Security is often characterised as an ongoing process of identifying and assessing threats, selecting countermeasures and checking their efficacy. In this framing of security as “what” and “how”, it is easy to overlook “why”. Why does this software component have repeated security vulnerabilities? Why is this VPN misconfigured? Why are threat information sharing procedures not always followed? Or simply, why is my system secure?

The user or developer often plays a central role in these questions, so we turn to qualitative research methods from the social sciences to help understand and diagnose how people experience security systems. These methods help us ask why, and are useful in identifying unknown knowns: the security practices in our socio-technical system, both human and technical, good and bad, that we do not realise we know about.