STRIDE-Based Threat Analysis and AI-Driven Dataset Design for Securing Educational E-Payment Systems

Authors

  • Doddy Ferdiansyah
  • Leony Lidya, Universitas Pasundan
  • Miftahul Fadli Muttaqin, Universitas Pasundan

DOI:

https://doi.org/10.35194/mji.v17i2.5918

Keywords:

Threat Modeling, STRIDE, e-payment, Application Security, Threat Dataset

Abstract

The increasing adoption of electronic payment (e-payment) systems in educational settings introduces significant cybersecurity challenges. This study conducts a systematic security analysis of a web-based school canteen e-payment system using the STRIDE threat modeling framework. The methodology involves three stages: system modeling with a Data Flow Diagram (DFD), threat mapping across system components, and qualitative risk assessment based on potential impact and likelihood. The analysis identified six STRIDE threat categories, with high-risk findings in Tampering (balance and price manipulation), Spoofing (account takeover), and Denial of Service (flooding attacks). Recommended mitigation strategies include multi-factor authentication, strict server-side input validation, immutable logging, and secure session management. Beyond manual threat analysis, this research contributes by designing a structured threat dataset as a foundation for artificial intelligence (AI) integration. This dataset enables the development of AI models for automated threat classification, risk prediction, and adaptive mitigation recommendations. The findings highlight the importance of proactive and forward-looking security approaches while opening pathways for future research on data-driven security automation in educational digital infrastructures.
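As an added illustration of the Tampering mitigations the abstract recommends (strict server-side validation and immutable logging), not code from the paper: a minimal hash-chained ledger for one canteen account in which the balance is recomputed from the log rather than taken from the client, item prices come from a server-side catalog rather than the request body, and any later edit to a recorded entry is detected. The catalog items, prices and top-up ceiling are constructed values.

```python
import hashlib
import json

# Constructed sample data (not from the paper): server-side price catalog
# and a per-transaction top-up ceiling, in illustrative currency units.
CATALOG = {"nasi_goreng": 15_000, "es_teh": 5_000}
MAX_TOPUP = 500_000
GENESIS = "0" * 64


def _digest(prev_hash, record):
    # Each entry's hash covers the previous hash and its own canonical record.
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class Ledger:
    # Append-only, hash-chained transaction log for one student account.
    def __init__(self):
        self.entries = []

    def balance(self):
        # The balance is derived from the log; the client never supplies it.
        return sum(e["record"]["delta"] for e in self.entries)

    def _append(self, kind, delta, item):
        record = {"seq": len(self.entries), "kind": kind, "item": item, "delta": delta}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"record": record, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry

    def topup(self, amount):
        # Strict validation: reject bools, floats, strings, zero, negatives, oversize.
        if type(amount) is not int or not 0 < amount <= MAX_TOPUP:
            raise ValueError("invalid top-up amount")
        return self._append("topup", amount, None)

    def purchase(self, item):
        # The client sends only an item id; the price is looked up server-side,
        # so a tampered request body cannot lower it.
        if item not in CATALOG:
            raise ValueError("unknown item")
        price = CATALOG[item]
        if self.balance() < price:
            raise ValueError("insufficient balance")
        return self._append("purchase", -price, item)

    def verify(self):
        # Recompute the chain; an edited or deleted entry breaks every later hash.
        prev = GENESIS
        for e in self.entries:
            if _digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In a deployment the chain head would be anchored somewhere the application server cannot rewrite (a separate log store or periodic external checkpoint); here `verify()` only shows that tampering with a stored entry is detectable.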


Published

2026-01-03