
On May 27, 2011, at 10:24 22AM, Michael Holstein wrote:
I am a student at UCLA Anderson School of Management and my MBA field study team is working on research that involves conducting a survey of CIOs, IT Managers/Administrators, IT Engineers to understand challenges in managing IT infrastructure.
Could you please help by filling out this really short survey?
A more cynical view would be as an MBA student, you're researching cheaper ways to recruit contact information and current projects. A kindle is $139 .. that's pretty cheap for a list of people/projects considering what that lead information is worth to vendors of the "solutions" to the challenges you ask about.
I know nothing of this student, the school, or the study. I will say -- as an academic who frequently does research involving human subjects, generally including surveys -- that this is a very normal way to proceed. Finding enough subjects is always hard; it's the single biggest obstacle we encounter. Paying people is the usual approach, but for a group like this, the usual nominal amount we pay undergrads ($10-25) isn't enough. Other common approaches -- flyers all over campus, offers on Mechanical Turk, ads on Facebook or Google Adwords, etc. -- won't work if you're trying to get people with specialized knowledge or skills. What's left?

I might add that by federal law, all government-funded research involving human subjects has to be approved by an "IRB" -- an Institutional Review Board -- and many universities (including my own) impose that requirement on all research, even if no federal funds are involved. While it's certainly not rare to do studies that involve (initial) deceit of the subjects (you want them reacting normally, rather than giving the answers they think you want), the IRB has to see the full protocol and experiment design.

You may be right, of course; I can't say. I haven't contacted the student's professor nor have I asked to see the IRB protocol. Given that any legitimate study of this type would be conducted along the lines explained in the original post, I'd say that the burden of proof is on you. (Of course, as a security guy I know full well that that notion of "normal behavior" is the best way to hide an attack.)

References:
http://www.usenix.org/events/upsec08/tech/full_papers/garfinkel/garfinkel.pd...
https://www.cs.columbia.edu/~smb/papers/wecsr2011-irb.pdf

--Steve Bellovin, https://www.cs.columbia.edu/~smb