Introduction

Why a methodology book?

Before the concept of cybersecurity was introduced, in the 1960s, computer security was referred to as the "protection of computer programs and data against unauthorized access" [PAY 83]. In the 1990s, the concept of "cybersecurity" emerged. This mainly refers to computer protection in its technical dimension, and some even see it as one of the major challenges for security policies for the coming decades: "One of the biggest challenges for strategic leaders in the 21st Century will be cyber security - protecting computers and the links between them" [JOH 95]. In much of the literature, "cyber" or "computer" technologies are first and foremost imperfect objects, which must be repaired to produce security. However, cybersecurity has a broader remit than computers: the security of cyberspace.

For the past 10 years or so, the human and social sciences (HSS) have been concerned with cybersecurity. Political [DEI 10, QUI 12, CAV 19], legal [GRA 04], strategic and economic readings have been proposed. Journals dedicated to the study of cybersecurity provide human and social science disciplines with spaces for discussing research from multiple viewpoints. These include the Journal of Cybersecurity (Oxford University Press)1, the Journal of Cybersecurity Research (JCR)2, the International Journal of Cybersecurity Intelligence and Cybercrime (IJCIC)3, the National Journal of Cyber Security Law4 and the Journal of Intelligence and Cyber Security5, to name a few. Most of these academic journals have only recently been founded. Cybersecurity, in any case, is in the process of becoming a fully fledged subject of research in the human and social sciences, if it has not already become this. Notwithstanding this observation, research still appears to be relatively scattered and heterogeneous, with each discipline within HSS grasping the issues and posing research questions based on its own approaches, using its own theoretical and methodological apparatus.

Our contribution to this wave of international cybersecurity productions will be a reflection on methodological aspects in the human and social sciences for cybersecurity research. This book therefore poses the following central question: what methods and theoretical tools can mobilize HSS researchers to address cybersecurity? This methodological dimension seemed essential to us for several reasons:

- Publications produced in recent years generally pay little attention to the methodological dimension. Research books and articles naturally address this methodological dimension in the formal framework of their development. However, they generally focus on the treatment of the subject matter of the particular publication. To date, there has been little effort to offer reflections centered on questions of methods and theories specific to the human and social sciences.

- The topic of cybersecurity can be confusing at first glance for young (and sometimes not so young) researchers. The purpose of cybersecurity seems to require mobilization and mastery of multiple fields of knowledge (that of the field specific to the HSS researcher, combined with knowledge of informatics, networks, communication, etc.). It is therefore a question of gathering knowledge that is essential to the researcher, thus a question of methodology.

- Once it has been defined, explained and deconstructed, cybersecurity will quickly appear as a complex object, with multiple components that will each be objects of research (cybercrime, cyberattacks, cyber threats, cyber risk, intelligence issues in cyberspace, etc.). Each of these objects may require specific knowledge, distinct theoretical frameworks and adapted methodologies. The chapters in this book eloquently demonstrate the complexity of the cybersecurity object.

- Moreover, another very important question arises when considering cybersecurity as being composite and complex: what can or should be the place of multidisciplinarity or interdisciplinarity in its study? As a discipline, cybersecurity is under two forms of pressure which are fertile for its development. The first is, of course, the willingness of researchers who see themselves as part of this discipline (in terms of knowledge, methods or techniques) to specialize in order to distinguish the cybersecurity object from the multitude of objects or dimensions that comprise it in the real world, as well as the ability to distinguish this field of research from other contiguous fields such as computer security, data protection and computer engineering. The second pressure is pushing the discipline to broaden its horizons towards HSS, since it is now accepted that cybersecurity is also a social phenomenon. This pressure thus pushes research towards interdisciplinarity or multidisciplinarity to take account of the human and social dimensions of cybersecurity.

- Is cybersecurity relevant to all HSS disciplines? This question implies that the human and social aspects of cybersecurity are potentially intersectional when the HSS address cybersecurity. In other words, theories, methods and analytical frameworks as much as variables from psychology, anthropology, sociology or any other HSS discipline, can contribute in some way to explaining or understanding the phenomenon of cybersecurity. Mobilizing these different research tools and methodological heritages seems beneficial for an integrated analysis of cybersecurity and an unsuspected wealth of knowledge.

- What benefits does cybersecurity derive from its encounter with the human and social sciences? The answer to this question is based on what characterizes the humanities and social sciences and what ultimately distinguishes them from other sciences. The main distinction lies in their ability to analyze complex human phenomena both qualitatively and quantitatively. As a result, a multitude of tools and methodological approaches exist and make it possible, in particular, to refine cybersecurity knowledge and to strongly qualify techno-determinism (or "solutionism" as Morozov calls it [MOR 14]). This dual qualitative and quantitative capacity enables the HSS to identify issues in cybersecurity in three ways. First of all, in a macro way where the globality of the cybersecurity phenomenon is revealed in its structural, systemic and environmental aspects. For example, international geopolitics is being transformed by the importance of cybersecurity in international relations today [DOU 14]. Secondly, in a meso way, where decision-making processes, the roles of the different institutional actors and private organizations are highlighted. We need only think of the formulation of a foreign or defense policy that cannot disregard hybrid threats in terms of cybersecurity. Finally, in a micro way, where the uniqueness and particularity of this same cybersecurity phenomenon are observable in individual behavior or thought, such as the victim of a phishing campaign, for example.

The contribution of HSS is also evident in its capacity to generate social debate on cybersecurity issues and to force the discipline to popularize its basic concepts. The transmission of knowledge and social awareness about cybersecurity issues is thus facilitated. Finally, it provides a context for cybersecurity-related problems or risks by giving historical depth to otherwise impossible to find reflection or debate.

- A final question is, in our opinion, methodologically and theoretically necessary: is it necessary to mobilize pre-existing theoretical frameworks, or is it possible to envisage their renewal? The nature of the cybersecurity object certainly favors multidisciplinarity, but nevertheless creates two obstacles blocking its analysis. On the one hand, cybersecurity combines a technical dimension with a human dimension, which makes this a hybrid and complex research object, as mentioned above. Moreover, few theoretical or methodological frameworks currently exist to address the full human and technical dimensions of cybersecurity so as to gain a holistic or integrated perspective on cybersecurity. On the other hand, the speed of IT development (technical dimension) and the adoption of new technologies (human dimension) make existing analytical frameworks quickly obsolete. These two obstacles must be taken into account in mobilizing existing theoretical frameworks, as well as, and more importantly, in developing new comprehensive analytical frameworks. In order to achieve this, a study on research methods and theoretical tools of the human and social sciences in the study of cybersecurity seemed necessary to us.

Contributions to the book

The seven chapters of this book offer different perspectives on particular aspects of cybersecurity and provide some answers to the various questions outlined above.

In his chapter, Hugo Loiseau discusses the scientificity of cybersecurity studies. This still needs to be defined and demonstrated in the human and social sciences. Among the abundance of research in cybersecurity, in all sciences combined, only a few studies are devoted to the methodological and scientific problems of this emerging discipline. Indeed, in the human and social sciences, from an epistemological point of view, studies on cybersecurity require methodological criticism to improve their scientificity and credibility in relation to computer sciences and engineering. In this chapter, research methods, access to data and the development of a cybersecurity...