A limited technical background is sufficient for attack-defense tree acceptability

📅 2025-02-17
🤖 AI Summary
The applicability of Attack Defense Trees (ADTs) to non-technical stakeholders remains empirically unverified, limiting their adoption beyond cybersecurity experts. Method: We conducted a model-based task experiment with 102 participants—51 technical and 51 non-technical—assessing performance in ADT modeling, comprehension, and reasoning tasks. Evaluation integrated quantitative task performance metrics, qualitative feedback, and standardized technology acceptance scales. Contribution/Results: No statistically significant differences were found between groups across all tasks, demonstrating that ADTs require minimal technical proficiency for effective understanding and use. This challenges the longstanding assumption that ADT comprehension necessitates computer science expertise and substantially broadens their practical utility among diverse stakeholders—including managers, legal professionals, and business analysts. The findings provide empirical validation and methodological support for low-barrier threat modeling in interdisciplinary security contexts.

📝 Abstract
Attack-defense trees (ADTs) are a prominent graphical threat modeling method that is highly recommended for analyzing and communicating security-related information. Despite this, existing empirical studies of attack trees have established their acceptability only for users with highly technical (computer science) backgrounds while raising questions about their suitability for threat modeling stakeholders with a limited technical background. Our research addresses this gap by investigating the impact of the users' technical background on ADT acceptability in an empirical study. Our Method Evaluation Model-based study consisted of n = 102 participants (53 with a strong computer science background and 49 with a limited computer science background) who were asked to complete a series of ADT-related tasks. By analyzing their responses and comparing the results, we reveal that a very limited technical background is sufficient for ADT acceptability. This finding underscores attack trees' viability as a threat modeling method.

Problem

Research questions and friction points this paper is trying to address.

Evaluates ADT acceptability for non-technical users.
Addresses gap in ADT usability studies.
Compares ADT tasks across technical backgrounds.

Innovation

Methods, ideas, or system contributions that make the work stand out.

ADT acceptability for non-technical users
Empirical study on ADT usability
Model-based evaluation with diverse participants