Should Security Researchers Experiment More and Draw More Inferences?

Abstract

Two methodological practices are well established in other scientific disciplines yet remain rare in computer-security research: comparative experiments and statistical inferences. Comparative experiments offer the only way to control factors that might vary from one study to the next. Statistical inferences enable a researcher to draw general conclusions from empirical results. Despite their widespread use in other sciences, these practices are haphazardly used in security research. Choosing keystroke dynamics as an example to study, we survey the literature. Of 80 papers wherein these practices would be appropriate, only 43 (53.75%) performed comparative experiments, and only 6 (7.5%) drew statistical inferences. In disciplines such as medicine, comparative experiments and statistical inferences save lives and cut costs. Rigorous methodological standards are required. We see no reason why security research, another discipline where the stakes are critically high, cannot or should not adopt these practices as well. Failure to take a more scientific approach to security research stalls progress and leaves us vulnerable.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Aug 01, 2011
Accession Number
ADA547672

Entities

People

  • Kevin S. Killourhy
  • Roy A. Maxion

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber
  • Energy and Power Technologies

DTIC Thesaurus Topics

  • Behavioral Sciences
  • Computer Science
  • Cybersecurity
  • Detection
  • Detectors
  • Information Science
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Machine Learning
  • Security
  • Standards
  • Statistical Analysis
  • Statistical Inference
  • Statistics
  • Supervised Machine Learning
  • Surveys

Readers

  • Strategic Security Studies
  • Systems Analysis and Design

Technology Areas

  • AI & ML
  • AI & ML - DoD AI Strategy
  • Cyber