Saved in:
Bibliographic Details
Main Authors: Schiele, Nathan Daniel, Gadyatskaya, Olga
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2502.11920
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866916665574293504
author Schiele, Nathan Daniel
Gadyatskaya, Olga
author_facet Schiele, Nathan Daniel
Gadyatskaya, Olga
contents Attack-defense trees (ADTs) are a prominent graphical threat modeling method that is highly recommended for analyzing and communicating security-related information. Despite this, existing empirical studies of attack trees have established their acceptability only for users with highly technical (computer science) backgrounds while raising questions about their suitability for threat modeling stakeholders with a limited technical background. Our research addresses this gap by investigating the impact of the users' technical background on ADT acceptability in an empirical study. Our Method Evaluation Model-based study consisted of n = 102 participants (53 with a strong computer science background and 49 with a limited computer science background) who were asked to complete a series of ADT-related tasks. By analyzing their responses and comparing the results, we reveal that a very limited technical background is sufficient for ADT acceptability. This finding underscores attack trees' viability as a threat modeling method.
format Preprint
id arxiv_https___arxiv_org_abs_2502_11920
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle A limited technical background is sufficient for attack-defense tree acceptability
Schiele, Nathan Daniel
Gadyatskaya, Olga
Cryptography and Security
Attack-defense trees (ADTs) are a prominent graphical threat modeling method that is highly recommended for analyzing and communicating security-related information. Despite this, existing empirical studies of attack trees have established their acceptability only for users with highly technical (computer science) backgrounds while raising questions about their suitability for threat modeling stakeholders with a limited technical background. Our research addresses this gap by investigating the impact of the users' technical background on ADT acceptability in an empirical study. Our Method Evaluation Model-based study consisted of n = 102 participants (53 with a strong computer science background and 49 with a limited computer science background) who were asked to complete a series of ADT-related tasks. By analyzing their responses and comparing the results, we reveal that a very limited technical background is sufficient for ADT acceptability. This finding underscores attack trees' viability as a threat modeling method.
title A limited technical background is sufficient for attack-defense tree acceptability
topic Cryptography and Security
url https://arxiv.org/abs/2502.11920