My research focuses in Human Computer Interaction. Theoretical security evaluation includes analyzing password space. While empirical security evaluation includes doing experiment on shoulder-surfing, observation, intersection, guessing attacks etc. Can I only include theoretical evaluation?