University of Southampton Institutional Repository

The Good, the Bad and the Ugly: A Study of Security Decisions in a Cyber-Physical Systems Game



Frey, Sylvain, Rashid, Awais, Anthonysamy, Pauline, Pinto-Albuquerque, Maria and Naqvi, Syed Asad (2017) The Good, the Bad and the Ugly: A Study of Security Decisions in a Cyber-Physical Systems Game. IEEE Transactions on Software Engineering. (doi:10.1109/TSE.2017.2782813).

Record type: Article

Abstract

Stakeholders' security decisions play a fundamental role in determining security requirements, yet little is currently understood about how different stakeholder groups within an organisation approach security and the drivers and tacit biases underpinning their decisions. We studied and contrasted the security decisions of three demographics -- security experts, computer scientists and managers -- when playing a tabletop game that we designed and developed. The game tasks players with managing the security of a cyber-physical environment while facing various threats. Analysis of 12 groups of players (4 groups in each of our demographics) reveals strategies that repeat in particular demographics, e.g., managers and security experts generally favouring technological solutions over personnel training, which computer scientists preferred. Surprisingly, security experts were not ipso facto better players -- in some cases, they made very questionable decisions -- yet they showed a higher level of confidence in themselves. We classified players' decision-making processes, i.e., procedure-, experience-, scenario- or intuition-driven. We identified decision patterns, both good practices and typical errors and pitfalls. Our game provides a requirements sandbox in which players can experiment with security risks, learn about decision-making and its consequences, and reflect on their own perception of security.

This record has no associated files available for download.

More information

Accepted/In Press date: 12 December 2017
e-pub ahead of print date: 13 December 2017
Keywords: Companies, Computer security, decision patterns, Electronic mail, game, Games, Security decisions, security requirements

Identifiers

Local EPrints ID: 417694
URI: http://eprints.soton.ac.uk/id/eprint/417694
ISSN: 0098-5589
PURE UUID: d301e57b-2688-44dc-a455-5e818c82a6d9
ORCID for Sylvain Frey: orcid.org/0000-0003-2551-7455

Catalogue record

Date deposited: 12 Feb 2018 17:30
Last modified: 15 Mar 2024 18:23

Contributors

Author: Sylvain Frey
Author: Awais Rashid
Author: Pauline Anthonysamy
Author: Maria Pinto-Albuquerque
Author: Syed Asad Naqvi
