A limited technical background is sufficient for attack-defense tree acceptability: Dataset

Study description Attack-defense trees (ADTs) are a prominent graphical threat modeling method that is highly recommended for analyzing and communicating security-related information. Despite this, existing empirical studies of attack trees have established their acceptability only for users with highly technical (computer science) backgrounds while raising questions about their suitability for threat modeling stakeholders with a limited technical background. Our research addresses this gap by investigating the impact of the users' technical background on ADT acceptability in an empirical study. Our Method Evaluation Model-based study consisted of n=102 participants (53 with a strong computer science background and 49 with a limited computer science background) who were asked to complete a series of ADT-related tasks. By analyzing their responses and comparing the results, we reveal that a very limited technical background is sufficient for ADT acceptability. This finding underscores attack trees' viability as a threat modeling method. Artifact description This artifact includes the models (attack-defense trees) created by the participants in the study tasks, the study responses to perception questions (both Likert and short answer), the code used to statistically evaluate those survey responses, the study question text and images, the qualitative evaluation rubric for self-drawn ADTs, and the lecture plan and slides. With these artifacts, it should be possible to verify our results, organize training on attack-defense trees, and develop future studies of attack-defense tree acceptability.