dangerous because of its capabilities, the other monster places its creator in peril because of its vulnerabilities. In late modernity few would dispute that much of our personal and collective wellbeing is bound up in complex computers, databases, and networks. We depend upon these systems for the availability, integrity, and confidentiality of many things that we greatly value [4]. The “other monster” holds our value and wellbeing and its monstrousness comes from its vulnerability and its need to be protected.

In this article we argue that there is something intrinsically unique, philosophically, about this “other” monster. In examining existing approaches to the philosophy of technology we show that in its current state technology, humans, and society are framed much like Frankenstein’s first walking, grunting, forehead-scarred monster. This is because the philosophy of technology has been preoccupied with technology solely as a capability. We will then reframe technology from a systems point-of-view because what is unique and important about the new monster and the technologies that it embodies is the degree to which its creators, its users, or its exploiters understand its complexities and its vulnerabilities.

II. PHILOSOPHY OF TECHNOLOGY: CAPTURING THE ESSENCE OF FRANKENSTEIN’S MONSTER

Despite the profound influence that Information Security has on our lives today, the philosophy of technology has, so far, completely ignored it. This is because it has been preoccupied
by the first monster (capability). Technology offers man new tools and new capabilities that can change how we define ourselves individually and as a society. For example, few would dispute that papyrus, the printing press, the typewriter and the computer have had widespread influences on how humans express themselves, share their ideas, organize themselves into groups, and establish identities.

Although there are many historical sketches of the philosophy of technology [5][6][7], a paper on phenomenological approaches to information technology [8] organizes them into three basic types. The first, “technological determinism,” treats technologies as extensions of the self. For example, the hammer wielder extends his/her capacity to build, the typist extends his/her capacity to write, and the computer user extends his/her capacity to perform routine tasks quickly. Therefore in these approaches technology is equivalent to “artifacts” or “tools” and this seems reasonable as historically the evolution of our institutions, cities, roads, transportation, commerce, education, etc. is strongly influenced by new and more powerful tools and artifacts.

Yet, according to [8] this approach ignores the reality that many technologies are socially conceived and constructed and therefore not inevitable. The struggle between Blu-Ray and HD DVD to become the standard disk format is an example of how many factors, not all of them “technical,” influence the adoption of particular technologies. Also those who study innovation show that it is not a technical process, per se, but rather is embedded in social systems where the innovator must convince others to invest in the new idea [9]. Here we see technology as an activity that is embedded in social practices and is an outcome of them (rather than the other way around).

Up until now, then, we have only addressed how technologies empower human endeavors or how social practices compete for and create emergent technological capabilities. The third approach, what [8] refers to as “phenomenological approaches” to technology, addresses the social psychology of technology. By this, we mean that these approaches do not see technology as a neutral capability, but rather as something that directly affects how humans experience their world and conceive of themselves as human beings. In what is easily the most influential piece on the philosophy of technology, The Question Concerning Technology, Martin Heidegger [5] argues that technology is far from neutral to humans and to societies because certain forms of technology influence our most fundamental and taken-for-granted attitudes toward the world. Unlike the early Greeks, who sought to achieve harmony between what they created and what they believed should simply be left to be, he believes that we moderns have been conditioned by our technologies to see everything as a well-ordered potential resource to serve our ends. He calls this attitude enframing. He laments this because he believes, consistent with the central tenets of his influential landmark Being and Time, that enframing represents an inauthentic way of relating to the world. The Greeks, he believed, were more authentic and less prone to self-destruction because, based on his analysis of their culture and language, they approached their world not as a resource at hand, but as fellow beings that possessed intrinsic value. To Heidegger, Frankenstein’s monster is modern technology’s luring mankind into this inauthentic attitude toward being.

