Information Security Journals
The good, the bad, and the ugly
Below, I've listed a bunch of security-related academic journals.
Each journal appears in one of the following categories:
- The good — These are the journals that stand out in my mind
as having consistently high quality articles and, as far as I am aware,
a reasonably sensible review process.
- The OK — In my view, articles in these journals are
significantly more uneven in quality than those among The good
journals, but still generally not bad.
- The bad — These are pretty bad.
- The not sure — For these journals, I just can't tell.
- The ugly — These are "open access" journals that
require a fee for publication. Below, I discuss why I consider
such journals to be totally bogus.
The ratings here are my own personal opinion. I've published in a fair number
of these journal and I've reviewed articles for many more. Just because I've
published in (or reviewed for) a journal, doesn't necessarily mean it gets a high
rating. For example, I've published in one of the journals in the bad
category, and in one of the ugly journals too (I've got a good excuse for
that one). On the other hand, I've never published in several of the
good journals. So, I'd like to think that I'm being at least
moderately objective.
Of course, any rating system is going to depend somewhat on personal preferences,
so here's mine. I'm definitely biased against overly theoretical articles, at least
in the security domain. I'm a mathematician by training, so I can appreciate the value
of a good theorem. However, it seems to me that more often than not, theoretical results
in security serve primarily to obfuscate essentially simple ideas, rather than to enlighten.
Maybe someday I'll be smarter and realize that I'm wrong about this.
The main reason I put together this list is because I've recently seen a flood
of "open access" security journals that charge authors a fee for the privilege of
publishing an article. In some cases, such journals don't make it very clear that
the author has to pay a fee. If nothing else, this list should make it easier to avoid
pay-for-publication journals, if that's your desire (as it is mine).
The purpose of open access is to make publications freely available online. This sounds
like a noble idea, since everyone knows that free stuff is always better. However, charging
authors a fee to publish is, IMHO, utterly indefensible. I can think of at least three serious
problems with such an approach. First, to create any respectable article, an author has to do
a lot of work, usually for little or no financial reward. Charging an author money to publish
is roughly equivalent to charging a medical doctor a fee to treat a patient.
Second, charging a fee for publication creates a perverse incentive for a journal.
Traditional paper journals bear a cost for each article published and, to survive,
they need paid subscribers. Consequently, such journals have a financial incentive
to accept only the highest quality papers that they can attract. In contrast,
open access journals have a financial incentive to accept as many articles as they
can cram into their journal, regardless of quality. Many open access journals are
available only in electronic form, which makes this perverse incentive semi-infinitely
more perverse.
Third, to my mind, open access looks a whole lot like vanity publishing. It seems to me
that any time an author is required to pay to get an article published, that article should
be highly suspect.
Fourth (this is a bonus gripe), in my view,
even journals that offer open access as an
option—as opposed to requiring payment—have
a potential conflict of interest. It's not hard to
tell in advance which authors are likely to pay the fees (i.e., those from well-funded
research organizations) and which are not (e.g., researchers at poverty-stricken
state universities, such as mine). Editors have a lot
of leeway in deciding what gets published and what doesn't. It would
be quite easy for an editor to make sure that the well-funded are favored
over the under-funded (and non-funded), without leaving any obvious evidence of bias.
Anyways, without further adieu, here's my list of security journals, with a brief
comment on each. Note that within each category, the journals are listed in no particular
order. Also, I'm sure that this list is not anywhere near exhaustive, as I constantly
receive spam from flakey "open access" journals. If you know of missing
security-related journal that you believe should be included, or if you find errors,
please let me know.
- The good
- Computers & Security
- Abbreviation: COSE
- Imprint: Elsevier
- Comment: I've reviewed a lot of articles for this journal and even published in
it a few times. This one has a fairly annoying review process—both from the
perspective of reviewer and reviewee. I've seen many cases where their reviewers
obviously didn't bother to read the article they're supposedly reviewing. They also
seem to take their time in making a decision. And you're unlikely to get the same reviewers
for your revised article, which can result in another long iteration, just to
resolve some trivialities. But, the bottom line is that they do have a high standard
and generally only publish quality articles.
