Skip to main content
SpringerLink
Log in

Assessing the Understandability and Acceptance of Attack-Defense Trees for Modelling Security Requirements

  • Conference paper
  • First Online:
Requirements Engineering: Foundation for Software Quality (REFSQ 2024)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14588))

  • 220 Accesses

Abstract

Context and Motivation Attack-Defense Trees (ADTs) are a graphical notation used to model and assess security requirements. ADTs are widely popular, as they can facilitate communication between different stakeholders involved in system security evaluation, and they are formal enough to be verified, e.g., with model checkers.Question/Problem While the quality of this notation has been primarily assessed quantitatively, its understandability has never been evaluated despite being mentioned as a key factor for its success.Principal idea/Results In this paper, we conduct an experiment with 25 human subjects to assess the understandability and user acceptance of the ADT notation. The study focuses on performance-based variables and perception-based variables, with the aim of evaluating the relationship between these measures and how they might impact the practical use of the notation. The results confirm a good level of understandability of ADTs. Participants consider them useful, and they show intention to use them. Contribution This is the first study empirically supporting the understandability of ADTs, thereby contributing to the theory of security requirements engineering.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

References

  1. Abrahão, S., Insfrán, E., Carsí, J.A., Genero, M.: Evaluating requirements modeling methods based on user perceptions: a family of experiments. Inf. Sci. 181(16), 3356–3378 (2011)

    Article  Google Scholar 

  2. Audinot, M., Pinchinat, S., Kordy, B.: Is my attack tree correct? In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10492, pp. 83–102. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66402-6_7

    Chapter  Google Scholar 

  3. ter Beek, M.H., Legay, A., Lluch Lafuente, A., Vandin, A.: Quantitative security risk modeling and analysis with RisQFLan. Comput. Secur. 109, 102381 (2021)

    Article  Google Scholar 

  4. Broccia, G., ter Beek, M.H., Lluch Lafuente, A., Spoletini, P., Ferrari, A.: Assessing the Understandability of Attack-Defense Trees for Modelling Security Requirements: an Experimental Investigation - Supplementary Material. https://doi.org/10.5281/zenodo.10136730

  5. Broccia, G., Ferrari, A., ter Beek, M., Cazzola, W., Favalli, L., Bertolotti, F.: Evaluating a language workbench: from working memory capacity to comprehension to acceptance. In: Proceedings 31st International Conference on Program Comprehension (ICPC), pp. 54–58. IEEE (2023)

    Google Scholar 

  6. Buyens, K., De Win, B., Joosen, W.: Empirical and statistical analysis of risk analysis-driven techniques for threat management. In: Proceedings 2nd International Conference on Availability, Reliability and Security (ARES), pp. 1034–1041. IEEE (2007)

    Google Scholar 

  7. Davis, F.D.: Perceived usefulness, perceived ease of use, and user acceptance of information technology. MIS Q. 13, 319–340 (1989)

    Article  Google Scholar 

  8. Eisentraut, J., Holzer, S., Klioba, K., Křetínský, J., Pin, L., Wagner, A.: Assessing security of cryptocurrencies with attack-defense trees: proof of concept and future directions. In: Cerone, A., Ölveczky, P.C. (eds.) ICTAC 2021. LNCS, vol. 12819, pp. 214–234. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-85315-0_13

    Chapter  Google Scholar 

  9. Ezenwoye, O., Liu, Y.: Risk-based security requirements model for web software. In: Proceedings 30th International Requirements Engineering Conference Workshops (REW), pp. 232–237. IEEE (2022)

    Google Scholar 

  10. Fabian, B., Gürses, S., Heisel, M., Santen, T., Schmidt, H.: A comparison of security requirements engineering methods. Requir. Eng. 15, 7–40 (2010)

    Article  Google Scholar 

  11. Gadyatskaya, O., Trujillo-Rasua, R.: New directions in attack tree research: catching up with industrial needs. In: Liu, P., Mauw, S., Stølen, K. (eds.) GraMSec 2017. LNCS, vol. 10744, pp. 115–126. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-74860-3_9

