Deriving Usability Evaluation Criteria for Threat Modeling Tools

  • In-no Hwang (ICSP (Institute of Cyber Security & Privacy), School of Cybersecurity, Korea University) ;
  • Young-seop Shin (LIG NEX1) ;
  • Hyun-suk Cho (LIG NEX1) ;
  • Seung-joo Kim (ICSP (Institute of Cyber Security & Privacy), School of Cybersecurity, Korea University)
  • Received: 2024.03.25
  • Reviewed: 2024.07.25
  • Published: 2024.08.31

Abstract

As the domestic and international environment changes rapidly, implementing protective measures against the security threats that organizations face is becoming increasingly important. In this context, the need for Security by Design (SbD), which integrates security from the earliest design stages, is becoming more pronounced, and threat modeling is recognized as a core SbD practice. In particular, applying a Shift Left strategy, which saves cost and time by finding and fixing security problems early, requires that staff without deep security expertise, such as software developers, carry out threat modeling themselves. Although a variety of automated threat modeling tools have been released, their limited usability for staff who lack security expertise constrains how effectively threat modeling can be performed. To address this, we analyzed prior research on threat modeling tools and derived usability evaluation criteria based on the GQM (Goal-Question-Metric) approach. An expert survey on the derived criteria was conducted to establish their validity and objectivity. We then evaluated the usability of three threat modeling tools (MS TMT, SPARTA, PyTM); the results showed that MS TMT scored higher on usability than the other two tools. By proposing usability evaluation criteria, this study aims to contribute to an environment in which staff with limited security expertise can also perform threat modeling effectively.

Funding

This research was supported by an LIG NEX1 industry-academia collaboration project.
