A limited technical background is sufficient for attack-defense tree acceptability
Nathan Daniel Schiele, Olga Gadyatskaya

TL;DR
This study demonstrates that attack-defense trees are acceptable for threat modeling even for users with limited technical backgrounds, broadening their usability beyond highly technical stakeholders.
Contribution
The paper provides empirical evidence that attack-defense trees are suitable for users with limited technical knowledge, expanding their applicability in threat modeling.
Findings
Limited technical background does not hinder ADT acceptability.
ADTs can be used effectively by non-expert stakeholders.
Empirical validation with 102 participants supports broad usability.
Abstract
Attack-defense trees (ADTs) are a prominent graphical threat modeling method that is highly recommended for analyzing and communicating security-related information. Despite this, existing empirical studies of attack trees have established their acceptability only for users with highly technical (computer science) backgrounds while raising questions about their suitability for threat modeling stakeholders with a limited technical background. Our research addresses this gap by investigating the impact of the users' technical background on ADT acceptability in an empirical study. Our Method Evaluation Model-based study consisted of n = 102 participants (53 with a strong computer science background and 49 with a limited computer science background) who were asked to complete a series of ADT-related tasks. By analyzing their responses and comparing the results, we reveal that a very…
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection
