Information Security Journals

The good, the bad, and the ugly



Below, I've listed a bunch of security-related academic journals. Each journal appears in one of the following categories:

The ratings here are my own personal opinion. I've published in a fair number of these journals and I've reviewed articles for many more. Just because I've published in (or reviewed for) a journal doesn't necessarily mean it gets a high rating. For example, I've published in one of the journals in the bad category, and in one of the ugly journals too (I've got an excuse for that one). On the other hand, I've never published in several of the good journals. So, I'd like to think that I'm being at least moderately objective.

Of course, any rating system is going to depend somewhat on personal preferences, so here are mine. I'm definitely biased against overly theoretical articles, at least in the security domain. I'm a mathematician by training, so I can appreciate the value of a good theorem. However, it seems to me that more often than not, theoretical results in security serve primarily to obfuscate essentially simple ideas, rather than to enlighten. Maybe someday I'll get smarter and realize that I'm wrong about this.

The main reason I put together this list is because I've recently seen a lot of "open access" security journals that charge authors a fee for the privilege of publishing an article. In some cases, such journals don't make it very clear that the author has to pay a fee. If nothing else, this list should make it easier to avoid pay-for-publication journals, if that's your desire (as it is mine).

The purpose of open access is to make publications freely available online. This sounds like a noble idea, since everyone knows that free stuff is always better. However, charging authors a fee to publish is, IMHO, utterly indefensible. I can think of at least three serious problems with such an approach. First, to create any respectable article, an author has to do a lot of work, usually for little or no financial reward. Charging an author money to publish is like charging a medical doctor a fee for the right to treat a patient (I hope I didn't just give Obama any ideas…).

Second, charging a fee for publication creates a perverse incentive for a journal. Traditional paper journals bear a cost for each article published and, to survive, they need paid subscribers. Consequently, such journals have a financial incentive to accept only the highest quality papers that they can attract. In contrast, open access journals have a financial incentive to accept as many articles as they can cram into their journal, regardless of quality. Many open access journals are available only in electronic form, which makes this perverse incentive far more perverse.

Third, to my mind, open access looks a whole lot like vanity publishing. It seems to me that any time an author has to pay to get an article published, that article should be highly suspect.

Fourth (this is a bonus gripe), in my view, even journals that offer open access as an option—as opposed to requiring payment for such—have a potential conflict of interest. It's not hard to figure who is going to pay the fees (i.e., well-funded research organizations) and who is not (e.g., researchers at poverty-stricken state universities). Editors have a lot of leeway in deciding what gets published and what doesn't. It would be quite easy for an editor to make sure that the well-funded are favored over the under-funded, without leaving any obvious evidence of bias.

Anyways, without further ado, here's my list of security journals, with a brief comment on each. Note that within each category, the journals are listed in no particular order. Also, I don't claim that this list is anywhere near exhaustive. If you know of a missing security journal that could be included, or if you find errors, please let me know.




Brought to you by Mark Stamp and the number 85
email: stamp@cs.sjsu.edu
Last Modified: February 21, 2017.