Many have criticized Heidegger for overly romanticizing the Greeks in his attempt to highlight the dehumanizing dangers of modern technology that at his time were enabling horrific wars and weaponry [10]. Ihde respects Heidegger’s analysis for what it is, but argues that it only touches upon a limited “thousand foot” view of the phenomenology of technology and he endeavors to look more microscopically into the ways in which technology mediates experience, identity, and how the world is framed and understood [11]. For example he looks at how some technologies, such as telescopes or microscopes, modify our perceptual experiences. Rather than seeing this as value-neutral, he says that technologies like these magnify or reduce contents in the world relative to our pre-technological way of experiencing. Therefore we attend to (focus upon) different foregrounds while all else fades to the background. Technologies, like maps, can also modify the ways in which we refer to or understand our objective world.

In parallel with Ihde’s work there are sociological studies that analyze the ways in which the introduction of virtual technologies affects human experience and social structure [12][13][14]. These studies debate how Internet-based communities may differ from traditional communities and the influence this has on human subjects.

In summary, the philosophy of technology has restricted itself to phenomenological and ethical questions about how technology introduces new capabilities that alter human subjects (experiencers, builders, perceivers) and how technology alters how we define objects in our world. Unfortunately this exclusive focus on capabilities through a predominantly subject-object lens is limiting in two ways. First, technologies, if we are to view them as “means to an end,” can represent more than just capabilities. Every system that provides capabilities also possesses vulnerabilities. Second, in framing technology solely as a medium between man and world the philosophy of technology has failed to recognize the “systems” nature of modern technology. In the next two sections we will explore these areas and how they are needed to take steps toward a philosophy of Information Security.

III. CAPABILITY AND VULNERABILITY

In this section we will think about how vulnerability is intrinsic to systems and technology. Consider, for example, a maple tree. Much of its “design” is responsive to its capabilities – chlorophyll for photosynthesis, phloem and xylem for the transport of water and nutrients, and a branch/leaf structure that maximizes exposure to sunlight. But the tree is also designed to protect against vulnerabilities such as wind, extreme temperatures, and parasites. Extending this line of thought, it is difficult to think of any simple or complex system in our world that does not protect against vulnerabilities to internal or external threats in some way.

The etymology of the word “capable” reveals that this word’s origins stem from capax meaning “able to hold much” as well as from capare “to take, grasp” [15]. Therefore
capability captures the ability to hold and to grasp something in one’s environment. Capability is therefore a reaching out and grasping – a reaching out from the subject that somehow joins the subject to the previously external object. The object becomes part of the subject through the technology. Through this coupling, then, the subject is extending him/herself into an environment because as much as the object is now part of the subject, it still also exists in a world physically outside of the subject. For example, a hunter may reach out to grasp and hold his prize as “his,” but this does not mean that it cannot be taken away by another hunter or by some other hungry creature. The hunter, by virtue of grasping and holding, can be hurt/wounded in doing so, or can lose what is grasped. From the words vulnerare “to wound” and also vellere “pluck, tear,” comes the more familiar word – “vulnerable” [15].

Thus, at a fundamental level, man cannot have capability without vulnerability. To grasp and to hold is to put oneself into a situation where the part of oneself that is grasping and holding can be wounded and that which is held (valued) may be compromised or taken away. In Frankenstein’s first monster, man grasps (creates) and holds something that he can no longer control and that, in turn, grasps and holds him/her as an object. In Frankenstein’s other monster, man grasps (creates) and holds something that is so complex and so exposed to environmental threats, that he or she must create new technologies (e.g., guards and shields) to maintain the grasp.

Security in general, and Information Security in particular, can then be viewed as technological functions that man must evolve in order to keep the part of himself that is grasping from being wounded and to keep what is being held from being taken away.

IV. ONTOLOGY: TOWARD A SYSTEMS CONTEXT

Now let us turn our attention to what might make a philosophy of Information Security intrinsically different from the philosophies of technology that have hitherto dealt with capabilities rather than with vulnerabilities. As previously stated, the philosophical essence of capability technologies stems from the ways in which human beings use these technologies (enact their capabilities). In contrast, we believe that the philosophical essence of security technologies stems from how human beings understand systems and environments so that they may identify and address their vulnerabilities.

