Primary and Secondary Data
Running a phishing simulation and recording who clicks is primary data. A CERT's published incident record is secondary data the moment someone else picks it up. The difference decides how much you can trust what you reuse.
Where the Numbers Actually Come From
Before a single number can be analysed, it has to come from somewhere, and where it comes from shapes everything that follows. A researcher studying ransomware behaviour could run live samples inside a sandbox and record fresh telemetry, or could instead work from a security vendor's published incident report. Both are legitimate, but they aren't the same kind of data, and a reviewer will ask which one was used and why.
Primary data is collected by the researcher for the specific purpose of the present study. Running a phishing simulation on a sample of employees and recording who clicks is primary data collection, because the data didn't exist before the researcher created the situation that produced it.
Secondary data is collected earlier, usually for a different purpose, and reused by the present study. A CERT's published record of incidents reported in a given year is secondary data the moment a researcher picks it up to answer a new question.
Where Security Research Data Usually Comes From
Data for a security or digital forensics study typically comes from one of two branches, and a single study often draws on both at once:
- Primary: surveys/questionnaires, interviews/focus groups, sandbox runs and telemetry
- Secondary: public datasets (CICIDS, NSL-KDD), published breach or CERT reports
The Cost of Convenience
Secondary data is cheaper and faster to obtain, but it was collected against someone else's definitions. A public intrusion-detection dataset was labelled "attack" or "benign" according to whoever built it, and that scheme may not match what the present study needs. Before reusing a secondary dataset, check how each field was defined and collected — not only what the field is called.
Check Your Understanding
A study reuses a public intrusion-detection dataset instead of capturing its own network traffic. List two questions the researcher should ask about how that dataset was originally labelled before trusting it for a new purpose.
Sign in to mark this article as read and track your progress.