Keep it Simple, or Teach Them Logics: Attack-Defense Tree Perception by Laypeople
摘要
Threat modelling is crucial for analysing how attacks may affect security-critical systems, detecting present vulnerabilities, and managing risk. System designers use attack trees and their extensions during an application’s design and implementation phase for these tasks. However, it is equally essential that end-users know how to use the final system securely. The competence profiles of end-users highly differ from the profiles of system designers. Therefore, we aim to reflect these different levels of competences in our proposition to enhance the models. Our research examines the perception of attack trees and their extensions among laypeople. We conducted a task-oriented survey (n=133), where non-experts in cyber-security had to interpret three attack-defense tree representations of two different attack scenarios. Additionally, we use the technology acceptance model (TAM) to investigate how participants perceived these representations. Our survey demonstrates that standard attack-defense tree visualisations are on average as effective as running text for risk communication to laypeople. However, they may currently not evolve their full potential as laypeople usually lack logical skills. Basic logic is a crucial element for teaching laypeople about security. Motivated by the results, we suggest ways the models could be simplified for the users, to ease the access through simpler perspectives on the logical relationships described by the models.