A replication of a controlled experiment with two STRIDE variants
Winnie Mbaka, Katja Tuma

TL;DR
This paper replicates a controlled experiment comparing two STRIDE variants to evaluate their productivity and precision, providing clearer evidence for practitioners in security-by-design threat analysis.
Contribution
It offers a replication study that compares two STRIDE variants, addressing gaps in empirical evidence for their performance in threat analysis.
Findings
Interaction variant shows higher productivity
Element variant has higher precision
Results align with previous study trends
Abstract
To avoid costly security patching after software deployment, security-by-design techniques (e.g., STRIDE threat analysis) are adopted in organizations to root out security issues before the system is ever implemented. Despite the global gap in the cybersecurity workforce and the high manual effort required for performing threat analysis, organizations are ramping up threat analysis activities. However, past experimental results were inconclusive regarding some performance indicators of threat analysis techniques; thus, practitioners have little evidence for choosing the technique to adopt. To address this issue, we replicated a controlled experiment with STRIDE. Our study was aimed at measuring and comparing the performance indicators (productivity and precision) of two STRIDE variants (element and interaction). We conclude the paper by comparing our results to the original study.
Taxonomy
Topics: Information and Cyber Security · Software Engineering Research · Software Engineering Techniques and Practices
