Thought experiments are used in many disciplines - from theoretical physics and biology to linguistics and law - to question assumptions and generate new theories. Perhaps most prominently, they are a critical tool in philosophy, where their usage goes back thousands of years to Socrates and Plato. The insights and knowledge that rigorous, carefully considered thought experiments provide have completely revolutionized thinking in various fields. And yet, in cyber security, we haven’t made much use of them at all, and certainly not in any organized or formalized manner. This talk is an attempt to begin changing that.

In this session, I’ll provide a primer on thought experiments, covering their definitions, types, features, construction, usage, and outputs. I’ll examine some examples, discuss the drawbacks, and explore some unconventional forms which use different formats and ways of thinking.

I’ll then move on to argue a case for using thought experiments more widely in cyber security. I’ll start by focusing on how thought experiments differ from similar activities in security – such as tabletop exercises and ‘thinking like an attacker’ – and suggest several related areas in which thought experiments have proven useful previously, such as AI and cryptography, with examples.

Next, I’ll outline why we need more thought experiments in cyber security, identifying several areas in which they could be used to question common assumptions and theories, and I’ll present some thought experiments I’ve created in these areas, which I’ll invite attendees to use and build on as a starting point for further discussion and exploration.

I’ll then share a guide for creating thought experiments, as a first step towards encouraging their wider design and use in the field of security, and finish by calling for collaboration and cooperation to continue this.