The Good, the Bad and the Ugly: A Study of Security Decisions in a Cyber-Physical Systems Game
Open Access
- 1 May 2019
- journal article
- research article
- Published by Institute of Electrical and Electronics Engineers (IEEE) in IEEE Transactions on Software Engineering
- Vol. 45 (5), 521-536
- https://doi.org/10.1109/TSE.2017.2782813
Abstract
Stakeholders' security decisions play a fundamental role in determining security requirements, yet little is currently understood about how different stakeholder groups within an organisation approach security and the drivers and tacit biases underpinning their decisions. We studied and contrasted the security decisions of three demographics (security experts, computer scientists and managers) when playing a tabletop game that we designed and developed. The game tasks players with managing the security of a cyber-physical environment while facing various threats. Analysis of 12 groups of players (4 groups in each of our demographics) reveals strategies that repeat in particular demographics, e.g., managers and security experts generally favoring technological solutions over personnel training, which computer scientists preferred. Surprisingly, security experts were not ipso facto better players (in some cases, they made very questionable decisions), yet they showed a higher level of confidence in themselves. We classified players' decision-making processes, i.e., procedure-, experience-, scenario- or intuition-driven. We identified decision patterns, both good practices and typical errors and pitfalls. Our game provides a requirements sandbox in which players can experiment with security risks, learn about decision-making and its consequences, and reflect on their own perception of security.
Funding Information
- UK Engineering and Physical Science Research Council (EP/M002780/1)