Skip to content

The Good, the Bad and the Ugly: A Study of Security Decisions in a Cyber-Physical Systems Game

Research output: Contribution to journalArticle

Original languageEnglish
Article number8194898
Pages (from-to)521-536
Number of pages16
JournalIEEE Transactions on Software Engineering
Issue number5
Early online date13 Dec 2017
DateAccepted/In press - 27 Oct 2017
DateE-pub ahead of print - 13 Dec 2017
DatePublished (current) - 1 May 2019


Stakeholders' security decisions play a fundamental role in determining security requirements, yet, little is currently understood about how different stakeholder groups within an organisation approach security and the drivers and tacit biases underpinning their decisions. We studied and contrasted the security decisions of three demographics-security experts, computer scientists and managers-when playing a tabletop game that we designed and developed. The game tasks players with managing the security of a cyber-physical environment while facing various threats. Analysis of 12 groups of players (4 groups in each of our demographics) reveals strategies that repeat in particular demographics, e.g., managers and security experts generally favoring technological solutions over personnel training, which computer scientists preferred. Surprisingly, security experts were not ipso facto better players-in some cases, they made very questionable decisions-yet they showed a higher level of confidence in themselves. We classified players' decision-making processes, i.e., procedure-, experience-, scenario- or intuition-driven. We identified decision patterns, both good practices and typical errors and pitfalls. Our game provides a requirements sandbox in which players can experiment with security risks, learn about decision-making and its consequences, and reflect on their own perception of security.

    Structured keywords

  • Cyber Security

    Research areas

  • Security decisions, Security Requirements, decision patterns, games

Download statistics

No data available



  • Full-text PDF (final published version)

    Rights statement: This is the final published version of the article (version of record). It first appeared online via IEEE at . Please refer to any applicable terms of use of the publisher.

    Final published version, 917 KB, PDF document

    Licence: CC BY


View research connections

Related faculties, schools or groups