Abstract
Context and Motivation: Attack-Defense Trees (ADTs) are a graphical notation used to model and assess security requirements. ADTs are widely popular, as they can facilitate communication between different stakeholders involved in system security evaluation, and they are formal enough to be verified, e.g., with model checkers.
Question/Problem: While the quality of this notation has been primarily assessed quantitatively, its understandability has never been evaluated despite being mentioned as a key factor for its success.
Principal idea/Results: In this paper, we conduct an experiment with 25 human subjects to assess the understandability and user acceptance of the ADT notation. The study focuses on performance-based variables and perception-based variables, with the aim of evaluating the relationship between these measures and how they might impact the practical use of the notation. The results confirm a good level of understandability of ADTs. Participants consider them useful, and they show intention to use them.
Contribution: This is the first study empirically supporting the understandability of ADTs, thereby contributing to the theory of security requirements engineering.
Acknowledgements
Research supported by the Italian MUR–PRIN 2020TL3X8X project T-LADIES (Typeful Language Adaptation for Dynamic, Interacting and Evolving Systems); by Innovation Fund Denmark and the Digital Research Centre Denmark, through the bridge project “SIOT - Secure Internet of Things - Risk analysis in design and operation”; by Industriens Fond through the project “Sb3D: Security-by-Design in Digital Denmark”; and by the EU Project CODECS GA 101060179. The authors would like to thank all the participants of the study.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Broccia, G., ter Beek, M.H., Lluch Lafuente, A., Spoletini, P., Ferrari, A. (2024). Assessing the Understandability and Acceptance of Attack-Defense Trees for Modelling Security Requirements. In: Mendez, D., Moreira, A. (eds) Requirements Engineering: Foundation for Software Quality. REFSQ 2024. Lecture Notes in Computer Science, vol 14588. Springer, Cham. https://doi.org/10.1007/978-3-031-57327-9_3
DOI: https://doi.org/10.1007/978-3-031-57327-9_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57326-2
Online ISBN: 978-3-031-57327-9
eBook Packages: Computer Science, Computer Science (R0)