July 9, 2024

Purdue University researchers win ASEE Best Paper Award for research integrating Systems Thinking in Threat Modeling

ECE Prof. James Davis is part of the team of researchers who wrote the paper based on three semesters' worth of training in cybersecurity in ECE's software engineering course.
James Davis, Assistant Professor of Electrical and Computer Engineering

Researchers from Purdue University won the American Society for Engineering Education’s (ASEE) Best Paper award for the Software Engineering Division. This work was an interdisciplinary collaboration between James Davis, Assistant Professor in Purdue’s Elmore Family School of Electrical & Computer Engineering, Kirsten A. Davis, Assistant Professor in Purdue’s School of Engineering Education, and their students, Siddhant S. Joshi (lead author), a Ph.D. candidate in Engineering Education, and Preeti Mukherjee, a Ph.D. student in Computer Engineering. The support for this research came from an ECE Agile Reform of Curriculum grant as well as in-kind contributions from ThreatModeler Software, Inc.

The work, entitled “Introducing Systems Thinking as a Framework for Teaching and Assessing Threat Modeling Competency,” reported on three semesters’ worth of training in cybersecurity in ECE’s software engineering course, ECE 461.

Computing systems are vulnerable to many cybersecurity threats. To counter these, the US National Institute of Standards and Technology (NIST) has called for improved training of software engineers in threat modeling, which helps engineers understand their system and the external threats it faces. In the paper, the research team described their new approach to teaching threat modeling.

Current teaching methods, such as the STRIDE framework, often focus on individual parts of a system and neglect the interactions between components. These approaches also lack a standard way to measure student skills in threat modeling.

To fix this, the researchers suggest integrating a concept called Systems Thinking into existing methods such as STRIDE. Systems thinking helps students analyze and address threats more comprehensively. The research team described how they integrated the two approaches, and they created and tested two new assessment instruments: one for measuring STRIDE performance and another for assessing systems thinking during STRIDE.

These tools were tested on advanced software engineering students at Purdue University. The students who learned both systems thinking and STRIDE identified and addressed both component and system threats. Meanwhile, the students who only learned STRIDE focused mainly on component threats. In summary, the contributions from this research include: (1) a new way to assess threat modeling with systems thinking, (2) the identification of patterns and gaps in students' threat modeling, and (3) a demonstration of the benefits of integrating systems thinking into threat modeling education.