Practice-Based Cyber Security Research
I recently read about David Gauntlett's "basket of things" approach. It gave me validation to my thinking and the apporach i'd been taking in my own research. for years, the only real inspiration was drawn from a paper by Linda Candy, who had written about practice-based research many years before.
Guide to Practice-Based Research for Beginners
Practice-based research, also known as research-creation, distinguishes itself from traditional research methodologies by integrating hands-on creative practices into the exploration of research questions. Unlike conventional approaches, practice-based research sees making, experimenting, and experiencing as integral components of the research process, leading to the generation of new insights.
Key Principles
Here are some key principles that underpin practice-based research:
- Exploration Through Practice: The core idea is that the researcher doesn't just observe or analyze existing phenomena but actively engages in the creative process of making. This could involve designing artefacts, developing workshops, composing music, or any other form of creative activity relevant to the research question.
- "Basket of Things" Approach: As described by David Gauntlett, a practice-based research project often unfolds as a journey, gathering a collection of processes, experiments, and experiences. Instead of a single, rigidly defined project, practice-based research often involves a series of interlinked "mini-projects" that emerge from the research process itself. Each "mini-project" might offer a partial solution or insight, leading to new questions and the next stage of exploration.
- Real-World Validation: Practice-based research emphasizes the practical relevance of findings. Validation often involves case studies, knowledge transfer to practitioners, and demonstrable impact on real-world practices.
- Ethical Considerations: The sources stress the importance of ethical conduct in practice-based research, particularly in sensitive fields like cyber security. Researchers must carefully consider informed consent, data confidentiality, and the potential impact of their findings.
Tools and Techniques
Practice-based research borrows tools and techniques from both creative practices and qualitative research methods:
- Conceptual Frameworks: These are visual representations that help to organise key concepts and their relationships, evolving as the research progresses. An example is the LACES (Local Authority Cyber Ecosystem) framework, which emerged from a decade-long practice-based research project.
- Ethnography: This method emphasises immersive observation and participation to understand behaviours, motivations, and beliefs within a specific context. The LACES project used ethnography, with the researcher acting as an observer-participant over the ten-year research period.
- Reflective Documentation: This involves systematically recording thoughts, decisions, challenges, and insights throughout the research process. Reflective documentation can take various forms, such as research diaries, journals, or annotated portfolios of creative outputs.
Examples of Practice-Based Research
- The LACES Project: This project exemplifies practice-based research in cyber security. It involved a ten-year study of cyber security in UK local governments, leading to the development of the LACES framework. The research included surveys, workshops, presentations, and case studies to refine and validate the framework.
- Developing a Cyber Security Awareness Game: A researcher might design an interactive game to educate users about cyber threats and prevention methods. The game's effectiveness could be evaluated through user testing and feedback, with findings potentially informing cyber security awareness training programmes.
- Creating a Simulated Phishing Attack Platform: A researcher could develop a platform that allows organizations to simulate phishing attacks on their employees. This platform could be used to assess vulnerabilities, provide training, and improve organizational resilience to phishing attacks.
Reporting Practice-Based Research
Reporting practice-based research often involves a combination of text and creative outputs. A written thesis provides context, explains the research process, and analyzes the findings. However, the creative outputs themselves are crucial for a complete understanding of the research. The thesis might include descriptions of how to interpret the creative outputs, highlighting their significance and contribution to knowledge.
Key Considerations for Beginners
- Clearly Define Your Research Question: Start with a well-defined research question that can be explored through creative practice.
- Embrace the Iterative Process: Be prepared for the research to unfold in unexpected ways, leading to new questions and directions.
- Document Your Journey Thoroughly: Keep detailed records of your thoughts, decisions, and the evolution of your creative outputs.
- Seek Feedback and Validation: Engage with practitioners and experts in your field to get feedback on your work and its practical implications.
- Reflect on Ethical Implications: Carefully consider the potential impact of your research and take steps to mitigate any potential harms.
Practice-based research offers a powerful approach to investigating complex issues and generating new knowledge that is grounded in real-world experience. By embracing the principles and tools of practice-based research, beginners can embark on a journey of discovery and make meaningful contributions to their field.
Enjoy the journey!