A descriptive study of assumptions in STRIDE security threat modeling

Landuyt, Dimitri Van; Joosen, Wouter

doi:10.1007/s10270-021-00941-7

Cited by 15 publications

(5 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…1: The four-step framework for threat modelling techniques issue of modelling with the STRIDE is that as the system's complexity grows, so does the number of threats. Another drawback of STRIDE is that it cannot guarantee to model the system's data privacy threats [31].…”

Section: Stride Is a Model-based Threat Modelling Technique Developed...mentioning

confidence: 99%

Data Privacy Threat Modelling for Autonomous Systems: A Survey From the GDPR's Perspective

Azam

Michala

Ansari

et al. 2023

IEEE Trans. Big Data

View full text Add to dashboard Cite

Intelligence-based applications have been increasingly deployed in every field of life including smart homes, smart cities, healthcare services, and autonomous systems where personal data is collected across heterogeneous sources and processed using "black-box" algorithms in opaque centralised servers. As a consequence, preserving the data privacy and security of these applications is of utmost importance. In this respect, a modelling technique for identifying potential data privacy threats and specifying countermeasures to mitigate the related vulnerabilities in such AI-based systems plays a significant role in preserving and securing personal data. Various threat modelling techniques have been proposed such as STRIDE, LINDDUN, and PASTA but none of them is sufficient to model the data privacy threats in autonomous systems. Furthermore, they are not designed to model compliance with data protection legislation like the EU/UK General Data Protection Regulation (GDPR), which is fundamental to protecting data owners' privacy as well as to preventing personal data from potential privacy-related attacks. In this article, we survey the existing threat modelling techniques for data privacy threats in autonomous systems and then analyse such techniques from the viewpoint of GDPR compliance. Following the analysis, We employ STRIDE and LINDDUN in autonomous cars, a specific use-case of autonomous systems, to scrutinise the challenges and gaps of the existing techniques when modelling data privacy threats. Prospective research directions for refining data privacy threats & GDPR-compliance modelling techniques for autonomous systems are also presented.

show abstract

Section: Stride Is a Model-based Threat Modelling Technique Developed...mentioning

confidence: 99%

Data Privacy Threat Modelling for Autonomous Systems: A Survey From the GDPR's Perspective

Azam

Michala

Ansari

et al. 2023

IEEE Trans. Big Data

View full text Add to dashboard Cite

show abstract

“…Assumptions are often implicit and dynamic in nature (i.e., they can be invalidated and modified as the project evolves). Van Landuyt and Joosen [40] find that the majority of assumptions (created by students during STRIDE) were used to either justify an existence of threats or are used to eliminate threats. In [40] a substantial subset (78%) of the assumptions was in direct reference to security-related concepts (i.e., security assumptions), however also domain assumptions (statements about component functionalities) were made.…”

Section: Independentmentioning

confidence: 99%

“…Van Landuyt and Joosen [40] find that the majority of assumptions (created by students during STRIDE) were used to either justify an existence of threats or are used to eliminate threats. In [40] a substantial subset (78%) of the assumptions was in direct reference to security-related concepts (i.e., security assumptions), however also domain assumptions (statements about component functionalities) were made. Thus, we are interested to investigate the effect of diversity dimensions on the type of assumptions.…”

Section: Independentmentioning

confidence: 99%

“…Empirical evidence of threat analysis performance indicators is a crucial piece of the puzzle to improve the situation. But, past empirical studies were either inconclusive about some performance indicators [38] or have focused on measuring performance indicators irrespective of the human factors [31,37,40]. Yet measuring such human factors is pivotal to understanding how to close the security workforce gap in the future.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Human Aspect of Threat Analysis: A Replication

Tuma¹,

Mbaka²

2022

Preprint

View full text Add to dashboard Cite

Background: Organizations are experiencing an increasing demand for security-by-design activities (e.g., STRIDE analyses) which require a high manual effort. This situation is worsened by the current lack of diverse (and sufficient) security workforce and inconclusive results from past studies. To date, the deciding human factors (e.g., diversity dimensions) that play a role in threat analysis have not been sufficiently explored.Objective: To address this issue, we plan to conduct a series of exploratory controlled experiments. The main objective is to empirically measure the human-aspects that play a role in threat analysis alongside the more well-known measures of analysis performance. Method: We design the experiments as a differentiated replication of past experiments with STRIDE. The replication design is aimed at capturing some similar measures (e.g., of outcome quality) and additional measures (e.g., diversity dimensions). We plan to conduct the experiments in an academic setting. Limitations: Obtaining a balanced population (e.g., wrt gender) in advanced computer science courses is not realistic. The experiments we plan to conduct with MSc level students will certainly suffer this limitation.

show abstract

“…They can be identified when the diagram is built and they can arise during the analysis. Landuyt [49] defines threat assumptions as information used to hypothesise certain system properties that are relevant to the attack identified. Threat assumptions are important in threat analysis as they can be used to justify threat existence and prioritise mitigation efforts.…”

Section: Appendix A: Stride-per-element Vs Per-interactionmentioning

confidence: 99%

A replication of a controlled experiment with two STRIDE variants

Mbaka¹,

Tuma²

2022

Preprint

View full text Add to dashboard Cite

To avoid costly security patching after software deployment, securityby-design techniques (e.g., STRIDE threat analysis) are adopted in organizations to root out security issues before the system is ever implemented. Despite the global gap in cybersecurity workforce and the high manual effort required for performing threat analysis, organizations are ramping up threat analysis activities. However, past experimental results were inconclusive regarding some performance indicators of threat analysis techniques thus practitioners have little evidence for choosing the technique to adopt. To address this issue, we replicated a controlled experiment with STRIDE. Our study was aimed at measuring and comparing the performance indicators (productivity and precision) of two STRIDE variants (element and interaction). We conclude the paper by comparing our results to the original study. CCS CONCEPTS• Software and its engineering; • General and reference → Empirical studies;

show abstract

A descriptive study of assumptions in STRIDE security threat modeling

Cited by 15 publications

References 34 publications

Data Privacy Threat Modelling for Autonomous Systems: A Survey From the GDPR's Perspective

Data Privacy Threat Modelling for Autonomous Systems: A Survey From the GDPR's Perspective

Human Aspect of Threat Analysis: A Replication

A replication of a controlled experiment with two STRIDE variants

Contact Info

Product

Resources

About