Computer Science is Really a Social Science

Jonathan D. Pincus,

jon {at} achangeiscoming {dot} net

Originally posted on, January 2005


"There is only one holistic system of systems "

(Paddy Chayevsky,1974, as sampled in Snog's "Corporate Slave")


OK, maybe this is obvious to everybody outside the field of computer science; but within the field, we are in the process of a major paradigm shift -- when I get excited, I describe it as a Kuhnian "scientific revolution in progress", which might be stretching things, but just a little.  Computer scientists have historically identified either as mathematicians (ah, the purity) or physicists (pretty good purity and much better government funding); but if you look at the kinds of problems we are trying to solve now (bunches of different aspects of the security problem, privacy, usability of pervasive computers, changing business models, e-voting) it seems pretty clear that the key issues relate to people and the way they communicate and organize themselves, rather than discovering the underlying physical laws of the universe -- in short, the domain of social sciences. 


The intersection of this new perspective with traditional computer science is probably farthest advanced in the area of HCI, and permeates the areas of intellectual property protection (e.g., Copyleft and Creative Commons) and the whole blogging/social networking software area.  However, these are all areas that are well outside the mainstream of computer science.  Some aspects of these ideas come up in the work of people in related fields (a short list appears as an appendix); in particular, the field of software engineering is based on computer science as well as other disciplines, and so inherently involves consideration of the social and organizational aspects of software.  However, if you start to look around at some of interesting kinds of approaches people are investigating and/or putting into practice in many different areas, it becomes clear that many of them are exploring this area (consciously or not).  In this brief essay, I'll concentrate primarily on the sub-disciplines of network/software security, and software architecture/development.


In the security space, the now-obvious economic aspects of the problem, "social engineering" attacks, and what is often mistakenly referred to as "the stupid user problem" make it hard to avoid.  Many people point to the relatively new field of "usable security" (starting with the Alma Whiten's seminal Why Johnny Can't Encrypt) as another example of considering broader perspectives. Work by people like Ross Anderson at Cambridge, Hal Varian at UC Berkeley, Shawn Butler at CMU, and Eric Rescorla at RTFM starts from an economic perspective and asks some very interesting questions here; it seems to me that traditional computer science techniques aren't really able to address these problems.  There are now workshops devoted to Economics and Information Security (although some of the work there is still extremely immature; one economist told me, "a lot of this reads like people have just taken their first economics course and think they understand everything"), and people like Andrew Odlyzko and Alessandro Acquisiti are extending this approach to privacy considerations as well.


On the software development side, agile methodologies and the various approaches to community in software development (including, but not limited to, open source/free software) both approach the problem primarily and explicitly from a social perspective -- as can clearly be seen in sources such as Eric Raymond's The Cathedral and the Bazaar and the Agile Movement's Manifesto and Principles. At Microsoft, the Root Cause Analysis work is the most obvious example of explicitly applying a social sciences approach to software development; we are currently attempting to cross-pollinate this with perspectives from the "new look" movement in error analysis (e.g., Robin Cook and David Woods) and Chick Perrow's Normal Accident Theory, as well as the more traditional engineering approach of FMEA.


Some of the most interesting research going on is relates to this paradigm shift, and much of it is starting to get to the point where it's beyond "pure research". 


Some other important areas that haven't received as much attention:


  • Mary Shaw and her grad students at CMU are applying quantatitive techniques from the social sciences (risk theory, utility theory, decision theory, etc.) to a host of software development problems.
  • Jeannette Wing, also at CMU, and some of her students (including Somesh Jha, now at University of Wisconsin) have used game theory to model the interactions between hackers and those attempting to defend a system.
  • Various researchers including Nicholas Weaver, Stefan Savage, and ChenXi Wang have shown that epidemiology models can accurately predict the spread of computer worms and viruses.
  • Dawson Engler et. al. from Stanford are getting excellent, and completely unexpected results, by combining statistical analysis with more traditional computer science techniques; their first paper (looking at defect detection, although the approach t could apply to other problems as well) is called Bugs as Deviant Behavior.  [Coverity, one of the new batch of static analysis startups, is currently attempting to commercialize this.]
  • Andreas Zeller of TU Saarbrucken's work includes identifying defects based on the notion of empirically "related changes", as well as his difference-based based automated debugging (e.g,. Ask Igor for Java) could be viewed as falling into this category as well. 
  • In retrospect, the work my colleagues and I have done at Intrinsa [the startup, not the pharmaceutical] and then at Microsoft Research's Programmer's Productivity Research Center (in conjunction with the NT Penetration Team, Secure Windows Initiative, Office Code Quality Team, and many others) has applied these perspectives to leverage technology changes and enable process changes.  Personally, I have been most involved in the deployment of static analysis tools, an area I was heavily involved.  The talks and papers over the last ten years chart a growing awareness and then conscious focus on these social issues as a key to successful adoption of such tools; a 2000 ISSTA keynote of mine, Analysis is Necessary but Not Sufficient is a particularly interesting snapshot.


