Abstract. The success and scale of the modern tech industry wouldn't be possible if computers didn't (mostly) operate securely and reliably. Computer Security deserves considerable credit for this success: in spite of the enormous energy and ingenuity of attackers, the carelessness of users, and a never-ending stream of bugs and zero-days, things mostly work out.
And yet, it's hard not to wonder whether we might do better. Not only do we lack the structure of the hard Sciences, but also that of many of the softer ones. We seem to revisit certain questions over and over without decision or progress. Security looks like a mess even compared to other CS disciplines such as Machine Learning. We argue that this is not inevitable, and has nothing to do with the newness of the field or with factors unique to security. While we are unlikely to end up with anything resembling Physics, we argue that improvement is possible; there are well-established practices from other disciplines that we can adopt to make the field less unscientific. Doing so involves exiting some comfort zones, recognizing that Science offers no path to certainty, and letting go of the idea that security is somehow exceptional or exempted from rules that apply everywhere else.
Bio. Cormac Herley is at Microsoft Research. His main current interests are statistics, and machine learning for combatting fraud and abuse. He has published widely in the areas of authentication, Usable Security, ML for security, the Economics of Computer Security, and Philosophy of Security. He is inventor of 70 or so US patents and regularly ships technologies protecting hundreds of millions of users. His recommendations on passwords (e.g., no composition rules or forced 90-day rotation) were adopted by NIST and much of the industry. He received the PhD degree from Columbia University, the MSEE from Georgia Tech, and the BE(Elect) from the National University of Ireland.
Simon Koch (University of Innsbruck), Jannik Hartung (Technische Universität Braunschweig), Rainer Böhme (University of Innsbruck), David Klein (Max Planck Institute for Security and Privacy)
Nele Borgert (University of Bern), Tim Ulmann (University of Bern), Robin Merchel (Ruhr University Bochum)
Rachel Gonzalez Rodriguez (Paderborn University), Harshini Sri Ramulu (Paderborn University), Yasemin Acar (Paderborn University & George Washington University)
Tiago Heinrich (Max Planck Institute for Informatics), Sebastian Giessler (Universität Tübingen), David Klein (Max Planck Institute for Security and Privacy), Alexandra Dirksen (University of Twente)
Madhav Khanal (Rollins College), Jasser Jasser (Rollins College), Mina Basirat (University of Central Florida)
Jelena Mirkovic (USC-ISI), David Balenson (USC-ISI)
Gianluca Stringhini (Boston University), Jeremy Blackburn (Binghamton University)
Henry Hosseini (Institute for Internet Security, Westphalian University of Applied Sciences; Department of Information Systems, University of Münster), Christian Böttger (Institute for Internet Security, Westphalian University of Applied Sciences), Nurullah Demir (Stanford University), Tobias Urban (Institute for Internet Security, Westphalian University of Applied Sciences)
Ruta Binkyte (CISPA Helmholtz Center for Information Security), Sharif Abuadbba (Data61, CSIRO), Chamikara Mahawaga Arachchige (Data61, CSIRO), Ming Ding (Data61, CSIRO), Natasha Fernandes (Macquarie University), Mario Fritz (CISPA Helmholtz Center for Information Security)
Juliane Schmüser (CISPA Helmholtz Center for Information Security), Jan-Ulrich Holtgrave (CISPA Helmholtz Center for Information Security), Florian Schaub (University of Michigan), Sascha Fahl (CISPA Helmholtz Center for Information Security)
Mohammad Einaam Alim (University of Alabama in Huntsville), Tommy Morris (University of Alabama in Huntsville)
Marton Bognar (DistriNet, KU Leuven), Lieven Desmet (DistriNet, KU Leuven), Frank Piessens (DistriNet, KU Leuven)
Nele Borgert (University of Bern), Luisa Jansen (University of Bern), Lukas Jung (University of Bern), Theresa Halbritter (University of Bern), Malte Elson (University of Bern)