Empirical research in information security is becoming increasingly important as many large-scale cloud systems and complex decentralized networked systems are used today by millions of people. Often, the systems’ characteristics cannot be observed directly, either because the operators of centralized services do not provide this information (e.g. Facebook, Amazon) or because the decentralized nature does not allow doing so (e.g. crypto protocols used on servers, Tor). In addition, software development becomes more complex as software is developed in large, globally distributed teams, so that one has to operate under the assumption that within any large team there are people trying to incorporate malicious code into the code base. To date there is little work that provides any empirical evidence on how widespread such problems are and whether there are effective means (and which) to mitigate this risk. Research methodology in information security is evolving, and many of the earlier well-known empirical research findings are hard to reproduce for two main reasons: first, the original data is not or no longer available or may have been altered; second, research ethics have changed and some experiments are no longer an acceptable practice. In this presentation I will (1) highlight the impact of our past research in the field, (2) show how promising theoretical concepts can be explored and applied to important empirical problems, and (3) explore future research paths in the field.
After working at a research startup for two years, Edgar spent one year teaching Algorithms, AI and Database Systems as an Assistant Professor at Beloit College, WI. From 2002 to 2004, while with the software vendor ISIS Papyrus, he worked as a consultant in New York, NY and Albany, NY, and in Frankfurt, Germany. In 2004 he joined the TU Wien and founded the research center SBA Research together with A Min Tjoa and Markus Klemen, where he has been working full time as Research Director since 2006. Edgar R. Weippl is a member of the editorial board of Elsevier’s Computers & Security (COSE), organizes the ARES conference, was General Chair of SACMAT 2015 and PC Chair of Esorics 2015, and is General Chair of ACM CCS 2016. He is a member of many PCs, including ACM CCS and Esorics. In 2015 he received the ACM SIGSAC Service Award.