    Chapter  Google Scholar 

  12. Giorgini, P., Mouratidis, H., Zannone, N.: Modelling Security and Trust with Secure Tropos. In: Integrating Security and Software Engineering: Advances and Future Visions, chap. 8, pp. 160–189. IGI Global (2007)

    Google Scholar 

  13. Iankoulova, I., Daneva, M.: Cloud computing security requirements: A systematic review. In: Proceedings 6th International Conference on Research Challenges in Information Science (RCIS), pp. 1–7. IEEE (2012)

    Google Scholar 

  14. Kordy, B., Kordy, P., Mauw, S., Schweitzer, P.: ADTool: security analysis with attack–defense trees. In: Joshi, K., Siegle, M., Stoelinga, M., D’Argenio, P.R. (eds.) QEST 2013. LNCS, vol. 8054, pp. 173–176. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40196-1_15

    Chapter  Google Scholar 

  15. Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Foundations of attack–defense trees. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 80–95. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19751-2_6

    Chapter  Google Scholar 

  16. Kordy, B., Wideł, W.: On quantitative analysis of attack–defense trees with repeated labels. In: Bauer, L., Küsters, R. (eds.) POST 2018. LNCS, vol. 10804, pp. 325–346. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89722-6_14

    Chapter  Google Scholar 

  17. Labunets, K., Massacci, F., Paci, F.: On the equivalence between graphical and tabular representations for security risk assessment. In: Grünbacher, P., Perini, A. (eds.) REFSQ 2017. LNCS, vol. 10153, pp. 191–208. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-54045-0_15

    Chapter  Google Scholar 

  18. Labunets, K., Massacci, F., Paci, F., Tran, L.M.S.: An experimental comparison of two risk-based security methods. In: Proceedings 7th International Symposium on Empirical Software Engineering and Measurement (ESEM), pp. 163–172. IEEE (2013)

    Google Scholar 

  19. Lallie, H.S., Debattista, K., Bal, J.: An empirical evaluation of the effectiveness of attack graphs and fault trees in cyber-attack perception. IEEE Trans. Inf. Forensics Secur. 13(5), 1110–1122 (2018)

    Article  Google Scholar 

  20. Lallie, H.S., Debattista, K., Bal, J.: A review of attack graph and attack tree visual syntax in cyber security. Comput. Sci. Rev. 35, 100219 (2020)

    Article  MathSciNet  Google Scholar 

  21. Liu, L., Yu, E.S.K., Mylopoulos, J.: Secure-I*: engineering secure software systems through social analysis. Int. J. Softw. Inform. 3(1), 89–120 (2009)

    Google Scholar 

  22. Lodderstedt, T., Basin, D., Doser, J.: SecureUML: a UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45800-X_33

    Chapter  Google Scholar 

  23. Mai, P.X., Goknil, A., Shar, L.K., Pastore, F., Briand, L.C., Shaame, S.: Modeling security and privacy requirements: a use case-driven approach. Inf. Softw. Technol. 100, 165–182 (2018)

    Article  Google Scholar 

  24. Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006). https://doi.org/10.1007/11734727_17

    Chapter  Google Scholar 

  25. Mayer, R.E.: Models for understanding. Rev. Educ. Res. 59(1), 43–64 (1989)

    Article  Google Scholar 

  26. Mellado, D., Blanco, C., Sanchez, L.E., Fernández-Medina, E.: A systematic review of security requirements engineering. Comput. Stand. Interfaces 32(4), 153–165 (2010)

    Article  Google Scholar 

  27. Moody, D.L.: Dealing with Complexity: A Practical Method for Representing Large Entity Relationship Models. Ph.D. thesis, University of Melbourne (2001)

    Google Scholar 

  28. Oliveira, D., Bruno, R., Madeiral, F., Castor, F.: Evaluating code readability and legibility: an examination of human-centric studies. In: Proceedings 36th International Conference on Software Maintenance and Evolution (ICSME), pp. 348–359. IEEE (2020)

    Google Scholar 

  29. Paja, E., Dalpiaz, F., Giorgini, P.: Modelling and reasoning about security requirements in socio-technical systems. Data Knowl. Eng. 98, 123–143 (2015)

    Article  Google Scholar 

  30. Salehie, M., Pasquale, L., Omoronyia, I., Ali, R., Nuseibeh, B.: Requirements-driven adaptive security: protecting variable assets at runtime. In: Proceedings 20th International Requirements Engineering Conference (RE), pp. 111–120. IEEE (2012)

