Publication

A descriptive study of Microsoft's threat modeling technique

Journal contribution - Journal article

Microsoft's STRIDE is a popular threat modeling technique commonly used to discover the security weaknesses of a software system. Despite its successful adoption, to date no empirical study has been carried out to quantify its cost and effectiveness. The contribution of this paper is the evaluation of STRIDE via a descriptive study that involved 57 students in their last master year in computer science. The study addresses three research questions. First, it assesses how many valid threats per hour are produced on average. Second, it evaluates the correctness of the analysis results by looking at the average number of false positives, i.e., the incorrect threats. Finally, it determines the completeness of the analysis results by looking at the average number of false negatives, i.e., the overlooked threats.
Journal: Requirements Engineering Journal
ISSN: 0947-3602
Issue: 2
Volume: 20
Pages: 163 - 180
Year of publication: 2013
BOF-keylabel: yes
IOF-keylabel: yes
BOF-publication weight: 1
CSS-citation score: 2
Authors from: Higher Education
Accessibility: Open