ERMSEI 2024 - Empirical Research Methods in Software Engineering and Informatics: Cybersecurity edition - May 13-17, 2024

Traditionally, Software Engineering and Informatics have been strongly influenced by Mathematics. Empirical Research has always been around, too, but has gained traction only in the past 20 years. Today, empirical research represents a major approach that is highly visible in most important conferences and journals in the field. Many reviewers will demand empirical evidence when reviewing papers making statements about the real world that are falsifiable, i.e., may be tested empirically. Yet, in education, empirical research methods are still underrepresented.

In an attempt to further knowledge of empirical research methods and encourage their use in academia and practice, ERMSEI was created back in 2013. Since then, the course has been run (almost) annually in different places to great acclaim. In this year’s instance of the ERMSEI, we focus on cybersecurity research and how it can be strengthened by including empirical research methods. This focused approach highlights the growing significance of empirical techniques in unravelling and tackling the intricate and dynamic issues that cybersecurity presents.

Content & Outcome

We will cover controlled experiments, selected qualitative methods, and overall study design as far as the practical exercises are concerned. We explicitly encourage participants to bring along their own empirical research projects to work in the setting of this course. Time permitting, we will discuss these projects also in plenary sessions.

Course Content

The course introduces you to empirical research methods in a very practical, hands-on way. There will be introductory lectures on techniques followed by group work on exercises, for instance:

  • analyze the study design in a given article with a view to finding shortcomings and threats to validity and how they impact the claims put forward;
  • design a study yourself for a given case study in a small group, and present the study design in a plenary discussion;
  • develop a viable research question and discuss alternative approaches to providing evidence to inform it.

Expected Outcome

This course is but a first step on a long journey. It aims to provide students with an overview and concrete starting point, possibly removing any inhibitions or hesitation that might be there. We aspire to equip participants with some skills and first practical exercises in conducting methodologically sound research. After attending this course, participants:

  • are capable of choosing an appropriate research paradigm for a given problem;
  • will be aware of the potential and limitations of empirical research methods; and
  • can assess the quality of the empirical research reported in an article, such as for a review.

Intended Audience

The course is intended for people that have little or no background in empirical research methods but are open to the concept and are about to embark on a research project where these methods may come in handy. So, the ideal participant would be someone who has just started or is about to start their PhD in Cybersecurity / Information Security / Computer Science / Software Engineering. More senior researchers are welcome, too, of course.

Tentative Program

This course will be hosted at the Software Ecosystem Security lab at Utrecht University (Minnaert Building, Leuvenlaan 4, 3584 CE Utrecht). The course will be from May 13, 2024, to May 17, 2024.







Morning 09:30-13:00

  • Introduction
  • Controlled Experiments
  • Observations and Measurements
  • Physiological Measurements

Field Work

  • Qualitative Methods:
  • Interviews


  • Secondary Research
  • Structured Literature Reviews
  • Mapping Studies
  • Research Design
  • Philosophical Perspective
  • Theory

Afternoon 14:00-18:30

  • Statistical Techniques
  • Threats to Validity
  • Surveys
  • Practical exercise
  • Observational Techniques
  • Grounded Theory
  • Ethnography
  • Tertiary Studies
  • Ethics
  • Practical exercise



Upon completing the Spring School, participants will receive a Certificate of Participation, which includes a workload equivalent of up to 2 ECTS. Students can request recognition of these ECTS from their research schools. Therefore, the final decision on awarding credits lies with their research schools.


This event is sponsored by the Dutch ACademic Cyber Security Society (ACCSS).

Deadlines and Fee

Participation Fee: 250 euros (incl. lunches, coffee, snacks, one social event, and materials for the whole week).

Equal access: To ensure our PhD school is accessible to all, we have a limited amount of scholarships to cover the fee available thanks to support from ACCSS ( If interested, please indicate this on your pre-registration form, and we provide you with the instructions on how to submit your fee waiver request with the required documentation.

The number of participants is limited to max. 25 persons. To apply, please fill in the information in pre-registration by March 31, 2024. You will be informed about the results and further steps in the registration process by the end of March 2024.


Please register for participation via this form. Upon completing the registration form, you will receive the payment link. 

Cancellation & Refunds

We will no longer be able to offer you a refund if you let us know about your cancellation within 14 days before the start of the course.

You are allowed to cancel your participation with a full refund up until 14 days after your payment has been registered by the Utrecht University Sales Services. This cancellation period is no longer applicable if your payment is processed within 14 days of the start of the course.


The school fee does not cover accommodation. The participants need to find accommodation themselves.

The campus is well-connected to the centre of Utrecht and the surrounding towns (e.g., Zeist, Houten, Nieuwegein, Ijsselstein, Bilthoven). The best websites to do this are,, and similar services.

To check the transport connections from the potential accommodation to the school location (Minnaert Building Leuvenlaan 4, 3584 CE Utrecht), we suggest using Google Maps ( It works very well for public transport in the Netherlands.


The Netherlands is a Schengen Area country. Depending on your nationality and the length of your stay you may need a visa to enter the Netherlands. Please check out the website of the Dutch Ministry of Foreign Affairs for more information: Netherlands

It is your own responsibility to apply for a visa. The ERMSEI school team and Utrecht University cannot offer any assistance in getting the visa.

About the Instructors

Harald Störrle

Harald Störrle received a Dipl.-Inform. and a Dr.rer.nat. from the Universities of Hamburg (1997) and Munich (2000), respectively. From 2001 to 2009, he worked as a software architect and methodology consultant in industry, sidelining as an adjunct lecturer at the University of Munich. Starting in 2006, he held lecturer positions at the Universities of Innsbruck and Munich, and as an Associate Professor of Software Engineering at the Technical University of Denmark (DTU) in Lyngby near Copenhagen. Since 2017, he has worked as a principal consultant with QAware in Munich, fulfilling the Product Owner role. His last project focused was the AI-powered digital speech assistant platform for Deutsche Telekom.

In his research activities, Harald applies empirical research methods to problems in modelling, requirements, and software processes. He advocates Evidence-Based Software Engineering, favouring methodological openness and diversity. He is a Senior Member of the ACM, elected member of the ACM Europe Council, former vice chairperson of the German Chapter of the ACM, and was appointed to several ACM boards and committees, including the ACM practitioner board and the Digital Library Board.

Kate Labunets

Dr. Kate (Katsiaryna) Labunets is an Assistant Professor within the Software Ecosystems Security group at Utrecht University in the Netherlands. Her prior academic endeavours include a postdoc focused on cybersecurity at TU Delft, contributing significantly to the VSNU Digital Society and the H2020 CYBECO projects. Dr. Labunets earned her PhD in Information and Communication Technology from the University of Trento in Italy, following a Master's degree in Mathematics from Belarusian State University in Minsk, Belarus.

As a researcher, she is passionate about using empirical methods to solve problems in the intersection of human behaviour, technological and organisational security, offering valuable insights into developing more effective cyber risk management strategies. During her PhD, Kate studied the effectiveness of existing security methods and whether current security methods are worthy of being adopted. The main goal behind these studies was to help practitioners save time and money in selecting the most appropriate security method among dozens of existing approaches.

Research interests: security behaviour, human aspects, cyber risk management, and empirical methods.