Seven stages, four standing criteria, and why the WannaCry attribution to North Korea was not accepted the day the first report came out -- it took several independent labs reaching the same conclusion before anyone called it settled.
Sign in to mark this article as read and track your progress.
Research loops back on itself constantly in practice, but for a first project it helps to lay the stages out in order, since each one produces something the next depends on.
That last stage is why the list is really a loop rather than a straight line: closing one question routinely opens the next.
Throughout all seven stages, a piece of research is judged against four standards. It should be systematic — each stage following a documented plan. It should be objective — conclusions that follow the evidence rather than the researcher's hopes. It should be replicable — another researcher using the same method reaches the same result. And it should be cumulative — built on, and positioned against, what came before it.
In the days after the WannaCry outbreak, several security firms independently examined the malware's code for clues to its author. They found reused code fragments and infrastructure links to earlier tools associated with the Lazarus Group, a hacking operation tied to North Korea.
No single lab's finding was treated as conclusive on its own, because code-similarity evidence can be misread, or planted. It was only once multiple, separately conducted analyses converged on the same conclusion that the United States and United Kingdom formally attributed the attack to North Korea, in December 2017 — seven months after the outbreak.
That gap between "one lab found something" and "the attribution is accepted" is Stage 6 and Stage 7 of the research process playing out in public: a claim is trusted once independent replication supports it, not the moment the first report is published.
An assumption is a statement the researcher takes as given, without setting out to test it, because the study would be pointless otherwise. The WannaCry attribution above rests on at least two: that shared code fragments across separate pieces of malware indicate a common author or team — rather than one group copying another's leaked tools to mislead investigators — and that the infrastructure links uncovered weren't planted deliberately as a false flag.
Neither assumption is proven. Both are stated, and a careful report says so, rather than presenting the conclusion as if no such assumption were being made.
Don't confuse an assumption with a hypothesis. A hypothesis is the tentative answer the study is designed to test — the whole point of the study is finding out whether it holds. An assumption is a condition the researcher accepts as true throughout the study, precisely so that testing the hypothesis is possible at all.
Using the WannaCry attribution example, name one assumption the code-similarity method relies on, and explain why a report should state that assumption openly rather than presenting the attribution as unconditional fact.