- Information
and Computer Security
- Abbreviation: ICS
- Imprint: Emerald
- Comment: This journal used to be known as
Information Management & Computer Security, and it still seems to have more
emphasis on the "management" aspects than most. Nevertheless, the articles
usually have some technical depth.
- Cryptologia
- Abbreviation: none
- Imprint: Taylor & Francis
- Comment: The emphasis is on historical ciphers. Generally, articles in this journal
are great fun to read and they almost always provide a nice introduction to a cryptographic
and/or historical topic.
- Journal of Cryptology
- Abbreviation: JOC
- Imprint: Springer
- Comment: The ultimate modern cryptography journal, but definitely not for the faint of heart.
- Journal of Cryptographic Engineering
- Abbreviation: JCEN
- Imprint: Springer
- Comment: A relatively new journal that looks to have some interesting articles.
- IEEE Transactions on Dependable and Secure Computing
- Abbreviation: TDSC
- Imprint: IEEE
- Comment: Contains a wide variety of articles, and most appear to be interesting and
relevant. I definitely need to read this one more often.
- IEEE Transactions on Information Forensics and Security
- Abbreviation: TIFS
- Imprint: IEEE
- Comment: In spite of the name, this journal has articles in many areas of security,
with only a slight emphasis on forensics. I'm not convinced the articles are consistently
that impressive, but hey, it's an IEEE transaction, so it's got to be prestigious, right?
- ACM Transactions on Information and System Security
- Abbreviation: TISSEC
- Imprint: ACM
- Comment: Covers a lot of different topics, usually from a rather theoretical point of view.
- Software: Practice and Experience
- Abbreviation: SPE
- Imprint: Wiley
- Comment: This is not a security journal, per se, but they do
publish a fair number of articles that are security-related.
I've reviewed a small number of articles for this one, and
those articles have all been first-rate. Perhaps the "strong law
of small numbers" is at work here, but I certainly have a good
impression of SPE.
- Journal of Computer Virology
and Hacking Techniques (formerly Journal in Computer Virology, thus "JICV")
- Abbreviation: JICV
- Imprint: Springer
- Comment: This is the only journal that I know of that is focused primarily on malware.
Articles here tend to generally be of a reasonable quality with a mix of theory and application.
I don't see much here that I'd consider "hacking techniques", but it's notoriously
difficult to present those kinds of topics as academic research. I find this journal to be
at the borderline between "good" and "OK", and I've had it on both sides of the fence at
various times. I find the review process to typically be fairly speedy, which is a big plus
and is enough to keep it on the "good" list for now.
- The OK
- Information Security Journal: A Global Perspective
- Abbreviation: ISJ
- Imprint: Taylor & Francis
- Comment: Articles here seem to be of reasonably consistent quality, and they cover a
wide range of interesting and relevant topics. The biggest down side is that their review
process seems to take forever.
- IET Information Security
- Abbreviation: IETIS
- Imprint: IET
- Comment: The editorial board is focused on cryptography. Not surprisingly,
recent articles tend to be heavy on cryptography, or similar.
- International Journal of Information Security
- Abbreviation: IJIS
- Imprint: Springer
- Comment: Top-heavy with theory.
- Journal of Information Assurance and Security
- Abbreviation: JIAS
- Imprint: Dynamic Publishers, Inc.
- Comment: Looks like an interesting mix of articles. However, in general,
I'd suggest a lot of skepticism when it comes to cryptography articles published
in general-interest security journals, and this journal has several recent
cryptography-related articles. So, reader beware.
- Journal of Computer Security
- Abbreviation: JCS
- Imprint: IOS Press
- Comment: From my perspective, this looks to be way too theoretical.
But that's the way some people like their security.
- International
Journal of Security and Networks
- Abbreviation: IJSN
- Imprint: Inderscience Publishers
- Comment: Seems to be a pretty solid journal, especially for one without a big-name
publisher behind it.
