Threat model learnability
Summary
This thesis examines ways to evaluate the learnability of threat modelling methods. There currently exists no other research into this topic.
Through a narrative review, we defined threat modelling learnability and identified the aspects relevant to threat modelling and the metrics required to measure them. To test these aspects and metrics, we conducted an experiment comparing the learnability of Attack-Defence Trees (ADT) and CORAS. We identified five aspects of learnability relevant to threat modelling methods: efficiency, effectiveness, memorability, intuitiveness and satisfaction. We did not detect a statistically significant difference between ADT and CORAS on any of the learnability aspects, although slight differences did exist in the data. More research is required to further examine these differences.