Article Review #1
Ade Swinger
CYSE 201S
Article Review | Should Simulation Be Used in Cybersecurity Decision-Making?
February 17, 2025
Introduction
The article, The Use of Simulations in Economic Cybersecurity Decision-Making, written by Mazaher Kianpour and Ulrik Franke, examines how the usage of simulations in cybersecurity decision-making can impact businesses/organizations in both positive and negative ways. Cybersecurity is, of course, a pressing issue for most businesses today because of the rapid digitization of all kinds of operations. In relation to the social sciences, the use of simulation can clash with objectivity, ethical neutrality, and empiricism.
Relation to Social Science Principles
First, the article relates to objectivity because it speaks on the importance of unbiased simulation when it comes to decision-making. It is also widely discussed in the tech field how errors in data collection for different algorithms can create bias, which is a danger to objectivity. This ties in with the principle of ethical neutrality. If the systems are gaining information from biased sources, this can generate ethical issues that can misguide simulation. Lastly, it connects to empiricism because a simulation isn’t real at the end of it all. This means that the simulation could potentially be inaccurate when predicting risks to a business.
Research Questions and Hypotheses
The main questions in the article are whether simulations can provide reliable insight when it comes to economic cybersecurity decision-making and what the limitations of using said simulations are. With these questions, the authors came up with the hypotheses: simulations can enhance the decision-making process for cybersecurity because they provide an idea of how to approach risk, but that depends on the quality of the simulation; and the effectiveness of the simulation is limited by system error and the algorithmic bias discussed in the previous section.
Research Methods Used
This article didn’t do any kind of experimentation, so most of the research done was simply literature review. They used existing research on cybersecurity decision-making models and looked over the benefits and limitations this way. With this being said, they emphasize the fact that ongoing testing and updates will ensure that these simulations can give good decision-making suggestions.
Data and Analysis
As mentioned in the previous section, the study doesn’t create new data through experimentation; it only reviewed research that has existed within the field. Within the article, they did take a look at different simulation methods like bookkeeping and abstraction, which are tracking and simplification when put simply. Also, they came up with a sort of framework that can be followed to measure the efficiency of the simulation being used, with criteria like data reliability and validation with empirical data comparison.
Implications for Marginalized Groups
There could be a few implications for marginalized groups when it comes to decision-making through computer simulations. As mentioned before, there is talk of algorithmic bias within technological systems based on where the learning source is. With these biases, systems could face issues staying ethically sound in the decisions made. This could lead to more issues for marginalized groups moving forward if a system is put in place that perpetuates prejudice and bias through its learning.
Contributions to Society
The study highlighted how critical simulations could be in the improvement of cybersecurity decision-making. They can help businesses understand where to allocate their resources and focus their policies. Also, the importance of validated and adaptable simulation models is made clear because of the risk of misleading conclusions. Both of these can help contribute to a safer cyberspace.
Conclusion
In conclusion, this article review examines the significance of simulations in cybersecurity decision-making and their role in improving risk assessment. The study explained how simulations can help structure decision-making through basic framework ideas while acknowledging the potential downsides. A key negative to the usage of simulation would be the reliance on outdated models that could introduce bias. In the future, research should focus on the honing of the frameworks for these simulations and regulating the data sources for system learning to ensure maximum efficiency.
References
Kianpour, M., & Franke, U. (2025). The use of simulations in economic cybersecurity decision-making. Oxford Academic Journal of Cybersecurity, 11(1). https://academic.oup.com/cybersecurity/article/11/1/tyaf003/8011238?searchresult=1
Article Review #2
Ade Swinger
CYSE 201S
Article Review #2 | Analyzing “Software Security in Practice: Knowledge and Motivation”
April 10, 2025
BLUF: This is an article review on an article exploring how knowledge and motivation influence software developers’ use of secure coding practices.
Research Questions and Hypotheses
In the article “Software Security in Practice: Knowledge and Motivation”, the authors Hala Assal, Srivathsan G Morkonda, Muhammad Zaid Arif, and Sonia Chiasson asked what impact software developers’ knowledge and motivation have on their adoption of secure coding practices. They hypothesized that personal motivation and external motivation influence the use of secure practices when coding.
Research Methods Used
They primarily used qualitative research methods, interviewing software developers from multiple organizations. Using this qualitative approach, the researchers were able to gain insight on personal experiences, workplace experiences, dynamics, and developers’ security practices (p. 2).
Data and Analysis
The authors analyzed interview transcripts to find patterns and themes present across the participants’ responses. Key themes included time pressures, team influences, a lack of real-world training, and personal/organizational values being motivations or amotivation when it comes to security.
Relation to Social Science Principles and Class Concepts
Multiple class topics like human factors, cybersecurity culture, awareness training, and perception of safety relate to the article while also showing the presence of social science principles in the field.
- Human Factors: Developers will often spend less time on security because it’s easier for them to focus on what they are ‘actually’ responsible for (p. 11). This relates to the conversation of ease of use in a way because they have time constraints on the work they do, so it is easier to neglect the security of the code. This also reflects the principle of determinism because external conditions like deadlines will influence their behavior.
- Cybersecurity Culture: A strong culture will influence the behaviors of the employees, so a lack of emphasis on the importance of security can lead to the neglect of it. Ethical neutrality then falls into place because researchers understand that it is human nature to follow a culture, so the blame isn’t necessarily on the developers themselves.
- Awareness Training: Many developers in the study lacked the real-world training in secure coding. Because the researchers found firsthand information from developers in the field, empiricism is in play with the real information on why code can have security issues.
- Perception of Safety: People have an innate sense of safety on the internet when nothing has happened to them yet. This same concept can be applied to developers because they may have never had any issues with security with software they’ve coded, but skepticism will challenge developers to ask why that is a good enough reason to not implement security.
Also, the researchers demonstrated objectivity by giving evidence for each conclusion made.
Marginalized Groups
The article indirectly relates to marginalized groups in the field of technology. The lack of inclusivity and accessibility for training can affect developers who may be underrepresented or who didn’t acquire a traditional education, as well as smaller organizations. The creation of access to security knowledge for all groups can assist in inclusivity in the software field.
Contributions to Society
This article gives insight into how to help fix the disconnect between knowledge and behavior in cybersecurity. It also ultimately encourages organizations and businesses to build cultures that give developers the motivation to share the responsibility of security, as well as the technical training that’s needed. This could potentially reduce vulnerabilities in all kinds of software in the future.
Conclusion
This article emphasizes the importance of motivation compounded with knowledge for developers to apply secure coding in their practices. These findings may prove to be crucial when organizations look at building their cultures and also the implementation of inclusive approaches to training in the software industry.
References:
Assal, H., Morkonda, S. G., Arif, M., & Chiasson, S. (2025, March 12). Software security in practice: knowledge and motivation. Journal of Cybersecurity. https://academic.oup.com/cybersecurity/article/11/1/tyaf005/8071721
(Citation Machine Used)