Assessing the usefulness of Data Flow Diagrams for validating security threats

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-04-30 DOI:10.1016/j.cose.2025.104498

Winnie Bahati Mbaka , Xinran Zhang , Yunduo Wang , Tong Li , Fabio Massacci , Katja Tuma

{"title":"Assessing the usefulness of Data Flow Diagrams for validating security threats","authors":"Winnie Bahati Mbaka , Xinran Zhang , Yunduo Wang , Tong Li , Fabio Massacci , Katja Tuma","doi":"10.1016/j.cose.2025.104498","DOIUrl":null,"url":null,"abstract":"<div><h3>Context:</h3><div>Threat analysis is a pillar of security-by-design which plays an important role in the elicitation and refinement of security threats. In preparation for the analysis, a model of the system under analysis e.g., the Data Flow Diagram (DFD for short) is often created.</div></div><div><h3>Problem:</h3><div>Empirical measures of success are important for practitioners that are struggling to meet the current demands for expertise. But no previous work has investigated the role of these diagrams during the validation of identified security threats.</div></div><div><h3>Methods:</h3><div>This paper presents an experiment conducted with 98 students in two countries. We measured the impact of the DFD on the perceived and actual effectiveness of validating a list of identified security threats including both fabricated and actual threats.</div></div><div><h3>Results:</h3><div>In presence of sequence diagrams, the participants perceived DFDs as more useful. However, when exposed to both a DFD and a sequence diagram, DFDs had no significant impact on the participants’ ability to validate security threats.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104498"},"PeriodicalIF":4.8000,"publicationDate":"2025-04-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825001865","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Context:

Threat analysis is a pillar of security-by-design which plays an important role in the elicitation and refinement of security threats. In preparation for the analysis, a model of the system under analysis e.g., the Data Flow Diagram (DFD for short) is often created.

Problem:

Empirical measures of success are important for practitioners that are struggling to meet the current demands for expertise. But no previous work has investigated the role of these diagrams during the validation of identified security threats.

Methods:

This paper presents an experiment conducted with 98 students in two countries. We measured the impact of the DFD on the perceived and actual effectiveness of validating a list of identified security threats including both fabricated and actual threats.

Results:

In presence of sequence diagrams, the participants perceived DFDs as more useful. However, when exposed to both a DFD and a sequence diagram, DFDs had no significant impact on the participants’ ability to validate security threats.

查看原文本刊更多论文

评估数据流程图对验证安全威胁的有用性

背景：威胁分析是设计安全的支柱，在安全威胁的提取和细化中起着重要作用。在准备分析时，通常会创建一个被分析系统的模型，例如数据流程图（简称DFD）。问题：对于正在努力满足当前专业知识需求的从业者来说，成功的经验度量是重要的。但是以前没有研究过这些图在确认已识别的安全威胁期间的作用。方法：对两个国家的98名学生进行实验。我们测量了DFD对验证已识别的安全威胁列表（包括虚构的和实际的威胁）的感知和实际有效性的影响。结果：在序列图的存在下，参与者认为dfd更有用。然而，当同时暴露于DFD和序列图时，DFD对参与者验证安全威胁的能力没有显著影响。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.