A grounded analysis of experts' decision-making during security assessments

Security analysis requires specialized knowledge to align threats and vulnerabilities in information technology. To identify mitigations, analysts need to understand how threats, vulnerabilities, and mitigations are composed together to yield security requirements. Despite abundant guidance, in the form of checklists and controls, about how to secure systems, evidence suggests that security experts do not apply these checklists. Instead, they rely on their prior knowledge and experience to identify security vulnerabilities. To better understand the different effects of checklists, design analysis, and expertise, we conducted a series of interviews to capture and encode the decision-making process of security experts and novices during three security analysis exercises. Participants were asked to analyze three kinds of artifact (source code, data flow diagrams, and network diagrams) for vulnerabilities, and then to apply a requirements checklist to demonstrate their ability to mitigate those vulnerabilities. We framed our study using Situation Awareness, a theory of human perception, which we used to elicit interviewee responses. The responses were then analyzed using coding theory and grounded analysis. Our results include decision-making patterns that characterize how analysts perceive, comprehend, and project future threats against a system, and how these patterns relate to selecting security mitigations. Based on this analysis, we discovered new theory to measure how security experts and novices apply attack models, and how structured and unstructured analysis increases coverage of security requirements. We highlight the roles of expertise level and requirements composition in security decision-making, and we discuss how our method produced new hypotheses about security analysis and decision-making.