Working with the IRB

It is widely believed that different IRBs apply different standards when deciding whether or not to approve computer security research. This is likely a result of IRBs having different levels of experience with this kind of research.

We suggest several approaches that security researchers can take to improve the situation with their IRBs:

-1ex

• Researchers should be intimately familiar with both the Common Rule and whatever local regulations their home institutions may have adopted.
• Researchers must learn how to make clear and cogent arguments that their research should be approved under the ``expedited review procedures'' on the grounds that there is ``minimal risk'' to the experimental subjects.
• IRBs have the authority to waive informed consent requirements (§46.116(c,d)). Researchers should become familiar with this option and request it where appropriate.
• Researchers should be familiar with protocols that have been approved by other IRBs. The research community would also benefit from having an open repository of approved protocols.
• Security researchers should volunteer to serve on their organization's IRBs. Bringing security expertise to the IRBs in this manner will help educate other IRB members and ease the way for other security research involving human subjects. (We have heard stories of IRBs that have blocked membership of computer scientists on the grounds that they were not biomedical researchers and the position on the IRB reserved for a non-scientist was already taken. Such positions are a misreading of the Common Rule, which specifies minimums but not maximums of IRB membership(§46.107)).