Threat and risk analysis is often performed in organizations to identify and mitigate security risks early-on in the software development life-cycle. Despite efforts to automate parts of the analysis [1-2], teams of experts still manually analyze large architectural diagrams and discuss the threats in practice. Though generally perceived as beneficial by practitioners, the quality of analysis is difficult to improve. Due to its manual execution, the quality heavily depends on the human analyst in the room. Particularly, collective domain knowledge and skills are surely important factors. But, evidence of groupthink  in similar analysis sessions suggests that knowledge is not always contributed (equally) by all participants. Previous experiments [4-7] with students and experts have focused on measuring quantitative performance of teams in terms of analysis outcomes but have neglected the human factors that come into play.
|In general, no existing study has measured the effects of gender diversity (or diversity in general) on threat and risk analysis in IT systems. Yet these very IT systems rule our lives. Are risks perceived differently (or equally) by male or female analysis?|
RQ: What is the effect of gender diversity (and other diversity parameters) on threat and risk analysis?
|Although it is yet unclear how gender diversity affects threat and risk analysis discussions, some scholars argue we are facing a diversity crisis . Conversely, studies have demonstrated how gender diversity can be beneficial for decision making and progress, once effectively incorporated [9-12].|
We propose to scientifically explore the role of diversity in threat and risk analysis by: (i) leveraging an existing dataset  and piloting a study with master students, (ii) co-designing a diversity intervention tailored to the context of threat and risk analysis, and (iii) conducting experimental validations of the intervention in an academic setting.
Researchers: Katja Tuma, Romy van der Lee