Jonathan D. Pincus,
jon {at} achangeiscoming {dot} net
Originally posted on research.microsoft.com, January 2005
"There is only one holistic system of systems É"
(Paddy
Chayevsky,1974, as sampled in Snog's "Corporate Slave")
OK, maybe this is obvious to everybody outside the field of
computer science; but within the field, we are in the process of a major
paradigm shift -- when I get excited, I describe it as a Kuhnian "scientific
revolution in progress", which might be stretching things, but just a
little. Computer scientists have historically identified either as
mathematicians (ah, the purity) or physicists (pretty good purity and much
better government funding); but if you look at the kinds of problems we are
trying to solve now (bunches of different aspects of the security problem,
privacy, usability of pervasive computers, changing business models,
e-voting) it seems pretty clear that the key issues relate to people and
the way they communicate and organize themselves, rather than discovering the
underlying physical laws of the universe -- in short, the domain of social sciences.
The intersection of this new perspective with traditional computer
science is probably farthest advanced in the area of HCI, and permeates the
areas of intellectual property protection (e.g., Copyleft and Creative Commons) and the whole blogging/social
networking software area. However,
these are all areas that are well outside the mainstream of computer
science. Some aspects of these
ideas come up in the work of people in related fields (a short list
appears as an appendix); in particular, the field of software engineering is based on computer
science as well as other disciplines, and so inherently involves consideration
of the social and organizational aspects of software. However, if you start to look around at
some of interesting kinds of approaches people are investigating and/or
putting into practice in many different areas, it becomes clear that many of
them are exploring this area (consciously or not). In this brief essay, I'll concentrate
primarily on the sub-disciplines of network/software security, and software
architecture/development.
In the security space, the now-obvious economic aspects of the problem,
"social engineering" attacks, and what is often mistakenly referred to as "the
stupid user problem" make it hard to avoid. Many people point to the relatively new
field of "usable security" (starting with the Alma Whiten's seminal Why
Johnny Can't Encrypt) as another example of considering broader
perspectives. Work by people like Ross Anderson
at Cambridge, Hal Varian at UC Berkeley, Shawn Butler at CMU, and Eric Rescorla at RTFM starts from an
economic perspective and asks some very interesting questions here; it seems to
me that traditional computer science techniques aren't really able to address
these problems. There are now
workshops devoted to Economics and
Information Security (although some of the work there is still extremely
immature; one economist told me, "a lot of this reads like people have just
taken their first economics course and think they understand everything"), and
people like Andrew Odlyzko and Alessandro Acquisiti are extending this approach
to privacy considerations as well.
On the software development side, agile methodologies and the various
approaches to community in software development (including, but not limited to,
open source/free software) both approach the problem primarily and explicitly
from a social perspective -- as can clearly be seen in sources such as Eric Raymond's
The Cathedral and the Bazaar and the Agile Movement's Manifesto
and Principles.
At Microsoft, the Root Cause Analysis work is the most obvious example of
explicitly applying a social sciences approach to software development; we are
currently attempting to cross-pollinate this with perspectives from the "new
look" movement in error analysis (e.g., Robin Cook and David Woods) and Chick
Perrow's Normal
Accident Theory, as well as the more traditional engineering approach of
FMEA.
Some of the most interesting research going on is relates to this
paradigm shift, and much of it is starting to get to the point where it's
beyond "pure research".
Some other important areas that haven't received as much attention:
It's interesting that this change is in general being overlooked. One good example is the Economist's recent
articles on software (e.g., the 11/27 article on "Managing Complexity"); while
the diagnoses of the problems of software were quite good, their focus on
tools as a "solution" is an example of what they like to refer to as
"woolly" thinking: yes, tools are good, but they only get you so far. On the other hand, it's not like there
are a lot of better broadly-deployed solutions out there that the Economist missed;
I would argue one of the reasons for this lack of obvious next steps is that it's
being considered from the wrong perspective.
I've been mentioning this idea frequently over the last year (that is,
2004), and the response has generally been fairly positive; in fact, many of
the examples above come from people who have said "oh, yeah, for example É." One interesting point that several
people have mentioned when I've run this idea past them is that social sciences
are in general more successful at description rather than prescription. Unlike many (all?) of the other social
sciences, at least part of the computer science problem domain is explicitly
"constructed" and relatively easily manipulable. It's not clear how to reconcile this;
perhaps the traditional computer science perspective can provide some insights
into social sciences as well.
The implications of this different view of computer science are so huge
that it's hard to assess all the implications. In a couple of the areas that
are farthest advanced, some of the specific that are happening as part of the
rethinking are discussed above.
More generally, I wonder if this new view is a key towards the possible different
approaches to the reworking of computer science/software engineering education
that most people agree need to happen.
Most high schools and colleges today provide essentially vocational
training -- people learn to program and do some projects-- but industry expresses
a belief that new college graduates don't have the right skills in terms of
abstract thinking or exposure to important concepts such as security and
maintainability. A few of the top-tier schools in the U.S., and many European
universities, take a far more scientific approach; in many cases, though,
moving to industry is a jarring experience for these students because the
concepts they have learned are nowhere to be found. Today, with software
production practiced as a craft, apprenticeship winds up being the most
effective training mechanism; but that clearly isn't the entire solution. Could a "social science" perspective be
a better lens through which to view computer science --and could this in turn
clarify the ways in which software engineering, like other engineering
disciplines, applies the results of underlying science?
(This should obviously grow into a detailed annotated bibliography at
some point, rather than the current "sketchy notes".)
In addition to the fairly explicit connections mentioned above, the
following people and works have laid the basis for much of my (and many
others') thinking.
Alan Cooper (in particular his Inmates are
Running the Asylum)
Chick Perrow's Normal Accidents
the "new look"movement
in error analysis (involving David Woods and Richard Cook amongst tothers)
Mike Godwin
Larry Lessig
Bruce Schneier; Secrets and Lies is a good starting place
Peter Neumann and Risks forum
Barry Boehm, Capers Jones et. al. in the area of economics of software
engineering
Kevin Sullivan's work looking at economic models for more general
software engineering questions -- e.g., using real options
to model software development investment decisions
Relatively few of these people identify as computer science or
software engineering types (Peter Neumann, Barry Boem, Capers Jones, and Kevin Sullivan being the obvious exceptions; although
some of the others such as Alan Cooper could if they wanted, they choose not
to) ... this is probably more than a coincidence.
I first remember making this suggestion (somewhat in jest) to Andreas
Zeller during a conversation at ISSTA 2000: my response to yet another outbreak
of the "math vs. physics" debate was "we don't want to admit it, but we should
really be debating whether we're more like sociologists or economists". He
noted that he sees himself more as a 19th century 'naturalist" -- in particular,
observational as well as experimental, a view that I tend to think of as compatible. A visit by across-disciplinary
group from CMU to Microsoft Research sometime in 2002 was a key step towards
making me believe that maybe I wasn't joking. Since then, discussions with many people
helped refine these ideas and led me to conclude that they are ready toair; I
would especially like to thank Jeannette Wing, Jeff Wallace, Mike Howard,
Window Snyder, Pierre de Vries for the "consilient" viewpoint, Tony Hoare,
Butler Lampson, Mary Shaw, Dan Gillmor, Cornell West for the insight that the
prophetic/Constantinian distinction could apply to other things besides religion,
and all of my colleagues on the CSTB SufficientEvidence panel.