As philosophers of technology were dwelling on the anti-utopian (dystopic), or “dark side” of modern technology, so too were many sociologists. Here, instead of large-scale war and destructive weapons, these sociologists went inside mills and organizations to observe what was happening when machines were doing what was previously done by humans [16][17][18][19][20][21]. The “deskilling hypothesis” is the argument that as machines (automation in general) replace basic human abilities, human beings become alienated from their “true” nature. Yet, these researchers were so preoccupied with what was being lost that they did not bother to consider what also could be gained. It was not until much more recently that sociologists began to discover there were also potential “plus-sides” to automation. For example the sociologist Stephen Barley observed how the introduction of new imaging technologies into a physician’s office shifted the division of labor between the doctors, technicians, and clerical workers [22]. The new roles and identities were not necessarily more or less “human,” but they did show that technology represented an “opportunity for structuring,” and that in some cases this could redefine roles for the better in the context of a purposeful organization [22]. Even more to the point, ethnographers such as Shoshana Zuboff in her 1988 book In the Age of the Smart Machine, have shown that while some more direct/sensorial skills are taken away through automation, workers stationed at the computers/consoles gained a more extensive view and understanding of the overall manufacturing process [23]. Therefore technology has the capacity to also inform (“informate”) them to a broader (albeit less direct/sensorial) appreciation of the production process [23].

Thus, technology can do much more than merely affect our attitude toward the world in general (e.g., Heidegger’s enframing), be a map to refer to the basic layout of our world (e.g., Ihde), or extend our capabilities to do things [10]. Technologies may also serve to protect man from Frankenstein’s other monster. They do this by revealing this monster’s vulnerabilities so that protections may be conceived and implemented. This is an ontological move toward a systems-centric way of framing subjects and the world because it is only in this context that we can more fully appreciate the essence of security in general, and Information Security in particular.

Heidegger’s most biting critique in his essay The Question Concerning Technology addresses how we moderns tend to approach “things” or “beings” in our world as merely their categorical function as a resource. While one could counter him by saying that we moderns also have many spheres in our lives that escape this attitude (such as our appreciation of loved ones, a beautiful sunset, a mountain stream, etc.), it is more important to question his dismissal of “abstract categories” and “resources” as somehow being an inauthentic attitude toward being. We would argue, instead, that framing the world as functional elements in systems, as systems, as systems-of-systems, and as environments is not only authentic for humans, but fundamental to understanding any part of our world in a meaningful way in the first place.

