
When security becomes human: About science, digital ecosystems, and the pursuit of what really works.

There is a curious, almost paradoxical beauty in the world of cybersecurity. On one side stands logic, mathematics, and a scientific heritage that demands security be measurable, testable, and repeatable. On the other side is the human element: irrational, stressed, creative, impatient, curious, imperfect. It is in this collision—between science and human behaviour—that cybersecurity truly unfolds, in my view. This is where the cybersecurity expert must be.
Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

The first time I read Herley and van Oorschot's analysis of the scientific shortcomings in security research, I was struck by how well their critique matched my own field experience. And I'm not even a researcher, I should add. Herley and van Oorschot demonstrate that much of what we traditionally regard as "good security principles" is based on claims that cannot be falsified—that is, we lack the means to test them scientifically (Herley & van Oorschot, 2018). The statement "to be secure you must do X and use Y" sounds straightforward. But as Herley and van Oorschot point out, organisations rarely, if ever, know if X and Y are truly necessary, since no one can predict the future or know which techniques attackers will use tomorrow.

This perspective is crucial. The cybersecurity industry is full of rules that persist more out of tradition than evidence. A telling example is password policies. For decades, organisations clung to complexity requirements—special characters, numbers, capital letters—even though later empirical studies showed these rules didn't produce genuinely stronger passwords. Herley and van Oorschot highlight precisely this: how an entire industry crafted policies without measuring whether they achieved the intended effect (Herley & van Oorschot, 2018). Researchers like Bonneau (2012), who analysed over 70 million real passwords, showed how users tended to avoid randomness and instead created predictable patterns. The failure was not in the controls, but in human behaviour. And humans failed not because they were "ignorant," but because the rules clashed with human behaviour and cognitive limits.

This is where I believe the greatest challenge of cybersecurity lies if we are to truly build safe and secure digital ecosystems. We try to build logical systems but place them in the hands of people who do not operate logically. We write rational policy documents but implement them in organisations driven by time pressure, stress, competitive demands, and culture. It is not the technology that makes security work difficult, it is the human factor.

McLean (2018) makes an interesting point, arguing that security can indeed be scientific, provided we start from empirically testable predictions. For example, if we can measure how quickly a specific machine cracks a particular hash, we can make scientifically valid statements about cracking capability (McLean, 2018). I believe he is correct in this. Under controlled and clearly defined conditions, precise measurements are possible.

But security is rarely controlled. It plays out in complex digital ecosystems where users improvise, attackers invent new methods exploiting this improvisation, suppliers release updates, cybersecurity maturity is low, and organisations evolve faster than we change our underwear. This network of technology, culture, behaviour, psychology, and economic drivers is as far from the laboratory environment where models work as one can get.

That is why I always return to cyberpsychology and putting people first. No matter how advanced our technical solutions are, they will fail because of human behaviour unless we design for people, their realities, and their daily lives. This is repeatedly confirmed in research on security behaviours and success factors in these safe and secure digital ecosystems. People take shortcuts when cognitive loads become too high, when workflows clash with security requirements, or when technology is seen as a barrier rather than a help (Furnell & Clarke, 2012). Humans are not friction in the system, they are the system.

So how do we build digital ecosystems that are both scientifically grounded and humanly bearable? The short answer is: through measurability (evidence), a holistic approach (all-risk), and acceptance of "good enough" (proportionality).

The most robust and mature organisations I encounter are not those with the most controls, thickest policies, or most advanced security products. The most mature are those that measure behaviours, see systems as sociotechnical, accept that security will never be perfect, and therefore focus on continuity, resilience, and cultural maturity. These organisations operate almost like scientists: testing hypotheses, measuring outcomes, and adjusting course as reality changes.

This aligns perfectly with what Herley and van Oorschot call for: security must be tied to real, observable outcomes, not abstract assumptions (Herley & van Oorschot, 2018). The threat landscape changes, digital ecosystems change, user behaviours change. Therefore, security measurement methods must also evolve. It is in this process that real scientific validity arises.

For me, this is also linked to competitiveness and mission-critical resilience. A company that cannot measure how quickly it detects incidents, how often users make errors, how long recovery takes, or how effectively security measures work, is navigating in the dark. No matter how well frameworks are followed or how much is invested in technology, what isn't measured cannot be improved, and what isn't improved soon becomes a weak link.

That is why I argue that the future of security is not about perfection, but sustainable security. Sustainable technology. Sustainable behaviours. Sustainable processes. Sustainable culture. Sustainable competitiveness. Systems that are "good enough," not because we settle for mediocrity, but because we build for reality, not ideals.

Because in reality, cybersecurity is not truly a framework, norm, or standard. Nor is it a black-and-white battle between attack and defence, even though we often get caught in that reactive bubble. No, cybersecurity is a dance between people, technology, and organisations in sync and harmony. And only when we accept that can we start building digital ecosystems that truly work. Genuine safety and security as DNA.

References

Bonneau, J. (2012). The science of guessing: analysing an anonymised corpus of 70 million passwords. 2012 IEEE Symposium on Security and Privacy, 538–552.

Furnell, S., & Clarke, N. (2012). Power to the people? The evolving recognition of human aspects of security. Computers & Security, 31(8), 983–988.

Herley, C., & van Oorschot, P. C. (2018). Science of Security: Combining Theory and Measurement to Reflect the Observable. IEEE Security & Privacy, 16(1), 12–22.

McLean, J. (2018). On the Science of Security. IEEE Security & Privacy, 16(3), 6–8.
