Security research is attack biased
December 9, 2013  

Surprisingly, while there’s been interest in the security implications of wearable devices, the focus within the research community has been on how these devices might be attacked rather than on how these devices challenge existing social assumptions.

Alex Migicovsky on Freedom to Tinker

I don’t think this is surprising at all. Researchers are rewarded for working on attacks, and, in comparison, penalized for working on defenses.

This attack bias is damaging for security research; we need more defenses, not more attacks. Since some people, at least, don’t realize that there is such a bias, let’s look at the evidence.

Security research is one of those disciplines that actually gets reported on outside of academia, in more mainstream media. I took a look at all academic papers mentioned in security articles at Ars Technica so far in 2013:

That’s 27 articles. Out of those 27 I count 3 primarily defensive papers, 1 paper that is evenly balanced between attack and defense, and 2 papers that I would not classify as either attack or defense. The remaining 21 papers I would classify as attack focused. You can see the attack focus of the reporting just by looking at the article headlines.

It’s not surprising that mainstream media outlets would focus on sensationalist stories. Within the academic community itself, things are a bit better. In some fields—cryptography—I don’t think there is an attack bias at all. The attack bias gets stronger as the field gets more applied, culminating in the kind of presentations you see at BlackHat.

In any case, I’m sure most academic security researchers know that the way to get publicity is to work on attacks. The research that Migicovsky mentions in his post is itself a perfect example: it shows how to use smart watches to cheat. That’s attack research, not defense research.