Validating Computer Security Methods: Meta-methodology for an Adversarial Science

Recent explorations on the science or theory of computer security have been hindered by its unique properties. We confront this by precisely defining those properties: that computer security is adversarial and engineered, and that because of this it is contextual. We use these definitions to address the practical question of how we can justify the validity of our methods. To answer this meta-methodological question, we develop a taxonomy of methods, and consider the components of a well-constructed methodological validation. We use strategic theory to derive one such validation, and discuss the uses and properties of validations.