Adam Caudill

Security Engineer, Researcher, & Developer

Proposal: Association of Security Researchers

Security researchers play an important role in the industry, though one that doesn’t always receive the support needed. In this post, I am proposing the creation of a new non-profit entity, the International Association of Information Security Research Professionals (IAISRP), as a supporting group to push research forward, and provide the tools and resources to improve the quality of work, and the quality of life for those involved in this vital work.

I’ve written in the past about the issues around documenting research, problems with attribution, and the loss of information as the years go on. If you’ve not read “On the need for an open Security Journal”, I encourage you to do so before continuing.

This previously proposed journal would help to bring additional legitimacy to the research happening in the industry and community, and improve the relationship with the academic community. This journal would document, preserve, and support the massive amount of research produced by the security community, and ensure that it’s readily available to all.

This association would also open the door to making other services and resources available; once established, I expect that there would be no end to the ideas and inspiration, allowing this to evolve into something of great value to its members. While the journal would be the initial focus, it may grow to do more beyond that.

Goals

There are a few key goals to make this a valuable resource:

  • The journal will be available freely to all, at no cost to readers.
  • The journal will not charge any fees to authors. Being able to submit research for publication should impose no more burden than absolutely necessary.
  • The association would seek non-profit status in the United States, and be overseen entirely by members of the industry.
  • Existing research would be eligible for publication, not just new research. This is to ensure that as much as possible is documented and preserved.
  • The association would reach out to conferences around the world, and attempt to integrate itself as part of the CFP process, streamlining and coordinating the publication with conference talks.
  • The journal would be operated under a unique set of rules, different from traditional academic journals, to ensure that it serves the needs of the community it represents.

Non-Profit & Funding

The goal would be to establish the association as a non-profit entity, under section 501(c)(3) of the IRS code as a scientific & education organization. This is a non-trivial task, though based on IRS rules, should not be an issue. The most important part of this is that it allows receipt of tax-deductible donations to fund staffing and operations.

Funding this association will be a challenge, and perhaps the most important challenge to be addressed. Offering paid memberships & corporate sponsorships (à la OWASP) would address some of the costs, though donations or other income would likely be needed to provide a comfortable level of support.

With donations being tax deductible, donation matching, and leveraging volunteers & members to push their employers to donate, fundraising will hopefully be minimally painful. For security companies, sponsorship acts to get their name out more, shows community support, and can be helpful for recruitment. There would be real value for companies to direct money to this association.

Starting and running a non-profit is a complex and time-consuming effort, and will require volunteers, and possibly paid consultants, to ensure that all laws are complied with, and that the organization is and remains viable. This will require a number of people to ensure that no single person is working beyond the time they can commit or exceeding their skillset. This is, first and foremost, an organization by and for the security research community, and will respect the time of everyone involved.

Expected Expenses

There are a variety of expenses that will likely be incurred, including hosting, design services, software licenses, legal and financial services, and similar expenses; there will likely also eventually be full-time employees, most likely being the journal’s editor and staff to prepare submitted research for publication. There may be additional expenses as time goes on, including reimbursing leadership for their time, accounting and financial management, fundraising, and the like.

While the work of volunteers would be critical, there are limits to the amount of time that can be asked of members of the community.

Publishing Criteria

Unlike a typical academic journal, the motivations and commitments are fundamentally different in this case, and attempting to follow all of the norms of an academic journal would almost certainly lead to failure. In academia, being published is vital for one’s career; here, it’s doing a favor to the community.

As a result, different standards will need to apply. Research would go through a lightweight peer review as well as a plagiarism review and would err on the side of publishing versus not - the standard of review would be different than a top-tier academic journal. This difference in standards would be well documented, and while not up to the standards of academia, would help to ensure that as much is published as possible, and that as much history as possible is preserved.

The journal would establish an editorial board which would be responsible for defining these requirements, and overseeing their enforcement and evolution.

Keeping in mind that this serves a community that doesn’t typically operate within the rigid structure of proper academic publishing, it has to function in a middle-ground between the two. It won’t be perfect, but it would be better than what’s available today.

Existing & Historic Research

As noted above, the goal would be to publish not only new research, but also existing research that has been published elsewhere. This is an enormous project, one that would take many years, but it is essential to the overall mission of capturing and preserving as much as possible for the future.

Existing research would follow the same process as far as possible, though may contain editor’s notes explaining variations that took place out of necessity. Such research would likely be published in a separate “section” of the publication, clearly indicating its nature.

Next Steps

As noted above, this is a project by and for the community, and would be possible only with the support of the community. To have any future, there must be enough support - interest, time, effort, money - to make this a viable project.

I am publishing this in hopes of starting a conversation; this may be the beginning of something that has broad impact on the industry, or it may die here on an individual’s blog. The future of this effort, my dear reader, is up to you.
