Do security patterns really help designers?

Author(s): Koen Yskout, Riccardo Scandariato, Wouter Joosen
Venue: International Conference on Software Engineering
Date: May 2015

Type of Experiement: Controlled Experiment
Sample Size: 32
Class/Experience Level: Graduate Student
Participant Selection: Graduate student classwork
Data Collection Method: Observation, Survey, Project Artifact(s)


Security patterns are used often by software engineers in order to solve security-specific problems. Often times they are claimed to be useful by designers without much security expertise. The paper discusses the outcome of an empirical study investigating whether the usage of security patterns can lead to a more secure design, or at least, an increase in productivity.

The study used pairs of 32 master students enrolled in a course on software architecture as test subjects (64 students total). Students were asked to design a realistically sized banking system. The students did not identified as security experts, although some did hold more knowledge in the area than others. In the application of the study, teams were given 6 tasks regarding the construction of the banking system. All but the first task (also known as the warm-up) contained a security requirement that the participants had to implement in the design of the banking system. In Phase 1 of the experiment, all teams worked without having access to (or knowledge of) the security patterns. In Phase 2, teams were given a brief summary on security patterns. At the end of each phases, the products were given a score based on how many "security flaws" came from their solution.

The end result of showed that regardless of whether the teams were using security patterns, there were no visible difference between the two treatment groups. However, the investigators noticed the teams preferred to work using security patterns.