Where is European computer security research?

12 October 2008

There is something very broken with computer security research in Europe. While EU funding is pouring in for many years through successive FPs, it seems that European research groups and institutions are systematically underrepresented in terms of Program Committee participation to the top-tier conferences. (Individual researchers of European origin, based abroad, are actually doing quite fine.)

The following graph illustrates the fraction of European researchers in some top-tier computer security conferences over the past decade. Core security conferences are chosen, namely IEEE S&P, ACM CCS, ISOC NDSS and USENIX SEC, as compared with more crypto conferences like CRYPTO, or EUROCRYPT (where European research seems to be quite competitive.) As we can see on average this fraction is less than 20%, with some venues like USENIX SEC and NDSS often figuring next to no European researcher on their PC.

Fraction of European PC members in security conferences

Fraction of European PC members in security conferences

Even this graph says only half the story. Within Europe there is a tremendous variability in PC membership of these conferences, with few individual researchers from specific groups being invited repeatedly. One example is illustrative: the IEEE S&P committee for 2009 is composed of 48 members; 8 of them from Europe; 4 of them from Cambridge; 3 of them from Microsoft Research, Cambridge (a US company, by the way.)

What is going on? Systematic bias in the chair’s selection (unlikely), or a structural problem in the European security research field (much more likely)?


3 Responses to “Where is European computer security research?”

  1. Matthijs said

    Some suggestions:
    – (my best guess) Pretty much *all* listed conferences were organized in the USA. Perhaps there are pragmatic reasons to have a conference chaired by locals? I wonder if a similar analysis for big European-based (!) scientific conferences (perhaps in another field) would indicate the US to be underrepresented there. (To be precise about the conferences you analyzed: NDSS has *always* been at San Diego, IEEE S&P has *always* been at Oakland and all *listed* occurrences of ACM CCS have been in the USA. Only USENIX SEC 2006 and 2009 have been -somewhat- outside the USA: Canada đŸ™‚ )
    – Perhaps there is too much dispersion of security research across Europe, resulting in too much groups with a lack of clear focus and momentum, not fostering interest to organize conferences?
    – Perhaps the US does a better job in facilitating and supporting big scientific conferences?
    – Perhaps Europeans lack incentive, experience, training, impetus and/or self-confidence to chair big conferences?
    – Perhaps Europeans prefer smaller conferences?
    – Perhaps Europeans are lazy? (search Google for “Why Do Americans Work So Much More Than Europeans” (article from US Federal Reserve) “We’re not going on a summer holiday” (The Guardian) – I’m European, btw);
    – Or perhaps still, a coincidental course of history?


  2. Lexi said

    Maybe this is just the US view of what a $top-tier conference is ;-P

    While I agree that there are $good and $bad conferences, my personal feeling is that often these listings of $top conferences are rather subjective. Hence, could it be that the definition of “top” for conferences used for this list was defined by some US guy?

  3. helger said

    Btw, there is another thing – how many of the cited conferences are organized in Europe? (You forgot to mention ESORICS, for example. But it’s probably not top-tier then?)

    But you are correct. In crypto it is much more even, even so that Eurocrypt is has currently higher quality (imho) than Crypto. As you know well, there’s a huge crypto community in France, and many a bit smaller communities in countries like Switzerland, Belgium, UK, Denmark, Netherlands, …, etc.

    A similar situation to what you describe is also in some other areas. For example, in TCS all top conferences are organized in the US and also most of the relevant research is done there (or in Israel).

    I think there’s a pretty big correlation between where the conferences are organized and how popular this area is in which region. I think FOCS/STOC-like TCS has never tried to outreach Europe, and thus will to the large part remain remain a US-made research. OTOH, European TCS is more about logic, semantics, etc, and there are plenty of such conferences in Europe. Guess the same is true about security.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: