An exploratory comparison of security patterns and tactics to harden systems. In CIBSE 2014: Proceedings of the 17th Ibero-American Conference on Software Engineering, pages 378-391, 2014.
The software architecture community considers non-functional requirements as key factors in designing a system architecture, and several approaches have been proposed to address them, including "architectural tactics". Specialized technical communities have developed approaches from their own perspective; in particular, security researchers have proposed "security patterns". This article describes a systematic attempt to compare both approaches, through an experimental study of the impact of chosen approach and participants' experience on the quality and effort of design decisions by non-security experts. We gathered practicing developers and graduate students, each group including novices and experts; trained subjects in both techniques; gave them a relatively simple problem (a tsunami warning system under current development); and measured the rate of effectively addressed threats (quality) and elapsed time to answer (effort). Based on previous experience, we had conjectured that security patterns would improve novices' quality but security tactics would improve experts' speed; however, preliminary results indicate that while experts were better than novices at identifying threats, they are no better at mitigating them. Further introspection suggests that more mature theories of tactics and patterns are still required for experimental comparison of architectural approaches.
@inproceedings{84906052490,
    abstract = {The software architecture community considers non-functional requirements as key factors in designing a system architecture, and several approaches have been proposed to address them, including "architectural tactics". Specialized technical communities have developed approaches from their own perspective; in particular, security researchers have proposed "security patterns". This article describes a systematic attempt to compare both approaches, through an experimental study of the impact of chosen approach and participants' experience on the quality and effort of design decisions by non-security experts. We gathered practicing developers and graduate students, each group including novices and experts; trained subjects in both techniques; gave them a relatively simple problem (a tsunami warning system under current development); and measured the rate of effectively addressed threats (quality) and elapsed time to answer (effort). Based on previous experience, we had conjectured that security patterns would improve novices' quality but security tactics would improve experts' speed; however, preliminary results indicate that while experts were better than novices at identifying threats, they are no better at mitigating them. Further introspection suggests that more mature theories of tactics and patterns are still required for experimental comparison of architectural approaches.},
    year = "2014",
    title = "An exploratory comparison of security patterns and tactics to harden systems",
    pages = "378-391",
    booktitle = "CIBSE 2014: Proceedings of the 17th Ibero-American Conference on Software Engineering"
}
