University of Southampton Institutional Repository

The role of catalogues of threats and security controls in security risk assessment: an empirical study with ATM professionals

de Gramatica, Martina, Labunets, Katsiaryna, Massacci, Fabio, Paci, Federica and Tedeschi, Alessandra (2015) The role of catalogues of threats and security controls in security risk assessment: an empirical study with ATM professionals. In Fricker, Samuel A. and Schneider, Kurt (eds.) Requirements Engineering: Foundation for Software Quality (REFSQ), Germany, pp. 98-114. (doi:10.1007/978-3-319-16101-3_7).

Record type: Conference or Workshop Item (Paper)

Abstract

[Context and motivation] To remedy the lack of security expertise, industrial security risk assessment methods come with catalogues of threats and security controls. [Question/problem] We investigate in both qualitative and quantitative terms whether the use of catalogues of threats and security controls has an effect on the actual and perceived effectiveness of a security risk assessment method. In particular, we assessed the effect of using domain-specific versus domain-general catalogues on the actual and perceived efficacy of a security risk assessment method conducted by non-experts, and compared it with the effect of running the same method with security experts but without catalogues.

[Principal ideas/results] The quantitative analysis shows that non-security experts who applied the method with catalogues identified threats and controls of the same quality as security experts without catalogues. The perceived ease of use was higher when participants used the method without catalogues, albeit only at the 10 % significance level. The qualitative analysis indicates that security experts have different expectations of a catalogue than non-experts. Non-experts are mostly worried about the difficulty of navigating through the catalogue (the larger and less specific the catalogue, the worse it was), while expert users found it mostly useful for establishing a common terminology and as a checklist that nothing was forgotten.

[Contribution] This paper sheds light on the important features of the catalogues and discusses how they contribute to the risk assessment process.

Full text not available from this repository.

More information

Published date: 14 March 2015
Venue - Dates: Requirements Engineering: Foundation for Software Quality (REFSQ), Germany, 2015-03-14
Keywords: empirical study, security risk assessment methods, MEM
Organisations: Electronics & Computer Science

Identifiers

Local EPrints ID: 378316
URI: http://eprints.soton.ac.uk/id/eprint/378316
PURE UUID: f3875fd5-d10d-4fb4-b454-00cd289951f0

Catalogue record

Date deposited: 27 Apr 2016 10:29
Last modified: 17 Jul 2017 20:53

Contributors

Author: Martina de Gramatica
Author: Katsiaryna Labunets
Author: Fabio Massacci
Author: Federica Paci
Author: Alessandra Tedeschi
Editor: Samuel A. Fricker
Editor: Kurt Schneider
