EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
research-methodologyresearch-designhypothesisresearch-question

Framing Hypotheses and Research Questions

A topic is not a research question, and a research question is not a hypothesis. Getting the distinction right before you design a study saves months of confusion later — and it determines what kind of evidence will actually answer your question.

Ashish Revar7 July 202612 min read4 views

Sign in to mark this article as read and track your progress.

More articlesTest your knowledge

From Topic to Question to Hypothesis

Most research projects start too broadly. "I want to study cybersecurity" is a topic, not a research question. "I want to study phishing" is still a topic. "Does adding a second authentication factor reduce successful phishing attacks in enterprise environments?" is a research question — it is specific, it names the variables, and it has a direction an answer can go in.

The journey from topic to research question to hypothesis follows a fixed order. Each step narrows the problem:

StageExample
TopicPhishing and multi-factor authentication
Research questionDoes MFA reduce phishing success rates in enterprise environments?
HypothesisAccounts with MFA enabled will show significantly fewer successful phishing compromises than accounts without MFA over a 12-month period

What Makes a Research Question Good

A good research question passes four tests:

Specific — it names the variables and the population. "Does phishing succeed more often?" is not specific. "Does SMS-based MFA reduce successful phishing credential harvesting among employees in financial services organisations?" is.

Answerable — you can collect evidence that actually addresses it. "Is phishing morally wrong?" is not answerable by an empirical study. "Does MFA reduce phishing success rates?" is.

Feasible — the data, time, and access you have are sufficient to produce a defensible answer. A question requiring access to classified government incident logs is not feasible for a student dissertation.

Relevant — it fills a genuine gap in what is known. "Does phishing exist?" is not relevant; the literature settled that decades ago.

Some supervisors use the PICO framework, adapted from clinical research: Population (who or what is being studied), Intervention or exposure (what factor is being examined), Comparison (what it is being compared against), Outcome (what is being measured). In a security ML study: P = enterprise email accounts, I = MFA enabled, C = MFA disabled, O = successful credential-harvesting rate. PICO forces specificity at the question-framing stage.

Types of Research Questions

Research questions divide into three functional types, and the type determines the design:

Descriptive questions ask what is the case. "What percentage of phishing emails bypass enterprise spam filters?" These require surveys, measurements, or observation — they do not test a relationship between variables.

Comparative questions ask whether two groups differ. "Do organisations using MFA report fewer successful phishing incidents than those that do not?" These require a comparison group and some measure of effect size.

Explanatory (causal) questions ask why or how. "How does MFA reduce the success rate of real-time phishing proxies?" These require experimental or quasi-experimental designs because you are claiming a causal mechanism, not just a correlation.

The most common error students make is writing a comparative or causal question and then using a descriptive design to answer it. A survey asking respondents whether they feel more secure with MFA cannot answer whether MFA actually reduces compromise rates.

From Research Question to Hypothesis

A hypothesis is a formal, testable prediction derived from the research question. It states the expected relationship between variables before the data are collected, and it is falsifiable — the data can show it to be wrong.

A hypothesis always comes in a pair:

Null hypothesis (H₀): the no-effect position. "There is no significant difference in successful phishing rates between MFA-enabled and MFA-disabled accounts." This is what a statistical test is actually testing against.

Alternative hypothesis (H₁): the effect the study predicts. "MFA-enabled accounts show significantly fewer successful phishing compromises than MFA-disabled accounts."

The null hypothesis is never proved — it is either rejected or not rejected at a chosen significance level. If the data are inconsistent with H₀ at p < 0.05, the result is significant and H₀ is rejected in favour of H₁. If not, the study concludes there is insufficient evidence to reject H₀ — which is not the same as proving H₀ is true.

Directional vs. non-directional hypotheses. A directional hypothesis predicts the direction of the effect: "MFA-enabled accounts will show fewer compromises." A non-directional hypothesis predicts only that a difference exists: "There will be a significant difference in compromise rates between MFA-enabled and MFA-disabled accounts." Directional hypotheses are appropriate when prior literature gives strong reason to predict the direction; non-directional ones are appropriate when the direction is genuinely uncertain.

Hypotheses in ML Research

ML research often substitutes evaluation metrics for classical hypotheses, but the underlying logic is the same. "The proposed federated aggregation strategy will achieve a higher F1 score on non-IID data than FedAvg" is a hypothesis — it predicts a measurable difference, it is falsifiable, and it can be paired with a null: "There is no significant difference in F1 between the proposed strategy and FedAvg on non-IID data."

The difference is that ML papers frequently skip the formal H₀/H₁ notation and instead report confidence intervals, effect sizes, or statistical tests (Wilcoxon signed-rank, McNemar's test) directly. The hypothesis is there implicitly; good research makes it explicit so the evaluation section can directly answer the question the hypothesis raised.

Check Your Understanding

A student writes the following research question: "What is the impact of deep learning on cybersecurity?" Identify three specific problems with this question, and rewrite it so that it is specific, answerable, and feasible for a one-semester project. Then write the null and alternative hypothesis that correspond to your revised question.