Official project title: "Empirical Evaluation of a Threat Modeling Language as a Cybersecurity Assessment Tool"
(Former title: "Evaluating the Correctness of Domain-Specific Threat Modeling Languages")
- Active members:
  - Sotirios Katsikeas
  - Engla Rencelj Ling
  - Pontus Johnson
  - Mathias Ekstedt
- Status: completed 🟢
- Timeline: 2022-2023
- Parent project: coreLang
In this work, we aim to assess the trustworthiness and reliability of a domain-specific threat modeling language by applying an empirical method that we propose to coreLang, one of our previously developed DSLs. The evaluation is based on comparing the results of attack simulations generated by the threat modeling language against assessments made by human cybersecurity domain experts, penetration testing training data, and random guessers.
The initial hypothesis we are working with is that the simulation results will, on average, exhibit equal or greater correctness than assessments made by human experts, especially when the complexity of the analyzed system is high. If our hypothesis is confirmed, we would be content, as it would indicate that coreLang's simulation results could be effectively employed for decision support and improve the effectiveness of real-life cybersecurity assessments.
- Create a solid plan on how this validation should be done
- Create the infrastructure to be used in the validation
- Perform the experiments with the human domain experts
- Analyse the results of the validation
- Author the article
- Submit the article for publication at Elsevier's Computers & Security
- The article is published and is available here
- MAL - Meta Attack Language
- coreLang
- The coreLang model used for this study can be made available on demand
This is a project run by the Software Systems Architecture and Security research group within the Division of Network and Systems Engineering at the Department of Computer Science at the School of Electrical Engineering and Computer Science @ KTH university.
For more of our projects, see the SSAS page at github.com.