Anton Chuvakin is not necessarily known for his subtle comments. One of his longer-standing objections is that academic research should address real problems and address things that really matter. Like Anton, I also have a background in academia (PhD in information systems), and I cannot help but agree with him.

After having lived and worked "in the real world" for a number of years, I cannot help but conclude that most information security research is not science. Instead, it should be viewed as engineering.

Engineering uses models of reality to design complex products that can be built. When an engineer is done with his job, he has produced a design and delivered a plan that can be used to build a real "thing". Designing a product requires a thorough understanding of the problem domain, and an even better understanding of the techniques that can be used to build it.

Most security engineers I run into are great at configuring existing software, but lack real understanding of the domain in which their products are deployed and of the purpose for which they are used. Most do not even care.

The first element of my definition of engineering is the use of models of reality. A model is a simplified representation of a problem domain expressed in some form of formal notation. Using modeling techniques to figure out what we secure, where we need to secure it, and what the best way to do so is, is something that we really are not able to do yet. That would be a good research topic, and definitely something that I would be interested in.

Engineering is about creating new things; the traditional scientific method is meant for explaining phenomena. It is time to acknowledge something that most of us already know: information security is an engineering trade, not a scientific process.