The effect of security education and expertise on security assessments: the case of software vulnerabilities

L. Allodi, M. Cremonini, Fabio Massacci, W. Shim

Research output: Contribution to conference › Paper › Academic

Abstract

In spite of the growing importance of software security and the industry demand for more cyber security expertise in the workforce, the effect of security education and experience on the ability to assess complex software security problems has only recently been investigated. As a proxy for the full range of software security skills, we considered the problem of assessing the severity of software vulnerabilities by means of a structured analysis methodology widely used in industry, the Common Vulnerability Scoring System (CVSS) v3, and designed a study to compare how accurately individuals with a background in information technology but different professional experience and education in cyber security are able to assess the severity of software vulnerabilities. Our results provide some structural insights into the complex relationship between the education or experience of assessors and the quality of their assessments. In particular, we find that individual characteristics matter more than professional experience or formal education: it is the combination of skills that one possesses (including actual knowledge of the system under study), rather than specialization or years of experience, that most influences assessment quality. Similarly, we find that the overall advantage conferred by professional expertise depends significantly on the composition of the individual's security skills as well as on the available information.

Conference

Conference: 17th Annual Workshop on the Economics of Information Security (WEIS 2018)
Abbreviated title: WEIS 2018
Country: Austria
City: Innsbruck
Period: 18/06/18 - 19/06/18
Internet address: http://weis2018.econinfosec.org/

Cite this

Allodi, L., Cremonini, M., Massacci, F., & Shim, W. (2018). The effect of security education and expertise on security assessments: the case of software vulnerabilities. Paper presented at 17th Annual Workshop on the Economics of Information Security (WEIS 2018), Innsbruck, Austria.
@conference{28a1d254e4b64537a68a65d367feea18,
title = "The effect of security education and expertise on security assessments: the case of software vulnerabilities",
author = "L. Allodi and M. Cremonini and Fabio Massacci and W. Shim",
year = "2018",
month = "8",
day = "1",
language = "English",
note = "17th Annual Workshop on the Economics of Information Security (WEIS 2018), WEIS 2018 ; Conference date: 18-06-2018 Through 19-06-2018",
url = "http://weis2018.econinfosec.org/",

}