The Role of Diversity in Cybersecurity Risk Analysis: An Experimental Plan

TL;DR

This paper proposes an experimental plan to empirically study how diversity, especially gender diversity, influences cybersecurity risk analysis and decision-making processes.

Contribution

It introduces a novel experimental framework to investigate the impact of diversity factors on cybersecurity risk analysis, addressing a gap in existing research.

Findings

Identifies key diversity factors affecting risk analysis

Highlights potential biases in expert judgment due to lack of diversity

Proposes methods to improve fairness and accuracy in cybersecurity assessments

Abstract

Cybersecurity threat and risk analysis (RA) approaches are used to identify and mitigate security risks early-on in the software development life-cycle. Existing approaches automate only parts of the analysis procedure, leaving key decisions in identification, feasibility and risk analysis, and quality assessment to be determined by expert judgement. Therefore, in practice teams of experts manually analyze the system design by holding brainstorming workshops. Such decisions are made in face of uncertainties, leaving room for biased judgement (e.g., preferential treatment of category of experts). Biased decision making during the analysis may result in unequal contribution of expertise, particularly since some diversity dimensions (i.e., gender) are underrepresented in security teams. Beyond the work of risk perception of non-technical threats, no existing work has empirically studied the role of diversity in the risk analysis of technical artefacts. This paper proposes an experimental plan for identifying the key diversity factors in RA.