
The good, the bad and the ugly: a study of security decisions in a cyber-physical systems game

Research output: Contribution to Journal/Magazine, Journal article, peer-review

E-pub ahead of print

Standard

The good, the bad and the ugly: a study of security decisions in a cyber-physical systems game. / Frey, Sylvain Andre Francis; Rashid, Awais; Anthonysamy, Pauline et al.

In: IEEE Transactions on Software Engineering, 13.12.2017.



Vancouver

Frey SAF, Rashid A, Anthonysamy P, Pinto-Albuquerque M, Naqvi SAA. The good, the bad and the ugly: a study of security decisions in a cyber-physical systems game. IEEE Transactions on Software Engineering. 2017 Dec 13. Epub 2017 Dec 13. doi: 10.1109/TSE.2017.2782813


Bibtex

@article{ad96e3acde1c4bf2970ad4239c1fea2f,
title = "The good, the bad and the ugly: a study of security decisions in a cyber-physical systems game",
abstract = "Stakeholders' security decisions play a fundamental role in determining security requirements, yet, little is currently understood about how different stakeholder groups within an organisation approach security and the drivers and tacit biases underpinning their decisions. We studied and contrasted the security decisions of three demographics -- security experts, computer scientists and managers -- when playing a tabletop game that we designed and developed. The game tasks players with managing the security of a cyber-physical environment while facing various threats. Analysis of 12 groups of players (4 groups in each of our demographics) reveals strategies that repeat in particular demographics, e.g., managers and security experts generally favoring technological solutions over personnel training, which computer scientists preferred. Surprisingly, security experts were not ipso facto better players -- in some cases, they made very questionable decisions -- yet they showed a higher level of confidence in themselves. We classified players' decision-making processes, i.e., procedure-, experience-, scenario- or intuition-driven. We identified decision patterns, both good practices and typical errors and pitfalls. Our game provides a requirements sandbox in which players can experiment with security risks, learn about decision-making and its consequences, and reflect on their own perception of security.",
author = "Frey, {Sylvain Andre Francis} and Awais Rashid and Pauline Anthonysamy and Maria Pinto-Albuquerque and Naqvi, {Syed Asad Ali}",
note = "{\textcopyright} Copyright 2018 IEEE",
year = "2017",
month = dec,
day = "13",
doi = "10.1109/TSE.2017.2782813",
language = "English",
journal = "IEEE Transactions on Software Engineering",
issn = "0098-5589",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
}

RIS

TY - JOUR
T1 - The good, the bad and the ugly
T2 - a study of security decisions in a cyber-physical systems game
AU - Frey, Sylvain Andre Francis
AU - Rashid, Awais
AU - Anthonysamy, Pauline
AU - Pinto-Albuquerque, Maria
AU - Naqvi, Syed Asad Ali
N1 - © Copyright 2018 IEEE
PY - 2017/12/13
Y1 - 2017/12/13
N2 - Stakeholders' security decisions play a fundamental role in determining security requirements, yet, little is currently understood about how different stakeholder groups within an organisation approach security and the drivers and tacit biases underpinning their decisions. We studied and contrasted the security decisions of three demographics -- security experts, computer scientists and managers -- when playing a tabletop game that we designed and developed. The game tasks players with managing the security of a cyber-physical environment while facing various threats. Analysis of 12 groups of players (4 groups in each of our demographics) reveals strategies that repeat in particular demographics, e.g., managers and security experts generally favoring technological solutions over personnel training, which computer scientists preferred. Surprisingly, security experts were not ipso facto better players -- in some cases, they made very questionable decisions -- yet they showed a higher level of confidence in themselves. We classified players' decision-making processes, i.e., procedure-, experience-, scenario- or intuition-driven. We identified decision patterns, both good practices and typical errors and pitfalls. Our game provides a requirements sandbox in which players can experiment with security risks, learn about decision-making and its consequences, and reflect on their own perception of security.
AB - Stakeholders' security decisions play a fundamental role in determining security requirements, yet, little is currently understood about how different stakeholder groups within an organisation approach security and the drivers and tacit biases underpinning their decisions. We studied and contrasted the security decisions of three demographics -- security experts, computer scientists and managers -- when playing a tabletop game that we designed and developed. The game tasks players with managing the security of a cyber-physical environment while facing various threats. Analysis of 12 groups of players (4 groups in each of our demographics) reveals strategies that repeat in particular demographics, e.g., managers and security experts generally favoring technological solutions over personnel training, which computer scientists preferred. Surprisingly, security experts were not ipso facto better players -- in some cases, they made very questionable decisions -- yet they showed a higher level of confidence in themselves. We classified players' decision-making processes, i.e., procedure-, experience-, scenario- or intuition-driven. We identified decision patterns, both good practices and typical errors and pitfalls. Our game provides a requirements sandbox in which players can experiment with security risks, learn about decision-making and its consequences, and reflect on their own perception of security.
U2 - 10.1109/TSE.2017.2782813
DO - 10.1109/TSE.2017.2782813
M3 - Journal article
JO - IEEE Transactions on Software Engineering
JF - IEEE Transactions on Software Engineering
SN - 0098-5589
ER -