{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,30]],"date-time":"2026-04-30T06:39:57Z","timestamp":1777531197307,"version":"3.51.4"},"reference-count":48,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"5","license":[{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2022,5,1]],"date-time":"2022-05-01T00:00:00Z","timestamp":1651363200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100000266","name":"Engineering and Physical Sciences Research Council","doi-asserted-by":"publisher","award":["EP\/M002780\/1"],"award-info":[{"award-number":["EP\/M002780\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"publisher"}]},{"name":"DYPOSIT","award":["EP\/N021657\/2"],"award-info":[{"award-number":["EP\/N021657\/2"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IIEEE Trans. Software Eng."],"published-print":{"date-parts":[[2022,5,1]]},"DOI":"10.1109\/tse.2020.3023735","type":"journal-article","created":{"date-parts":[[2020,9,14]],"date-time":"2020-09-14T21:20:51Z","timestamp":1600118451000},"page":"1515-1528","source":"Crossref","is-referenced-by-count":15,"title":["The Best Laid Plans or Lack Thereof: Security Decision-Making of Different Stakeholder Groups"],"prefix":"10.1109","volume":"48","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9329-4866","authenticated-orcid":false,"given":"Benjamin","family":"Shreeve","sequence":"first","affiliation":[{"name":"Bristol Cyber Security Group, University of Bristol, Bristol, U.K."}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6146-9852","authenticated-orcid":false,"given":"Joseph","family":"Hallett","sequence":"additional","affiliation":[{"name":"Bristol Cyber Security Group, University of Bristol, Bristol, U.K."}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8099-0646","authenticated-orcid":false,"given":"Matthew","family":"Edwards","sequence":"additional","affiliation":[{"name":"Bristol Cyber Security Group, University of Bristol, Bristol, U.K."}]},{"given":"Kopo M.","family":"Ramokapane","sequence":"additional","affiliation":[{"name":"Bristol Cyber Security Group, University of Bristol, Bristol, U.K."}]},{"given":"Richard","family":"Atkins","sequence":"additional","affiliation":[{"name":"City of London Police, London, U.K."}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0109-1341","authenticated-orcid":false,"given":"Awais","family":"Rashid","sequence":"additional","affiliation":[{"name":"Bristol Cyber Security Group, University of Bristol, Bristol, U.K."}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/3134600.3134618"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2010.2099234"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00016"},{"key":"ref4","first-page":"1","article-title":"SMART: Secure and minimal architecture for (establishing dynamic) root of trust","volume-title":"Proc. Netw. Distrib. Syst. Secur. Symp.","volume":"12","author":"Eldefrawy"},{"key":"ref5","article-title":"Information Security Management","volume":"27001","year":"2013"},{"key":"ref6","article-title":"Security and privacy controls for federal information systems and organizations","year":"2015"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2017.2782813"},{"key":"ref8","article-title":"Pains, gains and PLCs: Ten lessons from building an industrial control systems testbed for security research","volume-title":"Proc. 10th USENIX Workshop Cyber Secur. Experimentation Test","author":"Green"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1145\/2897035.2897036"},{"key":"ref10","article-title":"The shadow warriors: In the no mans land between industrial control systems and enterprise IT systems","volume-title":"Proc. 3rd Workshop Secur. Inf. Workers","author":"Zanutto"},{"key":"ref11","article-title":"Cyber essentials"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2018.2888766"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.IR.7621r1"},{"key":"ref14","article-title":"Review of cyber hygiene practices","year":"2016"},{"key":"ref15","article-title":"Information security incident management","year":"2016"},{"key":"ref16","article-title":"Computer security incident handling guide","year":"2012"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1177\/001316446002000104"},{"key":"ref18","first-page":"1","article-title":"Threat modeling as a basis for security requirements","volume-title":"Proc. Symp. Requirements Eng. Inf. Secur.","volume":"2005","author":"Myagmar"},{"key":"ref19","volume-title":"Requirements Engineering: Processes and Techniques","author":"Kotonya","year":"1998"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1046\/j.1466-822X.2003.00015.x"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1191\/1478088706qp0630a"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1037\/13620-000"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.2307\/256987"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1177\/0149206306298657"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.1007\/s00779-004-0308-5"},{"key":"ref26","first-page":"309","article-title":"Too much knowledge? Security beliefs and protective behaviors among United States internet users","volume-title":"Proc. 11th USENIX Conf. Usable Privacy Secur.","author":"Wash"},{"key":"ref27","first-page":"327","article-title":"\u201c... No one can hack my mind","volume-title":"Proc. 11th USENIX Conf. Usable Privacy Secur.","author":"Ion"},{"key":"ref28","article-title":"Small business cybercriminal target survey data","year":"2019"},{"key":"ref29","first-page":"621","article-title":"The battle for New York: A case study of applied digital threat modeling at the enterprise level","volume-title":"Proc. 27th USENIX Conf. Secur. Symp.","author":"Stevens"},{"issue":"4","key":"ref30","first-page":"2","article-title":"Center of gravity analysis","volume":"84","author":"Eikmeier","year":"2004","journal-title":"Military Rev."},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/1005817.1005828"},{"issue":"5","key":"ref32","first-page":"26","article-title":"Return on information security investments: Myths vs. realities","volume":"84","author":"Gordon","year":"2002","journal-title":"Strategic Finance"},{"key":"ref33","article-title":"Return on security investment (ROSI)-a practical quantitative model","volume":"38","author":"Sonnenreich","year":"2006","journal-title":"J. Res. Pract. Inf. Technol."},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1016\/j.dss.2016.02.012"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.4236\/jis.2015.61003"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.4236\/jis.2016.72004"},{"key":"ref37","article-title":"Folk risk analysis: Factors influencing security analysts\u2019 interpretation of risk","volume-title":"Proc. 13th Symp. Usable Privacy Secur.","author":"Mmanga"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1016\/j.jsis.2018.09.003"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516753"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2013.69"},{"key":"ref41","article-title":"On the design of security games: From frustrating to engaging learning","volume-title":"Proc. Workshop Advances Secur. Educ.","author":"Vykopal"},{"key":"ref42","article-title":"King of the hill: A novel cybersecurity competition for teaching penetration testing","volume-title":"Proc. USENIX Workshop Advances Secur. Educ.","author":"Bock"},{"key":"ref43","article-title":"Authenticity, ethicality, and motivation: A formal evaluation of a 10-week computer security alternate reality game for CS undergraduates","volume-title":"Proc. USENIX Workshop Advances Secur. Educ.","author":"Morelock"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-39454-6_70"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2016.11.017"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1504\/IJCIS.2010.033341"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1177\/1524839908325063"},{"key":"ref48","article-title":"Q: Why do keynote speakers keep suggesting that improving security is possible? A: Because keynote speakers make bad life decisions and are poor role models","author":"Mickens","year":"2018"}],"container-title":["IEEE Transactions on Software Engineering"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/32\/9775544\/09195777.pdf?arnumber=9195777","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,5,31]],"date-time":"2024-05-31T17:33:28Z","timestamp":1717176808000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9195777\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5,1]]},"references-count":48,"journal-issue":{"issue":"5"},"URL":"https:\/\/doi.org\/10.1109\/tse.2020.3023735","relation":{},"ISSN":["0098-5589","1939-3520","2326-3881"],"issn-type":[{"value":"0098-5589","type":"print"},{"value":"1939-3520","type":"electronic"},{"value":"2326-3881","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,5,1]]}}}