Challenges and approaches of performing canonical action research in software security

When studying work practices, it is important to obtain accurate and reliable information about how work is actually done. Action research is an interactive inquiry process that balances problemsolving actions implemented in a collaborative context with datadriven collaborative analysis or research to understand underlying causes enabling future predictions about personal and organizational change. Our research team has been engaged in action research in software organizations in Norway for two years. In this paper we describe some of the challenges in performing canonical action research in software security. We have structured the discussion of the challenges based on the principles of canonical action research, and we draw some lessons learned and future work towards improving the adoption of action research in software security research.