Threat modelling is crucial for analysing how attacks may affect security-critical systems, detecting present vulnerabilities, and managing risk. System designers use attack trees and their extensions during an application’s design and implementation phase for these tasks. However, it is equally essential that end-users know how to use the final system securely. The competence profiles of end-users highly differ from the profiles of system designers. Therefore, we aim to reflect these different levels of competences in our proposition to enhance the models. Our research examines the perception of attack trees and their extensions among laypeople. We conducted a task-oriented survey (n=133), where non-experts in cyber-security had to interpret three attack-defense tree representations of two different attack scenarios. Additionally, we use the technology acceptance model (TAM) to investigate how participants perceived these representations. Our survey demonstrates that standard attack-defense tree visualisations are on average as effective as running text for risk communication to laypeople. However, they may currently not evolve their full potential as laypeople usually lack logical skills. Basic logic is a crucial element for teaching laypeople about security. Motivated by the results, we suggest ways the models could be simplified for the users, to ease the access through simpler perspectives on the logical relationships described by the models.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Keep it Simple, or Teach Them Logics: Attack-Defense Tree Perception by Laypeople

  • Florian Dorfhuber,
  • Marisol Barrientos,
  • Julia Eisentraut,
  • Jan Křetínský

摘要

Threat modelling is crucial for analysing how attacks may affect security-critical systems, detecting present vulnerabilities, and managing risk. System designers use attack trees and their extensions during an application’s design and implementation phase for these tasks. However, it is equally essential that end-users know how to use the final system securely. The competence profiles of end-users highly differ from the profiles of system designers. Therefore, we aim to reflect these different levels of competences in our proposition to enhance the models. Our research examines the perception of attack trees and their extensions among laypeople. We conducted a task-oriented survey (n=133), where non-experts in cyber-security had to interpret three attack-defense tree representations of two different attack scenarios. Additionally, we use the technology acceptance model (TAM) to investigate how participants perceived these representations. Our survey demonstrates that standard attack-defense tree visualisations are on average as effective as running text for risk communication to laypeople. However, they may currently not evolve their full potential as laypeople usually lack logical skills. Basic logic is a crucial element for teaching laypeople about security. Motivated by the results, we suggest ways the models could be simplified for the users, to ease the access through simpler perspectives on the logical relationships described by the models.