Wonder is the very essence of confronting an unknown world and hungering for an understanding of it [24]. Individually and collectively, man builds these understandings through the acquisition of language. This understanding is built up from labels, typifications, categories, etc. with which we assess sameness and difference across the objects in our world [25][26]. We learn that not only do similar objects, e.g., oranges, exist in our environment, but that these objects are grown, distributed, and sold via various interlocking systems of agriculture, distribution channels, and markets. We never know in any absolute or Platonic way the ontological nature of the elements in the system nor their exact behaviors, but we do know enough about their nature and their behaviors to understand how they work together to form a coherent, consistent, predictable system [25]. We understand, for example, that by learning and enacting roles that students, teachers, and administrators form a “school system.” We
                                                              (IJCSIS) International Journal of Computer Science and Information Security,
                                                                                                                      Vol. 10, No. 4, 2012
understand that farmers, seeds, soil, irrigation, wells, sunlight,        represent the truth of being that becomes concealed from us
pesticides and harvesting equipment interact meaningfully in              when we enframe the world in inauthentic ways [5]. Yet, we
an agricultural “farm system.” It is no surprise, then, that              would argue, it is only through abstraction (language) and a
children’s books and television shows focus not just on                   systems context that truths about the natural and man-made
identifying objects, but also showing children how these                  worlds are revealed to us. Truth is the unique configurations,
elements are supposed to work together in a system - a market,            architectures, and patterned behaviors of the system. The truth
a playground, a firehouse, and around a dinner table.                     of the Da Vinci’s Mona Lisa is not in any single brushstroke or
                                                                          any single element of color but in how they are composed into
    Information Security technology cannot be adequately
                                                                          a painting. The ontological “truth” of a playground is not in
understood outside of this systems context. For example,                  any one apparatus, any child, parent, or time of day, but how
according to the Certified Information Systems Security                   these come together to form an identifiable whole. Only
Professional (CISSP) handbook, Information Assurance (IA)                 through this process can we come to understand ecosystems,
technology domains entail:                                                playgrounds, farms, and computer networks as systems in our
        •    Access control systems and methodology                       complex world. Therefore if we are to reapply Heidegger’s
                                                                          concept of aletheia as a revealing of truth, then aletheia entails
        •    Telecommunications and network security                      the extent to which we grasp the breadth and depth of systems.
        •    Security management practices                                Frankenstein’s other monster can only be understood
                                                                          ontologically as a complex open system possessing
        •    Applications and systems development security                vulnerabilities in an environment of potential threats.
        •    Cryptography
        •    Security architecture and models
                                                                                      V.    FROM ONTOLOGY TO TECHNOLOGY
        •    Operations security                                              That there are systems and that these systems may be
        •    Business continuity planning (BCP) and disaster              vulnerable in various ways certainly does not imply something
             recovery planning (DRP)                                      that should be called a monster. Yet with the proliferation and
                                                                          networking of computers within the Internet, Wide Local Area
        •    Laws, investigations, and ethics                             Networks (WLANs), Virtual Local Area Networks (VLANS),
        •    Physical security [27]                                       Local Area Networks (LANs), etc., it is clear that that man’s
                                                                          grasp for capability has produced highly complex systems that
    To understand Information Security, then, is to assume a              are not just vulnerable to a myriad of threats, but for man to
user that is accessing a complex system, assume the existence             understand what these vulnerabilities are is becoming
of systems that support communications between users, assume              increasingly challenging.
institutional practices and processes (social systems) are in
place, assume hardware systems exist that can host software,                  Today the practice of Information Security entails
and assume wider regulative and legal institutional contexts.             institutionalized processes to assess threat environments,
What is also clear simply from an inspection of these categories          identify system vulnerabilities, and mitigate these threats [4].
is that these systems are not grasped in a common way by                  For most systems exposed to the Internet environment these
humans in general, but understood differently by various                  mitigations are likely to include ways to “harden” Operating
stakeholders. Stakeholders such as the system designer, the               Systems, web browsers, web servers and network components,
system user, and the system exploiter each understand the                 encrypt data in motion, create a demilitarized zone for the
system and its environment in different ways and to different             organization’s website, locate and configure routers and
degrees.                                                                  firewalls to filter unauthorized communications, and use
                                                                          intrusion detection systems (IDSs) to monitor and control for
    How then do these stakeholders come to know the system?               known types of Internet attacks [28]. In addition host based
What role does technology play in this understanding of                   security systems (HBSSs) are commonly implemented to
complex systems? These questions, we argue, lie at the heart              monitor and record network configurations and activities and
of a philosophy of security in general and a philosophy of                support system audits. Finally, technologies are commonly
Information Security in particular. The move to a systems                 used to test to see if the system is protected against known
context represents a move away from a romantic framing of                 kinds of threats. For example network scanners such as
things as primordial or elemental “beings” whose                          Microsoft Baseline Security Analyzer, Retina, and Gold Disk
configurations or activities do not matter. It is also a move             gather information about network components and reveal what
away from the assumption that as soon as things are created               kinds of known vulnerabilities are not being protected in the
and viewed as resources, then their meaningfulness to human               system’s configuration.       In addition, technologies and
beings is forever transformed to something “inauthentic.”                 processes for penetration testing are used to perform various
Rather, in line with Wittgenstein, and the “linguistic turn” in           kinds of attacks against the system to ensure that the system is
philosophy, meaning is a function of context and the contexts             robust to them [28].
that matter in our late modern era are systems [25].
                                                                              These technologies and processes clearly reflect that man’s
   To confront Heidegger one last time, in The Question                   relationship to these systems goes far beyond the use of their
Concerning Technology he introduces the term aletheia to                  capabilities and is strongly influenced by bounded rationality



