Human Aspect of Threat Analysis: A Replication
Katja Tuma, Winnie Mbaka

TL;DR
This paper proposes a replication study to empirically investigate how human factors, including diversity, influence threat analysis performance, addressing gaps in understanding human aspects in security assessments.
Contribution
It introduces a differentiated replication of previous STRIDE-based threat analysis experiments to explore human factors like diversity dimensions.
Findings
Designs controlled experiments to measure human factors in threat analysis
Plans to analyze the impact of diversity on analysis outcomes
Addresses a gap in empirical understanding of human aspects in security
Abstract
Background: Organizations are experiencing an increasing demand for security-by-design activities (e.g., STRIDE analyses) which require a high manual effort. This situation is worsened by the current lack of diverse (and sufficient) security workforce and inconclusive results from past studies. To date, the deciding human factors (e.g., diversity dimensions) that play a role in threat analysis have not been sufficiently explored. Objective: To address this issue, we plan to conduct a series of exploratory controlled experiments. The main objective is to empirically measure the human aspects that play a role in threat analysis alongside the more well-known measures of analysis performance. Method: We design the experiments as a differentiated replication of past experiments with STRIDE. The replication design is aimed at capturing some similar measures (e.g., of outcome quality) and…
Taxonomy
Topics: Information and Cyber Security · Software Reliability and Analysis Research · Bullying, Victimization, and Aggression
