
Workshop on Empirical Research Methods in Information Security

April 11, 2016 - April 15, 2016
All day
Palais des Congrès

Workshop on Empirical Research Methods in Information Security @ WWW2016

Program (Monday, April 11 – Room 520E)

09.00 – 09.30
Longitudinal study of the use of client-side security mechanisms on the European Web
Ping Chen, Lieven Desmet, Christophe Huygens and Wouter Joosen

09.30 – 10.00
TLScompare: Crowdsourcing Rules for HTTPS Everywhere
Wilfried Mayer and Martin Schmiedecker

10.00 – 10.30
A Work-Flow for Empirical Exploration of Security Events
Martin Pirker and Andreas Nusser

10.30 – 11.00 Coffee Break

11.00 – 11.30
Ettu: Analyzing Query Intents in Corporate Databases
Gökhan Kul, Duc Luong, Ting Xie, Patrick Coonan, Varun Chandola, Oliver Kennedy and Shambhu Upadhyaya

11.30 – 12.00
Empirical Malware Research
Stefan Marschalek, Manfred Kaiser, Robert Luh and Sebastian Schrittwieser

12.00 – 12.30
Chains of Distrust: Towards Understanding Certificates Used for Signing Malicious Applications
Omar Alrawi and Aziz Mohaisen


  • Martin Gilje Jaatun, SINTEF, Norway.
  • Michael Huth, Imperial College, London, GB.
  • Lotfi Ben Othmane, Fraunhofer SIT, Germany.
  • Edgar Weippl, SBA Research & Vienna University of Technology, Austria.


There are often technical challenges in applying empirical research methods to applied projects. These challenges expose the limitations of existing methods when they are applied in different domain contexts. Applied researchers are encouraged to share their experience in applying empirical research methods in information security projects; their work should describe the methods they applied, the challenges they faced, and the lessons they learned. This should help to identify opportunities to improve existing empirical research methods.

Applied research in information security is becoming increasingly important, as many large-scale cloud systems and complex decentralized networked systems are used today by millions of people. Often, the systems' characteristics cannot be observed directly, either because the operators of centralized services do not provide this information (e.g. Facebook, Amazon) or because the decentralized nature of the system does not allow it (e.g. crypto protocols used on servers, Tor).

In addition, software development is also becoming more complex, as software is developed in large, globally distributed teams; one has to operate under the assumption that within any large team there are people who try to incorporate malicious code into the code base. To date there is little work that provides any empirical evidence on how widespread such problems are and what effective means exist to mitigate this risk.

This complexity will be amplified in the engineering of future Cyber-Physical Systems, where the established Enterprise Perspective of Information Security needs to be replaced with Risk Management approaches that balance and trade off needs in Safety, Reliability, Privacy, Cybersecurity, and Resiliency. In addition, validation of research results is also important for cyber insurance and for aspects of accountability and liability.

Research methodology in information security is evolving, and many of the earlier well-known empirical research findings are hard to reproduce for two main reasons. First, the original data is unavailable, no longer available, or may have been altered. Second, research ethics have changed, and experiments such as some of the early social phishing studies are no longer an acceptable practice.

The workshop’s goal is to explore different empirical research work and to work on establishing guidelines for different subdisciplines, including but not limited to: security in software engineering, network security, security in social networks, and usable security.

Or put simply, we want to address the issue of reliable research that the Economist summarized as having “… exposed the ways, most notably the overinterpreting of statistical significance in studies with small sample sizes, that scientific findings can end up being irreproducible—or, as a layman might put it, wrong.”

CfP / Topics for submission include, but are not limited to, the following:

  • Lessons learned from the application of empirical research methods to security projects.
  • Survey papers summarizing empirical research and comparing the methods used.
  • Critical reflections on research methods used in information security research.
  • Discussions and possible guidelines on access to data sets.
  • Comparisons between research methods in information security and other subdisciplines of computer science.
  • Comparisons between research methods in information security and other disciplines (e.g. economics, physics, social sciences).
  • Guidelines on how research should be performed, evaluated and reviewed, addressing target audiences such as (junior) researchers, grant reviewers, tenure review committees, hiring committees, etc.


We solicit full research papers (4-6 pages) and short papers (1-4 pages), both in the ACM conference paper style. Papers should be submitted via EasyChair at https://easychair.org/conferences/?conf=ermis2016

Submission guidelines: All submitted papers must be written in English and contain author names, affiliations, and email addresses; they must be formatted according to the ACM SIG Proceedings template (http://www.acm.org/sigs/publications/proceedings-templates) with a font size no smaller than 9pt, and be submitted as PDF.