vis-à-vis the system’s vulnerabilities [29]. The complexity of these systems means that the behavior of their elements in concert with one another and the ways in which entities may use the system (e.g., file access/editing/sharing, E-mail, chat, intranet, etc.) are highly uncertain. While Information Security technologies such as firewalls, guards, and Public Key Infrastructure (PKI) tokens may impose behavioral rules within the system, it is other technologies that are used to understand what is going on in the system (e.g., IDSs, HBSSs, network scanners, penetration testers) that are unique to the Information Security realm and are fundamentally different than capability-oriented technologies.

While the monstrousness of Frankenstein’s first monster derived from its potential to wield its capabilities in ways not intended by its creator, the monstrousness of his other monster stems from the complexity and uncertainty in understanding and protecting its vulnerabilities.

VI. PHENOMENOLOGY

As presented earlier, phenomenological approaches to technology open up important discourses relating to how technologies are not just neutral means-to-ends, but also influence how man frames (enframes) the world or experiences objects in the world. In this section we will explore the implications that the ontology and technology of Information Security, as previously presented, have on phenomenology. We will first take the “thousand foot” Heideggerian view and then come closer to Earth to consider how different subjects (i.e., system designers, users, and exploiters) each experience Frankenstein’s other monster in important ways.

To Heidegger enframing is a taken-for-granted attitude toward things in our world conditioned by the treatment of them as merely resources to serve our human ends. Taken to the extreme he laments that this enframing, like Frankenstein’s monster, has come back to enframe its creator (humans) as a mere resource (“human resources”). Yet, as we have shown, if we shift from an ontology focused on primordial being and authenticity to one instead of systems, contexts, and understanding, then our “thousand foot” phenomenology also shifts. While to Heidegger to enframe is to conceal other possible ways of conceiving of the being of a thing by reducing the thing to a mere resource-at-hand, to understand a complex world system is to reveal a truth, an ontology, that was previously hidden from view. The ontology of ecosystems, trees, playgrounds, computer networks, paintings, and symphonies inheres in their nature as systems of elements interacting with one another, interacting with other systems, or interacting with their environment in patterned ways.

Consider now how many systems any individual human being in the modern world depends upon and the degree to which that human being understands those systems. While it is true that for any complex information system (IS) there is a handful of individuals (e.g., IT administrators, system architects, etc.) who are responsible for understanding the system to a level required to protect it, most who depend upon the system do not (and cannot) understand it to that level. As compared to earlier epochs, modern man can be characterized by the overwhelming number of complex systems upon which he depends and which are outside of his direct control/understanding. According to [30],

    In circumstances of uncertainty and multiple choice, the notions of trust and risk have particular application. Trust, I argue, is a crucial generic phenomenon of personality development as well as having distinctive and specific relevance to a world of disembedding mechanisms and abstract systems. In its generic manifestations, trust is directly linked to achieving an early sense of ontological security…. Modernity is a risk culture. I do not mean by this that social life is inherently more risky than it used to be; for most people in developed societies that is not the case. Rather, the concept of risk becomes fundamental to the way both lay actors and technical specialists organize the social world. Under conditions of modernity, the future is continually drawn into the present by means of the reflexive organisation of knowledge environments. (p. 3)

Therefore the fact that we moderns must trust systems that we cannot understand, and that we accept levels of risk, leads to a constant sense of insecurity. The vulnerabilities of systems from an Information Security point of view can be argued to comprise a large proportion of this trust/insecurity complex.