- International Journal of
Electronic Security and Digital Forensics
- Abbreviation: IJESDF
- Imprint: Inderscience Publishers
- Comment: Another respectable security journal from Inderscience.
- International
Journal of Information Privacy, Security and Integrity
- Abbreviation: IJIPSI
- Imprint: Inderscience Publishers
- Comment: Fairly new and looks to be OK.
- The bad
- International Journal of
Computer Network and Information Security
- Abbreviation: IJCNIS
- Imprint: MECS Publisher
- Comment: There's no publication charge, which is the only good thing
I can say about it. There is not much of a review process, and it shows
in many of the articles. Also, they require Microsoft Word documents
for submission—how Mickey Mouse is that?
- International Journal of Information Security and Privacy
- Abbreviation: IJISP
- Imprint: IGI Global
- Comment: This one seems to have an excess of fluff articles.
- Security and
Communication Networks
- Abbreviation: SCN
- Imprint: Wiley
- Comment: I really wanted to like this one, but there are several inexcusable problems.
Strike 1 — Reviews take absolutely forever. You'll be lucky to hear
anything from them within a year, and even that will require constantly pestering the
editor. This is particularly odd given that their
"editorial board" includes more people than the New York City
telephone directory.
Strike 2 — Recent issues contain a plethora of questionable crypto-related
articles. While I like cryptography, it's a field where you simply cannot fake it.
Strike 3 — Obvious grammatical errors abound.
That's three strikes, and you're out! And, as a bonus
strike, this journal is "now fully open access".
- The not sure
- Journal
of Information Security and Applications
- Abbreviation: JISA
- Imprint: Elsevier
- Comment: In my only experience with this journal, I submitted a paper
and it took almost 3 months before any reviewers were assigned, while all attempts
to communication with the responsible editorial board member went unanswered.
We decided to submit the paper elsewhere rather than wait on their interminable
review process. If you prefer your journals
to be slower than molasses in January, then this one may be for you.
- Journal of Network and Information Security
- Abbreviation: JNIS
- Imprint: Publishing India
- Comment: The first issue was published in late 2013 and to date,
the results are not impressive. This journal seems to be
stuck in a time warp (the 1980s, to be precise) since
it only accepts submissions
in "OpenOffice, Microsoft Word, RTF, or WordPerfect document file format".
Also, based on the website, English grammar is not a strong suit.
On the upside, at least they do not charge a publication fee.
- Journal of Information System Security
- Abbreviation: JISSec
- Imprint: None
- Comment: A quick look at recent articles reveals a lot of
policy-related and similar puff pieces.
- Information
Security Technical Report
- Abbreviation: ISTR
- Imprint: Elsevier
- Comment: Looks like it might be interesting, but every issue
appears to be a "special issue", i.e., focused on a single topic,
which could make it tricky to get published here.
- International Journal of
Multimedia Intelligence and Security
- Abbreviation: IJMIS
- Imprint: Inderscience Publishers
- Comment: Seems to have stopped publishing—the most
recent issue I can find appeared in 2011.
- International Journal of
Information and Computer Security
- Abbreviation: IJICS
- Imprint: Inderscience Publishers
- Comment: The last issue available seems to be
from mid-2012, so this one might be deceased too.
- Designs, Codes and Cryptography
- Abbreviation: DCC
- Imprint: Springer
- Comment: A strong journal, but, really, this is a math journal.
Often, the link (if any) to cryptography seems tenuous, at best.
- The ugly
- International
Journal on Network Security
- Abbreviation: IJNS
- Imprint: ACEEE
- Comment: Yes, there are at least two journals with IJNS
as their abbreviation. I have to admit that
I'm not familiar with this journal and, apparently, they
like it that way. Although it's said to be open access, I can't seem
to access any of their articles. Does this journal really exist?
In any case, ACEEE is on "Beall's List" of predatory
open access publishers (see below under "other relevant links")
and that's good enough for me.
- International Journal of
Information Sciences and Computer Engineering
- Abbreviation: IJISCE
- Imprint: None
- Comment: This "open access" journal charges authors a publication
fee of 285 euros. It also seems to publish lots of very dubious papers.
