The good, the bad and the ugly: a study of security decisions in a cyber-physical systems game
Main author: | Frey, S. |
---|---|
Publication date: | 2018 |
Other authors: | Rashid, A.; Anthonysamy, P.; Pinto-Albuquerque, M.; Naqvi, S. A. |
Document type: | Article |
Language: | eng |
Source title: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos) |
Full text: | http://hdl.handle.net/10071/16410 |
Abstract: | Stakeholders' security decisions play a fundamental role in determining security requirements, yet, little is currently understood about how different stakeholder groups within an organisation approach security and the drivers and tacit biases underpinning their decisions. We studied and contrasted the security decisions of three demographics -- security experts, computer scientists and managers -- when playing a tabletop game that we designed and developed. The game tasks players with managing the security of a cyber-physical environment while facing various threats. Analysis of 12 groups of players (4 groups in each of our demographics) reveals strategies that repeat in particular demographics, e.g., managers and security experts generally favoring technological solutions over personnel training, which computer scientists preferred. Surprisingly, security experts were not ipso facto better players -- in some cases, they made very questionable decisions -- yet they showed a higher level of confidence in themselves. We classified players' decision-making processes, i.e., procedure-, experience-, scenario- or intuition-driven. We identified decision patterns, both good practices and typical errors and pitfalls. Our game provides a requirements sandbox in which players can experiment with security risks, learn about decision-making and its consequences, and reflect on their own perception of security. |
Record id: | RCAP_77a680ff41dea48e17910cb848e0bae8 |
---|---|
OAI identifier: | oai:repositorio.iscte-iul.pt:10071/16410 |
Network: | RCAP (repository id 7160) |
Authors: | Frey, S.; Rashid, A.; Anthonysamy, P.; Pinto-Albuquerque, M.; Naqvi, S. A. |
Keywords: | Security decisions; Security requirements; Game; Decision patterns |
Publisher: | IEEE |
Dates: | 2018-07-17T08:37:02Z; 2019-01-01T00:00:00Z; 2019; 2019-05-25T12:20:45Z |
Version: | info:eu-repo/semantics/publishedVersion |
Type: | info:eu-repo/semantics/article |
Format: | application/pdf |
Language: | eng |
ISSN: | 0098-5589 |
DOI: | 10.1109/TSE.2017.2782813 |
Rights: | info:eu-repo/semantics/openAccess |
Source: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos); Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação; RCAAP |