Characterizing Scientific Reporting in Security Literature: An analysis of ACM CCS and IEEE S&P Papers

Scientific advancement is fueled by solid fundamental research, followed by replication, meta-analysis, and theory building. To support such advancement, researchers and government agencies have been working towards a "science of security". As in other sciences, security science requires high-quality fundamental research addressing important problems and reporting approaches that capture the information necessary for replication, meta-analysis, and theory building. The goal of this paper is to aid security researchers in establishing a baseline of the state of scientific reporting in security through an analysis of indicators of scientific research as reported in top security conferences, specifically the 2015 ACM CCS and 2016 IEEE S&P proceedings. To conduct this analysis, we employed a series of rubrics to analyze the completeness of information reported in papers relative to the type of evaluation used (e.g., empirical study, proof, discussion). Our findings indicate that some important information is often missing from papers, including explicit documentation of research objectives and the threats to validity. They also show a relatively small number of replications reported in the literature. We hope that this initial analysis will serve as a baseline against which we can measure the advancement of the science of security.
