The role of catalogues of threats and security controls in security risk assessment: an empirical study with ATM professionals
[Context and motivation] To remedy the lack of security expertise, industrial security risk assessment methods come with catalogues of threats and security controls. [Question/problem] We investigate, in both qualitative and quantitative terms, whether the use of catalogues of threats and security controls has an effect on the actual and perceived effectiveness of a security risk assessment method. In particular, we assessed the effect of using domain-specific versus domain-general catalogues on the actual and perceived efficacy of a security risk assessment method conducted by non-experts, and compared it with the effect of running the same method with security experts but without catalogues.
[Principal ideas/results] The quantitative analysis shows that non-security experts who applied the method with catalogues identified threats and controls of the same quality as security experts without catalogues. Perceived ease of use was higher when participants used the method without catalogues, albeit only at the 10% significance level. The qualitative analysis indicates that security experts have different expectations of a catalogue than non-experts. Non-experts are mostly worried about the difficulty of navigating the catalogue (the larger and less specific it was, the worse), while expert users found it mostly useful for providing a common terminology and a checklist to confirm that nothing was forgotten.
[Contribution] This paper sheds light on the important features of catalogues and discusses how they contribute to the risk assessment process.
Keywords: empirical study, security risk assessment methods, MEM
Pages: 98-114
Author: de Gramatica, Martina (UUID 28079f4a-fc4d-4ad7-9de6-97616a8ee655)
Author: Labunets, Katsiaryna (UUID dae3b5d3-559e-49fb-ae8a-1ee219c6fdb3)
Author: Massacci, Fabio (UUID ff2c9f40-8060-4fdc-b006-53b507897ac8)
Author: Paci, Federica (UUID 9fbf3e5b-ae03-40e8-a75a-3657cbc9216e)
Author: Tedeschi, Alessandra (UUID 476ff202-6261-4efe-86ec-e1c3c60a7449)
Editor: Fricker, Samuel A. (UUID ec8e5e3d-02ca-4990-8fe3-d5c7c6155335)
Editor: Schneider, Kurt (UUID a829a85a-9f77-46d1-a09a-af399d6091aa)
Published date: 14 March 2015
de Gramatica, Martina, Labunets, Katsiaryna, Massacci, Fabio, Paci, Federica and Tedeschi, Alessandra (2015) The role of catalogues of threats and security controls in security risk assessment: an empirical study with ATM professionals. In: Fricker, Samuel A. and Schneider, Kurt (eds.) Requirements Engineering: Foundation for Software Quality (REFSQ), Essen, Germany, pp. 98-114. (doi:10.1007/978-3-319-16101-3_7)
Record type: Conference or Workshop Item (Paper)
More information
Venue - Dates:
Requirements Engineering: Foundation for Software Quality (REFSQ), Essen, Germany, 2015-03-14
Organisations:
Electronics & Computer Science
Identifiers
Local EPrints ID: 378316
URI: http://eprints.soton.ac.uk/id/eprint/378316
PURE UUID: f3875fd5-d10d-4fb4-b454-00cd289951f0
Catalogue record
Date deposited: 27 Apr 2016 10:29
Last modified: 14 Mar 2024 20:21