[Background:] Security-by-design techniques (e.g., STRIDE) are used to elicit system threats before they are exploited. Since security threat assessment is performed on a conceptualised model of the system under analysis, human expertise is relied upon to exhaustively elicit all possible threats. To this end, the outcomes of threat analysis depend on the individual actors involved in the process. However, human expertise can be biased depending on certain or a combination of human factors. [Goal:] With this work, we aim to unveil the effect (if any) of human factors (e.g., gender, age, seniority, educational background, nationality) to security risk assessment. [Method:] To contribute to this body of knowledge, we are conducting a state-of-the-art literature review and several experiments with human participants (experts and non-experts) in the domain of security and risk assessment. First, the topic and technical domain are described in general. Second, preliminary results of the on-going literature review are presented. Finally, a research plan is described including research questions, treatment, and participant recruitment.
Background: Organizations are experiencing an increasing demand for security-by-design activities (e.g., STRIDE analyses) which require a high manual effort. This situation is worsened by the current lack of diverse (and sufficient) security workforce and inconclusive results from past studies. To date, the deciding human factors (e.g., diversity dimensions) that play a role in threat analysis have not been sufficiently explored.Objective: To address this issue, we plan to conduct a series of exploratory controlled experiments. The main objective is to empirically measure the human-aspects that play a role in threat analysis alongside the more well-known measures of analysis performance. Method: We design the experiments as a differentiated replication of past experiments with STRIDE. The replication design is aimed at capturing some similar measures (e.g., of outcome quality) and additional measures (e.g., diversity dimensions). We plan to conduct the experiments in an academic setting. Limitations: Obtaining a balanced population (e.g., wrt gender) in advanced computer science courses is not realistic. The experiments we plan to conduct with MSc level students will certainly suffer this limitation.
To avoid costly security patching after software deployment, securityby-design techniques (e.g., STRIDE threat analysis) are adopted in organizations to root out security issues before the system is ever implemented. Despite the global gap in cybersecurity workforce and the high manual effort required for performing threat analysis, organizations are ramping up threat analysis activities. However, past experimental results were inconclusive regarding some performance indicators of threat analysis techniques thus practitioners have little evidence for choosing the technique to adopt. To address this issue, we replicated a controlled experiment with STRIDE. Our study was aimed at measuring and comparing the performance indicators (productivity and precision) of two STRIDE variants (element and interaction). We conclude the paper by comparing our results to the original study. CCS CONCEPTS• Software and its engineering; • General and reference → Empirical studies;
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.