While trust/insecurity captures the phenomenology of the general users/dependers of these systems, it is also important to consider the more localized phenomenology of the system designers and the system exploiters. In line with Ihde, we may ask how each of these subjects experiences the world through these technologies. While it would require empirical research, it is reasonable to say that each of these subjects comes to an understanding of the system that is deeper than the general users who depend upon the system. For example, the designer, in addition to best practices for engineering and IT, must understand the system through scanners, testing, etc. to a very intimate level if the system is to be protected. Phenomenologically, then, these subjects may adopt identities and feelings in line with being a protector, guard, shielder, etc.

In contrast, a great deal of empirical research has attempted to understand the motivations of exploiters/attackers [4][28]. These motivations range from personal pride/ego, to politics, to financial gain, to corporate espionage, to national intelligence. Behind these motivations are individuals who are gaining an understanding of the system in order to identify targets of attacks, discover vulnerabilities, and exploit these vulnerabilities [31]. Therefore, phenomenologically, these subjects may experience identities and feelings more attuned to revenge, hatred, greed, and sometimes even altruism when they come to believe that through their attacks the system protectors learn more about the system’s vulnerabilities and ways to control for them.

Interestingly, technologies such as network scanners and penetration testers are used by both system designers/protectors and exploiters. These technologies reveal vulnerabilities for the purposes of protection or exploitation. In this way these technologies are like a double-edged sword and engage a battle of sorts between the protectors and the exploiters introducing



yet another phenomenological area for exploration (i.e., a war/terrorism context [32]).

VII. CONCLUSIONS

In this paper we have argued that a systems context is critical in taking steps toward a philosophy of Information Security as well as to augment an already mature philosophy of technology. Only within this context are the full ontological and phenomenological implications of Information Security systems and technologies possible. The emphasis on understanding and experiencing the world in a systems context needs to be adopted by scholars interested in studying/anticipating technology development. Without this perspective it is easy to ignore the role that technologies play in helping us to comprehend/understand systems rather than merely to enhance their capabilities. This is especially important in what we referred to as essentially a battle between those who are interested in protecting systems and those who are interested in exploiting them. Finally, this paper also encourages those researchers interested more generally in “late modernity” and the human condition to investigate to what degree the need to trust systems and accept levels of risk affects individuals’ sense of security and overall wellbeing.

