Security Design: Why It’s Hard To Do Empirical Research
Author
Abstract
I am frustrated and disappointed at the number of weakly validated software engineering research results. I have found none that specifically address my research problems and only a few examples that generally apply. In particular, I have looked for accepted research techniques that can be used with relatively few data points and research methods that address variability issues across organizations. I believe that software engineering researchers are hindered because of limited access to industrial data, system complexity and variability, and inexperience with qualitative research methods. My research validation also suffers from these factors. Social scientists and design researchers share some of these problems but have established validation techniques to deal with them. Although software engineering researchers face some unique challenges, I am hopeful that research methods from other disciplines can improve validation of my results.
Similar resources
More Security or Less Insecurity (Transcript of Discussion)
This is actually work done by Partha, it’s his talk, but the UKBA decided we could do without him, which is why it’s me talking rather than him. The purpose of this talk is to explore the possibility of an exploitable analogy between approaches to secure system design and theories of jurisprudence. The prevailing theory of jurisprudence in the West at the moment goes back to Hobbes. It was deve...
Towards analysing the rationale of information security non-compliance: Devising a Value-Based Compliance analysis method
Employees’ poor compliance with information security policies is a perennial problem. Current information security analysis methods do not allow information security managers to capture the rationalities behind employees’ compliance and non-compliance. To address this shortcoming, this design science research paper suggests: (a) a Value-Based Compliance analysis method and (b) a set of design p...
Phish Phodder: Is User Education Helping or Hindering?
Mostly, security professionals can spot a phish a mile off. If they do err, it’s usually on the side of caution, for instance when real organizations fail to observe best practice and generate phish-like marketing messages. Many sites are now addressing the problem with phishing quizzes, intended to teach the everyday user to distinguish phish from phowl (sorry). Academic papers on why people f...
Why Research-Oriented Design Isn’t Design-Oriented Research: On the Tensions Between Design and Research in an Implicit Design Discipline
Human–computer interaction (HCI) is the discipline concerned with the design, evaluation, and implementation of interactive computing systems. Unlike many empirical sciences, HCI researchers do not typically solely study existing technologies, styles of interaction, or interface solutions. On the contrary, one of the core activities in contemporary HCI is to design new technologies – in the for...
Conceptualizing Communications Security: a Value Chain Approach
Cybersecurity has become a top priority for policymakers these days, but as the engineering saying goes: “if you don’t know what you want, it’s hard to do it right.” This paper finds considerable shortcomings in current conceptual and legal frameworks for communications security policymaking. The misleading concept of cybersecurity incorporates a wide range of social issues under its umbrella, ...