Showing posts with label Software Engineering. Show all posts

Wednesday, May 21, 2008

Experiments on Self

Empirical studies have become fashionable in software engineering, and this makes sense. In the software engineering discipline, most of the time, we do not develop an algorithm or a new solution for a problem. We are looking for ways to facilitate solution development, and those “ways” need to be somehow evaluated; that’s where empirical studies play a significant role.

In these kinds of studies, to my knowledge, a researcher or group of researchers performs some experiments in a controlled environment to study phenomena. Sometimes, the researchers go to the real world to observe the real software developers, interview them, and survey them to find out how they think, how they develop a system, how they manage development progress, and blah blah.

But, as far as I have seen, no one has ever dared to study things on him or herself. Seems reasonable: if I am a researcher, I have developed a notation, and then I use it and announce it was useful, who is going to believe it? And that’s reasonable: if I am a desperate PhD student, so greedy to publish positive results, I am so biased that I may feel the notation is working very well for me!

So, based on many ethical issues and biases, self-experiments are not used in software engineering empirical studies at all. But experimenting on oneself is not such a huge mistake in other disciplines, and in history we see a lot of examples where biologists tested a vaccine on themselves. A very interesting example is the story of discovering that a bacterium causes stomach ulcers, not stress or spicy food. Everyone disagreed with Dr. Warren and Dr. Marshall’s (Nobel Prize winners in 2005 for this discovery) theory because they didn’t believe bacteria could survive in acid. So, Dr. Marshall drank a Petri dish filled with Helicobacter pylori and developed gastritis, which was soon resolved with antibiotics.

So I started wondering how we can have a self-experiment in empirical studies in software engineering. How can I report studying a development method which I followed myself and whose advantages and disadvantages I discovered, and how can I overcome the biases? Such a study is valuable since by observing and interviewing a practitioner who employs a method, the researcher may not capture the exact insights into that “method” under study.

On the other hand, a self experiment, even if it is unbiased and more informative, is limited to one report. It is a (sad) true fact that the best person for describing a routine method is not the person who performs it. Finally, individual differences make a self study less applicable.

That’s why I continue observing instead of drinking a Petri dish filled with Helicobacter pylori.

Thursday, February 28, 2008

To start

I wish to be a scientist. Though, due to the nature of the things I am working on, I will never be eligible to win a Nobel Prize, I still want to be a scientist. The ironic point is that my field of study, Software Engineering, seems to be useful to a very limited group of people in the world: software companies, programmers, and software developers. I won’t cure any disease, I won’t discover a new planet in the corner of the universe, and I won’t even build a new machine or technology.

So, as my little tiny PhD studies move on, I am discovering that there is no revolution left. I sometimes feel I am sitting on a sofa, or at most behind a monitor, and I am making theories about how software systems, especially the secure ones, are being developed, and why they fail, and what we should or should not do to prevent the failure.

I am not a security expert, but I am interested in developing secure software systems. Even more generally, I am interested in general system security, and in the particular case of Software Engineering, which is the area I am doing a PhD in, I am interested in security requirements, attack modeling, vulnerability analysis, countermeasure analysis, and trade-offs among security and other goals such as privacy and usability.

I have crazy ideas to start a revolution in secure software engineering, and I have little tiny ideas to move the discipline an epsilon ahead. This blog is where I am going to talk about them, since my PhD thesis does not have enough space for all that crap.