Threat modeling (TM) is an important aspect of risk analysis and secure software engineering. Graphical threat models are a recommended tool to analyze and communicate threat information. However, the comparison of different graphical threat models, and the acceptability of these threat models for an audience with a limited technical background, is not well understood, despite these users making up a sizable portion of the cybersecurity industry. We seek to compare the acceptability of three general, graphical threat models, Attack-Defense Trees (ADTs), Attack Graphs (AGs), and CORAS, for users with a limited technical background. We conducted a laboratory study with 38 bachelor students who completed tasks with the three threat models across three different scenarios assigned using a Latin square design. Threat model submissions were qualitatively analyzed, and participants filled out a perception questionnaire based on the Method Evaluation Model (MEM). We find that both ADTs and CORAS are broadly acceptable for a wide range of scenarios, and both could be applied successfully by users with a limited technical background; further, we also find that the lack of a specific tool for AGs may have impacted the perceived usefulness of AGs. We can recommend that users with a limited technical background use ADTs or CORAS as a general graphical TM method. Further research on the acceptability of AGs to such an audience and the effect of a dedicated TM tool support is needed.

翻译：威胁建模（TM）是风险分析与安全软件工程的重要方面。图形化威胁模型是分析和传达威胁信息的推荐工具。然而，尽管技术背景有限的用户在网络安全行业中占据相当比例，但不同图形化威胁模型的比较以及这些威胁模型对此类用户的可接受性尚未得到充分理解。本研究旨在比较三种通用图形化威胁模型——攻击防御树（ADTs）、攻击图（AGs）和CORAS——对技术背景有限用户的可接受性。我们通过实验室研究，采用拉丁方设计，让38名本科生在三种不同场景中完成基于这三种威胁模型的任务。对提交的威胁模型进行定性分析，参与者根据方法评估模型（MEM）填写感知问卷。研究发现，ADTs和CORAS在多种场景中均具有广泛可接受性，且技术背景有限的用户能成功应用这两种模型；此外，AGs缺乏专用工具可能影响了其感知有用性。我们建议技术背景有限的用户采用ADTs或CORAS作为通用图形化TM方法。未来需进一步研究AGs对此类用户的可接受性以及专用TM工具支持的影响。