Today, facing security issues in organizations is a crucial task to achieve business success. There are different procedures, techniques, methodologies, and others; proposed by academia and industry that answer the “big” question: how to make my organization less vulnerable to security attacks?
Avoid completely the vulnerabilities is (almost) impossible, especially if the most security leaks come from stakeholders. For this reason, we propose TaSPeR, a card game-based technique and consensus-building technique (based on Planning Poker) that allows development team members to identify, argue for, and choose among architectural security tactics according to objectives and priorities. We presented this technique in ECSA (12th European Conference on Software Architecture) 2018.
This technique involves the participation of all stakeholders in order to provide ideas and feedback about what they think about security. Our research establishes that including stakeholders in the security design of crucial software systems may provide other points of views that experts in security did not consider (at first glance). We tested this technique using subjects with different profiles (students, practitioners, and security experts) getting interesting results in the security decision-making.
Finally, we provided a more “social” technique aiming to help to face one of the most important and critical challenges in the industry, cyber-security.