The good, the bad and the ugly: a study of security decisions in a cyber-physical systems game

Bibliographic details
Lead author: Frey, S.
Date of publication: 2018
Other authors: Rashid, A., Anthonysamy, P., Pinto-Albuquerque, M., Naqvi, S. A.
Document type: Article
Language: English (eng)
Source: Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos)
Full text: http://hdl.handle.net/10071/16410
Abstract: Stakeholders' security decisions play a fundamental role in determining security requirements, yet little is currently understood about how different stakeholder groups within an organisation approach security and the drivers and tacit biases underpinning their decisions. We studied and contrasted the security decisions of three demographics -- security experts, computer scientists and managers -- when playing a tabletop game that we designed and developed. The game tasks players with managing the security of a cyber-physical environment while facing various threats. Analysis of 12 groups of players (4 groups in each of our demographics) reveals strategies that repeat in particular demographics, e.g., managers and security experts generally favouring technological solutions over personnel training, which computer scientists preferred. Surprisingly, security experts were not ipso facto better players -- in some cases, they made very questionable decisions -- yet they showed a higher level of confidence in themselves. We classified players' decision-making processes, i.e., procedure-, experience-, scenario- or intuition-driven. We identified decision patterns, both good practices and typical errors and pitfalls. Our game provides a requirements sandbox in which players can experiment with security risks, learn about decision-making and its consequences, and reflect on their own perception of security.
Record metadata
Keywords: Security decisions; Security requirements; Game; Decision patterns
Publisher: IEEE
Journal ISSN: 0098-5589
DOI: 10.1109/TSE.2017.2782813
Handle: http://hdl.handle.net/10071/16410
Version: published version (info:eu-repo/semantics/publishedVersion)
Document type: article (info:eu-repo/semantics/article)
Format: application/pdf
Rights: open access (info:eu-repo/semantics/openAccess)
Dates in the record: 2018-07-17 (deposit), 2019-01-01 and 2019 (issue), 2019-05-25 (last record update)
Repository: Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
OAI identifier: oai:repositorio.iscte-iul.pt:10071/16410
Record id: RCAP_77a680ff41dea48e17910cb848e0bae8