Most research-integrity offices organise misconduct into three categories abbreviated FFP. What makes the security-domain versions worth studying separately is that the downstream consequences — defences that do not work, benchmarks that cannot be replicated — affect people who never read the paper that contained the misconduct.
Sign in to mark this article as read and track your progress.
Most research integrity offices, in India and internationally, organise misconduct into three categories:
Fabrication. Inventing data or results that were never actually observed. Example: reporting a detection accuracy figure from a test that was never run, or inventing entries in a malware-sample log.
Falsification. Manipulating real data, equipment, or a process so the record no longer honestly represents what happened. Example: running a classifier under controlled lab conditions, then reporting that result as if it were measured in production; or selectively rerunning a comparison after a configuration error is found and reporting both conditions as if they had been run correctly from the start.
Plagiarism. Presenting another person's words, data, or ideas as one's own — covering the full range of forms from verbatim copying to self-plagiarism.
In security research, an FFP violation does not only damage the researcher's career or the field's publication record. It damages the defences that depend on the research being correct:
| Type | In security research | Why it matters beyond misconduct rules |
|---|---|---|
| Fabrication | Reporting detection accuracy from a test never actually run | A detection system built on a fabricated benchmark gives no real protection |
| Falsification | Reporting a lab result as if measured in production | Defences calibrated to falsified benchmarks fail under real conditions, directly harming users |
| Plagiarism | Copying a threat-model section without citation | The field's knowledge base depends on attribution so each claim can be challenged, replicated, and built on |
Malware analysts study software written specifically to behave differently when it is being observed. Many well-documented malware families check for the presence of a sandbox, debugger, or virtual machine and either refuse to run or behave harmlessly if they detect one — so that automated analysis systems record a false, benign picture of what the sample does in the field.
This is falsification carried out by code rather than by a person typing false numbers, but the underlying offence is the same: the recorded result no longer honestly represents what happens under real conditions. A benchmark or reported result that only looks good under the exact conditions it was tested in, and fails outside them, is falsification's academic equivalent — whether or not anyone intended it that way.
This is precisely why the methodology section of a research paper exists: to describe the conditions so precisely that another researcher knows where the result does and does not apply.
India's University Grants Commission regulation "Promotion of Academic Integrity and Prevention of Plagiarism in Higher Educational Institutions" (2018) sets four consequence levels for theses and dissertations:
| Level | Similarity | Consequence |
|---|---|---|
| 0 | Up to 10% | Minor similarity, no penalty |
| 1 | Above 10% to 40% | Student must submit a revised manuscript within 6 months |
| 2 | Above 40% to 60% | Student is debarred from resubmitting for 1 year |
| 3 | Above 60% | Registration for the degree is cancelled |
Fabrication invents a result entirely. A researcher who claims to have run 10,000 malware samples through a new detector when they ran 200 has fabricated data. Falsification distorts a real result: a researcher who ran 10,000 but quietly removed the 3,000 that produced false negatives before reporting the accuracy figure has falsified — the test was real, but the record does not honestly represent it.
The Rossow et al. finding discussed in Chapter 2 — that a quarter of 36 published malware studies made questionable assumptions about their datasets — is evidence of how easily a methodology can drift into being misleading without any decision to lie. Which is exactly why a carefully written methodology section matters as much as good intentions.
A researcher compares two malware detectors on the same 10,000-sample set. She gets a good result for Detector A. She later discovers she misconfigured Detector B's threshold. She quietly reruns only Detector B with the correct threshold and reports both numbers as if both had been run correctly from the start. Which FFP category does this fall under? Does it matter that she did not manually enter false data?