Computing systems face diverse and substantial cybersecurity threats. To mitigate these cybersecurity threats, software engineers need to be competent in the skill of threat modeling. In industry and academia, there are many frameworks for teaching threat modeling, but our analysis of these frameworks suggests that (1) these approaches tend to be focused on component-level analysis rather than educating students to reason holistically about a system's cybersecurity, and (2) there is no rubric for assessing a student's threat modeling competency. To address these concerns, we propose using systems thinking in conjunction with popular and industry-standard threat modeling frameworks like STRIDE for teaching and assessing threat modeling competency. Prior studies suggest a holistic approach, like systems thinking, can help understand and mitigate cybersecurity threats. Thus, we developed and piloted two novel rubrics - one for assessing STRIDE threat modeling performance and the other for assessing systems thinking performance while conducting STRIDE. To conduct this study, we piloted the two rubrics mentioned above to assess threat model artifacts of students enrolled in an upper-level software engineering course at Purdue University in Fall 2021, Spring 2023, and Fall 2023. Students who had both systems thinking and STRIDE instruction identified and attempted to mitigate component-level as well as systems-level threats. Students with only STRIDE instruction tended to focus on identifying and mitigating component-level threats and discounted system-level threats. We contribute to engineering education by: (1) describing a new rubric for assessing threat modeling based on systems thinking; (2) identifying trends and blindspots in students' threat modeling approach; and (3) envisioning the benefits of integrating systems thinking in threat modeling teaching and assessment.

翻译：计算系统面临多样且重大的网络安全威胁。为缓解这些网络安全威胁，软件工程师需要具备威胁建模这一技能。在工业界和学术界，存在许多教学威胁建模的框架，但我们对这些框架的分析表明：(1) 这些方法往往侧重于组件级分析，而非培养学生对系统网络安全进行整体推理的能力；(2) 缺乏评估学生威胁建模能力的评分标准。为解决这些问题，我们提出将系统思维与行业标准威胁建模框架（如STRIDE）结合使用，以教学和评估威胁建模能力。先前研究表明，系统思维等整体性方法有助于理解和缓解网络安全威胁。因此，我们开发并试行了两套新型评分标准——一套用于评估STRIDE威胁建模表现，另一套用于评估执行STRIDE时的系统思维表现。我们于2021年秋季、2023年春季和2023年秋季在普渡大学高年级软件工程课程中，使用上述两套评分标准评估学生的威胁建模成果。同时接受系统思维与STRIDE教学的学生识别并尝试缓解了组件级和系统级威胁。仅接受STRIDE教学的学生则倾向于聚焦于识别和缓解组件级威胁，而忽视系统级威胁。我们对工程教育的贡献包括：(1) 描述了一种基于系统思维的威胁建模评估新评分标准；(2) 识别了学生威胁建模方法中的趋势与盲点；(3) 展望了将系统思维融入威胁建模教学与评估的益处。