Let that think in: Thought experiments and their application to cyber security
02-11, 09:50–10:35 (UTC), Track 1 - Dragon Suite

Thought experiments are used in many disciplines - from theoretical physics and biology to linguistics and law - to question assumptions and generate new theories. Perhaps most prominently, they are a critical tool in philosophy, where their usage goes back thousands of years to Socrates and Plato. The insights and knowledge that rigorous, carefully considered thought experiments provide have completely revolutionized thinking in various fields. And yet, in cyber security, we haven’t made much use of them at all, and certainly not in any organized or formalized manner. This talk is an attempt to begin changing that.

In this session, I’ll provide a primer on thought experiments, covering their definitions, types, features, construction, usage, and outputs. I’ll examine some examples, discuss the drawbacks, and explore some unconventional forms which use different formats and ways of thinking.

I’ll then move on to argue a case for using thought experiments more widely in cyber security. I’ll start by focusing on how thought experiments differ from similar activities in security – such as tabletop exercises and ‘thinking like an attacker’ – and suggest several related areas in which thought experiments have proven useful previously, such as AI and cryptography, with examples.

Next, I’ll outline why we need more thought experiments in cyber security, identifying several areas in which they could be used to question common assumptions and theories, and I’ll present some thought experiments I’ve created in these areas, which I’ll invite attendees to use and build on as a starting point for further discussion and exploration.

I’ll then share a guide for creating thought experiments, as a first step towards encouraging their wider design and use in the field of security, and finish by calling for collaboration and cooperation to continue this.

Brief outline of the talk:

  1. INTRODUCTION: who I am, what I do; my interest in thought experiments; aims of the talk

  2. WHAT IS A THOUGHT EXPERIMENT? Competing definitions; history and examples in various fields (philosophy, physics, law); types of thought experiment (destructive, constructive, Platonic); format and usage (how they're presented; unfolding of the scenario; why they should be used, Kuhnian crises); outputs (models); caveats (biases, where new knowledge comes from, idealisation, imagination as a negative); unusual forms (koans, fiction)

  3. APPLICATIONS TO CYBER SECURITY: Background (usage, distinction vs. tabletop exercises, scenarios, 'thinking like an attacker'); why we need thought experiments (Kuhnian crisis, challenging assumptions); examples of pre-existing thought experiments in related areas (AI, cryptography, privacy); benefits; examples (adapting pre-existing thought experiments and coming up with new ones - examples include attribution, innovation, cyberweapons)

  4. HOW TO DESIGN A THOUGHT EXPERIMENT: destructive and constructive forms; outline of the process

  5. CONCLUSION: Reiterate aims; first step; call for collaboration and cooperation; references, contact details, and questions.

Matt Wixey is a Principal Technical Editor and Senior Threat Researcher at Sophos. He is a former penetration tester, and previously led cybersecurity R&D capabilities at both PwC UK and a specialist unit in the Metropolitan Police Service, digging into emerging attack vectors, vulnerabilities, and new technologies. Matt has spoken at national and international conferences, including Black Hat USA, DEF CON, ISF Annual Congress, BSides LDN, 44con, and BruCon.