It's interesting that this change is in general being overlooked.  One good example is the Economist's recent articles on software (e.g., the 11/27 article on "Managing Complexity"); while the diagnoses of the problems of software were quite good, their focus on tools as a "solution" is an example of what they like to refer to as "woolly" thinking: yes, tools are good, but they only get you so far.  On the other hand, it's not like there are a lot of better broadly-deployed solutions out there that the Economist missed; I would argue one of the reasons for this lack of obvious next steps is that it's being considered from the wrong perspective.

Responses to the idea -- and implications


I've been mentioning this idea frequently over the last year (that is, 2004), and the response has generally been fairly positive; in fact, many of the examples above come from people who have said "oh, yeah, for example ."  One interesting point that several people have mentioned when I've run this idea past them is that social sciences are in general more successful at description rather than prescription.  Unlike many (all?) of the other social sciences, at least part of the computer science problem domain is explicitly "constructed" and relatively easily manipulable.  It's not clear how to reconcile this; perhaps the traditional computer science perspective can provide some insights into social sciences as well.


The implications of this different view of computer science are so huge that it's hard to assess all the implications. In a couple of the areas that are farthest advanced, some of the specific that are happening as part of the rethinking are discussed above.  More generally, I wonder if this new view is a key towards the possible different approaches to the reworking of computer science/software engineering education that most people agree need to happen.  Most high schools and colleges today provide essentially vocational training -- people learn to program and do some projects-- but industry expresses a belief that new college graduates don't have the right skills in terms of abstract thinking or exposure to important concepts such as security and maintainability. A few of the top-tier schools in the U.S., and many European universities, take a far more scientific approach; in many cases, though, moving to industry is a jarring experience for these students because the concepts they have learned are nowhere to be found. Today, with software production practiced as a craft, apprenticeship winds up being the most effective training mechanism; but that clearly isn't the entire solution.  Could a "social science" perspective be a better lens through which to view computer science --and could this in turn clarify the ways in which software engineering, like other engineering disciplines, applies the results of underlying science?

Appendix: antecedents


(This should obviously grow into a detailed annotated bibliography at some point, rather than the current "sketchy notes".)


In addition to the fairly explicit connections mentioned above, the following people and works have laid the basis for much of my (and many others') thinking.


Helen Nissenbaum

Alan Cooper (in particular his Inmates are Running the Asylum)

Chick Perrow's Normal Accidents

the "new look"movement in error analysis (involving David Woods and Richard Cook amongst tothers)

Mike Godwin

Larry Lessig

Bruce Schneier; Secrets and Lies is a good starting place

Peter Neumann and Risks forum

Barry Boehm, Capers Jones et. al. in the area of economics of software engineering

Kevin Sullivan's work looking at economic models for more general software engineering questions -- e.g., using real options to model software development investment decisions


Relatively few of these people identify as computer science or software engineering types (Peter Neumann, Barry Boem, Capers Jones, and Kevin Sullivan being the obvious exceptions; although some of the others such as Alan Cooper could if they wanted, they choose not to) ... this is probably more than a coincidence.




I first remember making this suggestion (somewhat in jest) to Andreas Zeller during a conversation at ISSTA 2000: my response to yet another outbreak of the "math vs. physics" debate was "we don't want to admit it, but we should really be debating whether we're more like sociologists or economists". He noted that he sees himself more as a 19th century 'naturalist" -- in particular, observational as well as experimental, a view that I tend to think of as compatible.   A visit by across-disciplinary group from CMU to Microsoft Research sometime in 2002 was a key step towards making me believe that maybe I wasn't joking.  Since then, discussions with many people helped refine these ideas and led me to conclude that they are ready toair; I would especially like to thank Jeannette Wing, Jeff Wallace, Mike Howard, Window Snyder, Pierre de Vries for the "consilient" viewpoint, Tony Hoare, Butler Lampson, Mary Shaw, Dan Gillmor, Cornell West for the insight that the prophetic/Constantinian distinction could apply to other things besides religion, and all of my colleagues on the CSTB SufficientEvidence panel.