Finding Security Threats That Matter: An Industrial Case Study

TL;DR

This study empirically compares risk-first and risk-last threat analysis techniques in an industrial automotive context, revealing trade-offs in threat detection depth and prioritization efficiency.

Contribution

It provides the first empirical evaluation of risk-first versus risk-last threat analysis methods in an industrial setting, highlighting their practical differences.

Findings

Risk-first technique detects more high-priority threats and detailed attack scenarios.

Risk-last technique finds more medium and low-priority threats and is faster.

No significant difference in overall productivity and timeliness.

Abstract

Recent trends in the software engineering (i.e., Agile, DevOps) have shortened the development life-cycle limiting resources spent on security analysis of software designs. In this context, architecture models are (often manually) analyzed for potential security threats. Risk-last threat analysis suggests identifying all security threats before prioritizing them. In contrast, risk-first threat analysis suggests identifying the risks before the threats, by-passing threat prioritization. This seems promising for organizations where developing speed is of great importance. Yet, little empirical evidence exists about the effect of sacrificing systematicity for high-priority threats on the performance and execution of threat analysis. To this aim, we conduct a case study with industrial experts from the automotive domain, where we empirically compare a risk-first technique to a risk-last technique. In this study, we consciously trade the amount of participants for a more realistic simulation of threat analysis sessions in practice. This allows us to closely observe industrial experts and gain deep insights into the industrial practice. This work contributes with: (i) a quantitative comparison of performance, (ii) a quantitative and qualitative comparison of execution, and (iii) a comparative discussion of the two techniques. We find no differences in the productivity and timeliness of discovering high-priority security threats. Yet, we find differences in analysis execution. In particular, participants using the risk-first technique found twice as many high-priority threats, developed detailed attack scenarios, and discussed threat feasibility in detail. On the other hand, participants using the risk-last technique found more medium and low-priority threats and finished early.