A grounded analysis of experts’ decision-making during security assessments

Abstract:

This study explores how security experts and novices make decisions during security analysis exercises. Using Situation Awareness (SA) theory, participants analyzed source code, data flow diagrams, and network diagrams to identify vulnerabilities and applied a requirements checklist to mitigate them. The research identified decision-making patterns, including how analysts perceive, comprehend, and project future threats against systems. It also developed hypotheses on how attack models enhance security analysis and how structured and unstructured approaches impact security requirements coverage. The findings contribute to understanding the cognitive processes behind security decision-making and improving security requirements engineering.

Author: Hanan Hibshi
Year: 2016
MIT Political Science
ECIR
GSS