REFERENCES

[1] M. Workman, “Gaining Access with Social Engineering: An Empirical Study of the Threat,” Information Security Journal: A Global Perspective, pp. 315-33, Dec. 2007.
[2] C. Beaumont, “WikiLeaks: What is a distributed denial of service attack?” 2010. Retrieved November 20, 2011 from http://www.telegraph.co.uk/news/worldnews/wikileaks/8190868/WikiLeaks-What-is-a-distributed-denial-of-service-attack.html
[3] L. Clinton, Webinar: “Cybersecurity-Can Policy Keep Up with the Pace of Technological Change?” 2011. Retrieved November 17, 2011 from http://www.umuc.edu/event-detail.cfm?customel_dataPageID_1416=132410
[4] M. Goodrich and R. Tamassia, Introduction to Computer Security (1st ed.). Boston, MA: Pearson, 2010.
[5] M. Heidegger, “The Question Concerning Technology.” In The Question Concerning Technology and Other Essays. Harper & Row Publishers, 1977.
[6] D. Ihde, Philosophy of Technology: An Introduction. New York: Paragon House Publishers, 1993.
[7] C. Mitcham, Thinking Through Technology: The Path Between Engineering and Philosophy. The University of Chicago Press, 1994.
[8] Plato.stanford.edu, “Phenomenological Approaches to Ethics and Information Technology.” Stanford Encyclopedia of Philosophy, 2011. Retrieved November 1, 2011 from: http://plato.stanford.edu/entries/ethics-it-phenomenology/
[9] A. L. Stinchcombe, Information and Organizations. University of California Press: Berkeley and Los Angeles, California, 1990.
[10] D. Ihde, Technology and the Lifeworld: From Garden to Earth. Bloomington and Indianapolis: Indiana University Press, 1990.
[11] D. Ihde, Heidegger’s Technologies: Postphenomenological Perspectives. New York: Fordham University Press, 2010.
[12] A. Borgmann, Holding On to Reality. Chicago/London: University of Chicago Press, 1999.
[13] H. L. Dreyfus, On the Internet. London: Routledge, 2001.
[14] D. Ihde, Bodies in Technology. Minneapolis: University of Minnesota Press, 2002.
[15] Etymology.com, “capable,” “vulnerable.” 2011. Retrieved December 3, 2011 from http://www.etymonline.com/
[16] K. Marx, Selected Writings in Sociology & Social Philosophy. Translated by T. B. Bottomore. McGraw-Hill: New York, 1956.
[17] M. Weber, Bureaucracy. In Classics of Organization Theory, Shafritz, J. M. & Ott, J. S. (Eds.), 3rd Ed. Brooks/Cole Publishing Co.: CA, 1973.
[18] R. Blauner, Alienation and Freedom. Chicago: University of Chicago Press, 1964.
[19] H. Braverman, Labor and Monopoly Capital. New York: Monthly Review Press, 1974.
[20] M. Burawoy, Manufacturing Consent. Chicago: The University of Chicago Press, 1979.
[21] D. Clawson, Bureaucracy and the Labor Process. New York: Monthly Review Press, 1980.
[22] S. Barley, “Technicians in the Workplace: Ethnographic Evidence for Bringing Work into Organization Studies,” Administrative Science Quarterly, 41: 1996, pp. 404-441.
[23] S. Zuboff, In the Age of the Smart Machine. Basic Books, 1988.
[24] C. Verhoeven, The Philosophy of Wonder. Macmillan, 1972.
[25] L. Wittgenstein, Philosophical Investigations. G.E.M. Anscombe and R. Rhees (Eds.), G.E.M. Anscombe (trans.), Oxford: Blackwell, 1993.
[26] J. Derrida, Speech and Phenomena. Northwestern University Press: Evanston, 1973.
[27] S. Harris, CISSP Exam Guide. Third edition. McGraw-Hill/Osborne, 2005.
[28] J. R. Vacca, Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann Publishers, 2009.
[29] H. A. Simon, Models of Bounded Rationality. Cambridge, Mass./London: MIT Press, 1982.
[30] A. Giddens, Modernity and Self-Identity. Stanford University Press, Stanford California, 1991.
[31] P. Okeny and T. Owens, “On the Anatomy of Human Hacking,” Information Security Journal: A Global Perspective. Dec. 2007. pp. 315-331.
[32] A. J. Mitchell, “Heidegger and Terrorism,” Research in Phenomenology, 35, 2005.

AUTHORS PROFILE

Paul Nugent is a practicing Information Assurance engineer at General Dynamics Advanced Information Systems. He holds a master’s degree in electrical and computer engineering from the University of Massachusetts, Amherst, and a Ph.D. in organization studies from the State University of New York at Albany. His research has centered on the formation of trust amongst engineers enabled by work activities as well as the impacts of new systems engineering practices. He is currently a post-doctoral fellow at the Center for Security Studies at the University of Maryland University College.

Amjad Ali is the Director of the Center for Security Studies and a Professor of Cybersecurity at University of Maryland University College. He played a significant role in the design and launch of UMUC’s global Cybersecurity programs. He teaches graduate level courses in the area of Cybersecurity. He has served as a panelist and a presenter in major conferences and seminars on the topics of Cybersecurity. In addition, he has published several articles in the area of Cybersecurity.





				