Do Security Patterns Really Help Designers?

Author(s): K. Yskout, R. Scandariato, W. Joosen
Venue: 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering
Date: 2015

Type of Experiment: Controlled Experiment
Sample Size: 64
Class/Experience Level: Graduate Student
Participant Selection: Graduate student classwork
Data Collection Method: Survey, Code Metric, Project Artifact(s)


This empirical study investigates the effect of using security patterns: whether their use leads to a more secure design or to increased productivity of the designers.

The study involved 32 teams of two master's students, each enrolled in a software architecture course, working on designing a banking system. The participants were not considered to be security experts, but did have a security-oriented background. This was ideal, as security patterns are often claimed to provide value to those with limited security expertise. The participants were given six tasks to complete. Half of these tasks were done before a lecture on security patterns and half were done after. Surveys were given to participants throughout the course of the study, and the results of these surveys were significant in drawing the conclusions.

Contrary to the authors’ expectations, the results of the study showed that, regardless of whether or not the teams used security patterns, there weren’t really any significant differences in their productivity or in the security of their solutions. The threats to the validity of this study were considered, one of them being that the participants were graduate students rather than experienced software designers, who tend to value design patterns more. While the study doesn’t prove the advantages of using security patterns, it also doesn’t prove that there aren’t any advantages to using them, and it can be an incentive to do more research in the area.