Ben Shreeve scite author profile

2014

There is a broad consensus that understanding system desiderata (requirements) and design creativity are both important for software engineering success. However, little research has addressed the relationship between design creativity and the way requirements are framed or presented. This paper therefore aims to investigate the possibility that the way desiderata are framed or presented can affect design creativity. Forty two participants took part in a randomized control trial where one group received desiderata framed as "requirements" while the other received desiderata framed as "ideas". Participants produced design concepts which were judged for originality. Participants who received requirements framing produced significantly less original designs than participants who received ideas framing (MannWhitney U=116.5, p=0.004). We conclude that framing desiderata as "requirements" may cause requirements fixation where designers' preoccupation with satisfying explicit requirements inhibits their creativity.

“Do this! Do that!, and Nothing will Happen” Do Specifications Lead to Securely Stored Passwords?

Hallett

Patnaik

et al. 2021

“So if Mr Blue Head here clicks the link...” Risk Thinking in Cyber Security Decision Making

ACM Trans. Priv. Secur.

Hallett

Edwards

et al. 2020

Cyber security decision making is inherently complicated, with nearly every decision having knock-on consequences for an organisation’s vulnerability and exposure. This is further compounded by the fact that decision-making actors are rarely security experts and may have an incomplete understanding of the security that the organisation currently has in place. They must contend with a multitude of possible security options that they may only partially understand. This challenge is met by decision makers’ risk thinking —their strategies for identifying risks, assessing their severity, and prioritising responses. We study the risk thinking strategies employed by teams of participants in an existing dataset derived from a tabletop cyber-physical systems security game. Our analysis identifies four structural patterns of risk thinking and two reasoning strategies: risk-first and opportunity-first . Our work highlights that risk-first approaches (as prescribed by the likes of NIST-800-53 and ISO 27001) are followed neither substantially nor exclusively when it comes to decision making. Instead, our analysis finds that decision making is affected by the plasticity of teams—that is, the ability to readily switch between ideas and practising both risk-first and opportunity-first reasoning.

The Best Laid Plans or Lack Thereof: Security Decision-Making of Different Stakeholder Groups

IIEEE Trans. Software Eng.

Hallett

Edwards

et al. 2022

Cyber security requirements are influenced by the priorities and decisions of a range of stakeholders. Board members and CISOs determine strategic priorities. Managers have responsibility for resource allocation and project management. Legal professionals concern themselves with regulatory compliance. Little is understood about how the security decision-making approaches of these different stakeholders contrast, and if particular groups of stakeholders have a better appreciation of security requirements during decision-making. Are risk analysts better decision makers than CISOs? Do security experts exhibit more effective strategies than board members? This paper explores the effect that different experience and diversity of expertise has on the quality of a team's cyber security decision-making and whether teams with members from more varied backgrounds perform better than those with more focused, homogeneous skill sets. Using data from 208 sessions and 948 players of a tabletop game run in the wild by a major national organization over 16 months, we explore how choices are affected by player background (e.g., cyber security experts versus risk analysts, board-level decision makers versus technical experts) and different team make-ups (homogeneous teams of security experts versus various mixes). We find that no group of experts makes significantly better game decisions than anyone else, and that their biases lead them to not fully comprehend what they are defending or how the defenses work. ! 1. www.decisions-disruptions.org 2. 13 additional recordings were untranscribable due to noise.

Making Sense of the Unknown: How Managers Make Cyber Security Decisions

ACM Trans. Softw. Eng. Methodol.

Gralha

Rashid

et al. 2023

Managers rarely have deep knowledge of cyber security, and yet are expected to make decisions with cyber security implications for software-based systems. We investigate the decision-making conversations of 7 teams of senior managers from the same organisation, as they complete the Decisions&Disruptions (D-D) cyber security exercise. We use Grounded Theory to situate our analysis of their decision-making and help us explore how these complex socio-cognitive interactions occur. We have developed a goal-model (using iStar 2.0) of the teams’ dialogue which illustrates what cyber security goals teams identify and how they operationalise their decisions to reach these goals. We complement this with our model of cyber security reasoning which describes how these teams make their decisions, showing how each team members’ experience, intuition and understanding affects the team’s overall shared reasoning and decision-making. Our findings show how managers with little cyber security expertise are able to use logic and traditional risk management thinking to make cyber security decisions. Despite their lack of cyber security specific training they demonstrate reasoning which closely resembles the decision-making approaches espoused in cyber security specific standards (e.g., NIST/ISO). Our work demonstrates how organisations and practitioners can enrich goal modelling to capture not only what security goals an organisation has (and how they can operationalise them) but also how and why these goals have been identified. Ultimately, non-cyber security experts can develop their cyber security model based on their current context (and update it when new requirements appear or new incidents happen), whilst capturing their reasoning at every stage.