Towards Unveiling Effects Of Human Factors Within Security Risk Assessment

Abstract

[Background:] Security-by-design techniques (e.g., STRIDE) are used to elicit system threats before they are exploited. Since security threat assessment is performed on a conceptualised model of the system under analysis, human expertise is relied upon to exhaustively elicit all possible threats. To this end, the outcomes of threat analysis depend on the individual actors involved in the process. However, human expertise can be biased depending on certain or a combination of human factors. [Goal:] With this work, we aim to unveil the effect (if any) of human factors (e.g., gender, age, seniority, educational background, nationality) to security risk assessment. [Method:] To contribute to this body of knowledge, we are conducting a state-of-the-art literature review and several experiments with human participants (experts and non-experts) in the domain of security and risk assessment. First, the topic and technical domain are described in general. Second, preliminary results of the on-going literature review are presented. Finally, a research plan is described including research questions, treatment, and participant recruitment.