    Google Scholar 

  31. Schneier, B.: Attack Trees. Dr. Dobb’s J. (1999)

    Google Scholar 

  32. Sharafi, Z., Marchetto, A., Susi, A., Antoniol, G., Guéhéneuc, Y.G.: An empirical study on the efficiency of graphical vs. textual representations in requirements comprehension. In: Proceedings 21st International Conference on Program Comprehension (ICPC), pp. 33–42. IEEE (2013)

    Google Scholar 

  33. Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requir. Eng. 10, 34–44 (2005)

    Article  Google Scholar 

  34. Souag, A., Mazo, R., Salinesi, C., Comyn-Wattiau, I.: Reusable knowledge in security requirements engineering: a systematic mapping study. Requir. Eng. 21, 251–283 (2016)

    Article  Google Scholar 

  35. Stein, D., Hanenberg, S., Unland, R.: A graphical notation to specify model queries for MDA transformations on UML models. In: Aßmann, U., Aksit, M., Rensink, A. (eds.) MDAFA 2003-2004. LNCS, vol. 3599, pp. 77–92. Springer, Heidelberg (2005). https://doi.org/10.1007/11538097_6

    Chapter  Google Scholar 

  36. Vesely, W.E., Goldberg, F.F., Roberts, N.H., Haasl, D.F.: Fault Tree Handbook. Technical Report NUREG-0492, Nuclear Regulatory Commission, USA (1981)

    Google Scholar 

  37. Villamizar, H., Kalinowski, M., Viana, M., Fernández, D.M.: A systematic mapping study on security in agile requirements engineering. In: Proceedings 44th Euromicro Conference on Software Engineering and Advanced Applications (SEAA), pp. 454–461. IEEE (2018)

    Google Scholar 

  38. Wideł, W., Audinot, M., Fila, B., Pinchinat, S.: Beyond 2014: formal methods for attack tree-based security modeling. ACM Comput. Surv. 52(4), 75:1-75:36 (2019)

    Google Scholar 

  39. Zareen, S., Akram, A., Khan, S.A.: Security requirements engineering framework with BPMN 2.0.2 extension model for development of information systems. Appl. Sci. 10(14), 4981 (2020)

    Article  Google Scholar 

Download references

Acknowledgements

Research supported by the Italian MUR–PRIN 2020TL3X8X project T-LADIES (Typeful Language Adaptation for Dynamic, Interacting and Evolving Systems); by Innovation Fund Denmark and the Digital Research Centre Denmark, through the bridge project “SIOT - Secure Internet of Things - Risk analysis in design and operation”; by Industriens Fond through the project “Sb3D: Security-by-Design in Digital Denmark”; and by the EU Project CODECS GA 101060179. The authors would like to thank all the participants of the study.

Author information

Authors and Affiliations

  1. ISTI-CNR, Pisa, Italy

    Giovanna Broccia, Maurice H. ter Beek & Alessio Ferrari

  2. DTU, Lyngby, Denmark

    Alberto Lluch Lafuente

  3. Kennesaw State University, GA, USA

    Paola Spoletini

Authors
  1. Giovanna Broccia
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Maurice H. ter Beek
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Alberto Lluch Lafuente
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Paola Spoletini
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Alessio Ferrari
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Giovanna Broccia .

Editor information

Editors and Affiliations

  1. Blekinge Institute of Technology, Karlskrona, Sweden

    Daniel Mendez

  2. NOVA University Lisbon, Lisbon, Portugal

    Ana Moreira

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Broccia, G., ter Beek, M.H., Lluch Lafuente, A., Spoletini, P., Ferrari, A. (2024). Assessing the Understandability and Acceptance of Attack-Defense Trees for Modelling Security Requirements. In: Mendez, D., Moreira, A. (eds) Requirements Engineering: Foundation for Software Quality. REFSQ 2024. Lecture Notes in Computer Science, vol 14588. Springer, Cham. https://doi.org/10.1007/978-3-031-57327-9_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-57327-9_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-57326-2

  • Online ISBN: 978-3-031-57327-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation