It is widely believed that different IRBs apply different standards
when deciding whether or not to approve computer security
research. This is likely a result of IRBs having different levels
of experience with this kind of research.
We suggest several approaches that security researchers can
take to improve the situation with their IRBs:
- Researchers should be intimately familiar with
both the Common Rule and whatever local regulations their home
institutions may have adopted.
- Researchers must learn how to make clear and cogent arguments
that their research should be approved under the "expedited review
procedures" on the grounds that there is "minimal risk" to the
experimental subjects.
- IRBs have the authority to waive informed consent requirements
(§46.116(c,d)). Researchers should become familiar with this
option and request it where appropriate.
- Researchers should be familiar with protocols that have been
approved by other IRBs. The research community would
also benefit from having an open repository of approved
protocols.
- Security researchers should volunteer to serve on their
organization's IRBs. Bringing security expertise to the IRBs in this
manner will help educate other IRB members and ease the way for
other security research involving human subjects. (We have heard
stories of IRBs that have blocked membership of computer scientists
on the grounds that they were not biomedical researchers and the
position on the IRB reserved for a non-scientist was already
taken. Such positions are a misreading of the Common Rule, which
specifies minimums but not maximums of IRB membership (§46.107).)
Simson L. Garfinkel
2008-03-21