- International Journal of
Network Security & Its Applications
- Abbreviation: IJNSA
- Imprint: AIRCC
- Comment: Charges $120. I guess that might be considered a bargain
in this genre, but, come to think of it, you usually get what you pay for.
AIRCC is on "Beall's List" of predatory open access publishers
(see below under "other relevant links").
- International Journal of
Computer Science and Network Security
- Abbreviation: IJCSNS
- Imprint: None
- Comment: This journal has a $400 "publication fee". This one looks
to be even more totally bogus than the other totally bogus journals
listed here. That's an accomplishment, of sorts. To top it all off,
this one is on "Beall's List"
of predatory open access standalone journals
(see below under "other relevant links").
- International
Journal of Information and Network Security
- Abbreviation: IJINS
- Imprint: IAES
- Comment: Charges an $80 publication fee and, get this, a $40
"fast-track review" fee, which guarantees a review within two weeks.
What a joke.
- Journal of Information Security
- Abbreviation: JIS
- Imprint: SCIRP
- Comment: Charges $500 per article. Once upon a time, I actually
published an article in this one, but back then they were not charging
a fee. If I'd realized they were planning to charge authors for
publication, I would have avoided it like the plague.
The publisher, SCIRP, is on "Beall's List" of predatory
open access publishers (see below under "other relevant links").
- Security Informatics
- Abbreviation: none
- Imprint: Springer
- Comment: Open access (charges $1015 per article) with a heavy
emphasis on policy (that's 4 strikes). Do people actually pay this
outrageous fee? And what's up with Springer getting into this scam?
This one is deceased as of March 2019, which proves that there is
some justice in the world.
- EURASIP Journal on Information Security
- Abbreviation: unknown
- Imprint: Springer
- Comment: Another Springer open access journal—this one
charges $735 per article (up from $665 a year previous).
Apparently, this journal was recently
transferred from some minor league publisher to Springer,
and it shows (although less so than when I originally wrote about this journal).
- International Journal of
Innovative Research in Information Security
- Abbreviation: IJIRIS
- Imprint: AM Publications
- Comment: A new (as of 2014) open access journal, with
a publication charge of $65. Content-wise, this one seems to have
perfected the art of total vacuity.
- International Journal on
Cryptography and Information Security
- Abbreviation: IJCIS
- Imprint: AIRCC Publishing Corporation
- Comment: This open access journal charges $120 and requires
use of their MS Word template. Need I say more? No, but I will.
As the name implies, the focus is on cryptography, and a lot of
cryptography means a lot of math typesetting…
in MS Word. The results are not pretty with, for example,
blurry screen snapshots of formulas (originally typeset in TeX)
pasted into published documents. I wouldn't accept that in an
undergraduate student's report. AIRCC
is on "Beall's List" of predatory open access publishers
(see below under "other relevant links").
- International Journal of Network Security
- Abbreviation: IJNS
- Imprint: none
- Comment: This one charges authors $200. 'Nuff said.
- Other relevant links
- Microsoft Academic might
have some useful information, if you can figure out how to pry it out of
it's user-unfriendly interface.
- Jianying Zhou has compiled a useful statistical-based
ranking of top-tier
security
conferences
- Beall's List
consists of "potential, possible,
or probable predatory scholarly open-access publishers"
along with a list of unaffiliated journals that (in Beall's opinion)
fit the same description. This was a valuable resource, but Beall
quit maintaining it under threat from various publishers who were
unhappy with his opinions (so much for
freedom of speech). The link given includes Beall's last iteration
of his list, along with a few recent additions.
But, with the open access craze in overdrive,
there are undoubtedly many, many more predatory
publishers that belong on this list. My observation is
that (as of 2019) the number of predatory open-access
publishers is growing at a ridiculous pace.
This is not surprising, given the current open access mania.
A new list like Beall's is sorely needed, but would be difficult
to maintain due to this rapid increase, which shows no sign
of abating any time soon.
Brought to you by Mark Stamp
and the number 85
email: mark.stamp@sjsu.edu
Last Modified: December 26, 2019.