Welcome to the companion web page for the research paper "Two threat analysis techniques compared: elements in isolation vs elements in context" submitted to ICSE 2017.
Abstract—According to some reports, as little as 33% of companies adopt architectural threat analysis as part of their secure development lifecycle. The authors are not entirely surprised, as there are many competing techniques and very little empirical evidence of their costs and benefits. In our personal experience, these factors are of hindrance to industrial adoption. In an initial attempt to systematize the research field of architectural threat analysis, this paper presents a comparative study of two threat analysis techniques. In particular, the experiment presented here compares two variants of Microsoft's STRIDE. The study analyzes their effectiveness in unearthing security threats (benefits) as well as the time that it takes to perform the analysis (cost). We also look into other human aspects which are important for industrial adoption, like, for instance, the perceived difficulty in learning and applying the techniques as well as the overall preference of our experimental participants.
On this page, you will find all the material referenced in the study:
1) Training material (slides of lectures),
2) Lab material, including an architectural description of the experimental object and the task
4) Entry and exit questionnaire