Empirical research on security and privacy by design: What (not) to expect as a researcher or a reviewer
Research on software security and privacy is very active, and new techniques and methods are proposed frequently. In practice, however, adoption is relatively slow, especially for techniques and methods aimed at the early software engineering phases. There is increasing awareness, both in industry and in academic research, that complex, non-functional, cross-cutting concerns such as security and privacy inherently require up-front attention, much in line with the principles of software quality by design. An empirical study of secure design can pursue a wide range of goals. At the highest level, the goal is usually to demonstrate that a (new) design approach is "good enough" in practice, or "better" than some other approach. Studies on security and privacy by design typically require a description of some system to work on. Ideally, this is an existing and realistic system for which the security-relevant requirements and design decisions have been explicitly articulated.