EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
research-methodologystatistical-testshypothesis-testing

Common Statistical Tests and Choosing the Right One

Most tests a security research project will ever need fall into a small set. The choice turns on two questions: how many groups are being compared, and whether the outcome is continuous or categorical.

Ashish Revar6 July 202614 min read2 views

Sign in to mark this article as read and track your progress.

More articlesTest your knowledge

The Two Questions That Decide the Test

Most tests a security research project will ever need fall into a small set, and the choice between them turns on two questions: how many groups are being compared, and whether the outcome is continuous or categorical.

TestDataTypical use
Independent-samples t-testContinuous, 2 independent groupsCompare mean response time of two different SOC teams.
Paired t-testContinuous, 2 matched measurementsCompare the same malware samples' detection scores before and after a signature update.
One-way ANOVAContinuous, 3+ independent groupsCompare mean detection accuracy across three antivirus products.
Chi-square test of independenceCategorical, 2+ groupsTest whether phishing-click behaviour is associated with department.
Pearson correlationTwo continuous variablesMeasure the association between patch-cycle length and incident severity.
Simple linear regressionOne outcome, one or more predictorsPredict incident response time from team size and alert volume.

What Each Test Assumes

Every test assumes something about the data before it can be trusted. Checking an assumption takes a few minutes; reporting a result that quietly violates one doesn't survive peer review.

TestWhat it assumes about your data
t-test (either kind)The outcome is roughly normally distributed within each group; for the independent version, the two groups' variances should be roughly equal.
One-way ANOVAThe same normality and equal-variance assumptions, extended to three or more groups.
Chi-square testEach expected cell count should generally be 5 or more; with smaller samples the test becomes unreliable.
Pearson correlationBoth variables are continuous and their relationship is roughly linear, not curved.

Correlation and ANOVA in particular are easier to trust once you've actually looked at the data rather than only at a single summary statistic. Plotting patch-cycle length against incident severity for each organisation, before running a correlation test, is how you catch a curved relationship that Pearson correlation would badly misjudge. Plotting the spread of response times for each antivirus product side by side, before running an ANOVA, shows whether the group differences look larger than the normal run-to-run variation within each group.

Try It Yourself — Pick the Right Test

For each scenario below, name the test you'd use:

  1. Comparing the mean CPU overhead of one endpoint agent, measured on the same 20 machines, before and after a configuration change.
  2. Checking whether five different Linux distributions show different mean boot times.
  3. Checking whether the number of open ports on a server is associated with the number of vulnerabilities later found on it.
  4. Checking whether "uses MFA" (yes/no) is associated with "suffered an account-takeover incident" (yes/no) across 300 organisations.

Answers: (1) paired t-test, (2) one-way ANOVA, (3) Pearson correlation, (4) chi-square test of independence.

A quick first-pass guide: if the outcome is categorical, use chi-square. If the outcome is continuous and there are only two groups, use a t-test — paired if the same subjects were measured twice, independent if not. If the outcome is continuous and there are three or more independent groups, use one-way ANOVA. Paired data, correlation, and regression sit outside this simple flow, and are chosen when the question itself asks for an association or a prediction rather than a group comparison.

Chi-Square, Applied

A phishing simulation is sent to 200 employees, 50 from IT and 150 from the rest of the organisation. Far fewer of the IT staff click the simulated link than the company-wide rate would predict. A chi-square test of independence on the resulting two-by-two table — department against clicked-or-not — is the right tool to ask whether that gap is larger than chance would produce. If the test statistic exceeds the critical value for one degree of freedom at the 5% level, the researcher can report that department and click behaviour are associated in this dataset, with IT employees clicking noticeably less often.

Check Your Understanding

Which test would you use to check whether larger malware files tend to make more API calls during execution, and what result would count as support for that claim? Then: a department head argues that because only 10% of IT staff clicked the simulated phishing link, compared with 23% company-wide, no formal test is needed to prove the difference is real. Explain why a chi-square test is still the correct next step.