Information Security Journals

The good, the bad, and the ugly



Below, I've listed a bunch of security-related academic journals. Each journal appears in one of the following categories:

The ratings here are my own personal opinion. I've published in a fair number of these journals and I've reviewed articles for many more. Just because I've published in (or reviewed for) a journal, doesn't necessarily mean it gets a high rating. For example, I've published in one of the journals in the bad category, and in one of the ugly journals too (I've got a good excuse for that one). On the other hand, I've never published in several of the good journals. So, I'd like to think that I'm being at least moderately objective.

Of course, any rating system is going to depend somewhat on personal preferences, so here's mine. I'm definitely biased against overly theoretical articles, at least in the security domain. I'm a mathematician by training, so I can appreciate the value of a good theorem. However, it seems to me that more often than not, theoretical results in security serve primarily to obfuscate essentially simple ideas, rather than to enlighten. Maybe someday I'll be smarter and realize that I'm wrong about this.

The main reason I put together this list is because I've recently seen a flood of "open access" security journals that charge authors a fee for the privilege of publishing an article. In some cases, such journals don't make it very clear that the author has to pay a fee. If nothing else, this list should make it easier to avoid pay-for-publication journals, if that's your desire (as it is mine).

The purpose of open access is to make publications freely available online. This sounds like a noble idea, since everyone knows that free stuff is always better. However, charging authors a fee to publish is, IMHO, utterly indefensible. I can think of at least three serious problems with such an approach. First, to create any respectable article, an author has to do a lot of work, usually for little or no financial reward. Charging an author money to publish is roughly equivalent to charging a medical doctor a fee to treat a patient.

Second, charging a fee for publication creates a perverse incentive for a journal. Traditional paper journals bear a cost for each article published and, to survive, they need paid subscribers. Consequently, such journals have a financial incentive to accept only the highest quality papers that they can attract. In contrast, open access journals have a financial incentive to accept as many articles as they can cram into their journal, regardless of quality. Many open access journals are available only in electronic form, which makes this perverse incentive semi-infinitely more perverse.

Third, to my mind, open access looks a whole lot like vanity publishing. It seems to me that any time an author is required to pay to get an article published, that article should be highly suspect.

Fourth (this is a bonus gripe), in my view, even journals that offer open access as an option—as opposed to requiring payment—have a potential conflict of interest. It's not hard to tell in advance which authors are likely to pay the fees (i.e., those from well-funded research organizations) and which are not (e.g., researchers at poverty-stricken state universities, such as mine). Editors have a lot of leeway in deciding what gets published and what doesn't. It would be quite easy for an editor to make sure that the well-funded are favored over the under-funded (and non-funded), without leaving any obvious evidence of bias.

Anyways, without further ado, here's my list of security journals, with a brief comment on each. Note that within each category, the journals are listed in no particular order. Also, I'm sure that this list is not anywhere near exhaustive, as I constantly receive spam from flaky "open access" journals. If you know of a missing security-related journal that you believe should be included, or if you find errors, please let me know.




Brought to you by Mark Stamp and the number 85
email: mark.stamp@sjsu.edu
Last Modified: December 26, 2019.