Speaker: hanno

Applied IT security is largely a science-free field. The IT security industry sells a range of products with often very questionable and sometimes outright ridiculous claims. Yet it is widely accepted practice among users and companies that protection with security appliances, antivirus products and firewalls is a necessity. There are no rigorous scientific studies that try to evaluate the effectiveness of most security products or strategies. Evidence-based IT security could provide a way out of the security nihilism that often dominates the debate – however, it doesn't exist yet.

From Next-Generation APT-Defense to Machine Learning and Artificial Intelligence: the promises of IT security product vendors are often bold. Some marketing promises are simply impossible, because they violate a fundamental theorem of computer science, the halting problem. Many IT security professionals are skeptical of security appliances, antivirus software and other IT security products and call them snake oil. Furthermore, security products often have security vulnerabilities themselves, as has lately been shown by the impressive work done by Tavis Ormandy from Google's Project Zero.

When there is disagreement about the effectiveness of an approach, rational people should ask for scientific evidence. Surprisingly, however, this evidence largely doesn't exist. While there obviously is a lot of scientific research in IT security, it rarely tries to answer the practical questions most relevant to users. Decisions are made in an ad-hoc way and are usually based on opinions rather than rigorous scientific evidence.

It is quite ironic that, given the medical analogies this field likes to use (viruses, infections etc.), nobody is looking at how medicine solves these problems. The gold standard of scientific evidence in medicine (and many other fields) is to do randomized controlled trials (RCTs) and meta-analyses of those trials. An RCT divides patients into groups and