Speculations on the science of web user security

1389-1286/$ see front matter 2012 Published b http://dx.doi.org/10.1016/j.comnet.2012.10.010 ⇑ Tel.: +1 210 458 6081. E-mail address: [email protected] There appears to be consensus among seasoned cyber security researchers that there is substantial disconnect between the research community’s priorities and the real world— notwithstanding numerous intellectual advances in the theory and practice of cyber security over the past four decades. This is in part manifested by recent recurring calls for dramatic shifts in cyber security research paradigms, including so called gamechanging approaches that go beyond the typical computer science and engineering perspectives. This article focusses on a specially important piece of cyber security called web user security where the prime concern is security for the ordinary consumer of web application services. The proliferation of web services and their enthusiastic reception by the ordinary citizen attests to the tremendous practical success of these technologies. As such it is prima facie evident that the current web is ‘‘secure enough’’ for mass adoption. Now, one certain prediction about the web is that it will continue to evolve rapidly. This article gives the author’s personal perspective on what web user security science might be developed to address the need to be ‘‘secure enough’’ in light of continued evolution. To this end the article begins by considering what happened in evolution of the web in the past and how much of it, if any, was guided by ‘‘science.’’ The article identifies some security principles that can be abstracted from this short but eventful history. The article then speculates on what directions the science of web user security should take. 2012 Published by Elsevier B.V.