Abstract
Security risk analysis (SRA) is a key activity in software engineering but requires heavy manual effort. Community knowledge in the form of security patterns or security catalogs can be used to support the identification of threats and security controls. However, no evidence-based theory exists about the effectiveness of security catalogs when used for security risk analysis. We adopt a grounded theory approach to propose a conceptual, revised and refined theory of SRA knowledge reuse. The theory refinement is backed by evidence gathered from conducting interviews with experts (20) and controlled experiments with both experts (15) and novice analysts (18). We conclude the paper by providing insights into the use of catalogs and managerial implications.
| Original language | English |
|---|---|
| Article number | 90 |
| Journal | Empirical Software Engineering |
| Volume | 28 |
| Issue number | 4 |
| DOIs | |
| Publication status | Published - Jul 2023 |
Bibliographical note
Funding Information: The authors would first like to express gratitude to the participants of this study who have generously contributed. We would also like to thank our past co-authors Martina De Gramatica and Le Minh Sang Tran from UTrento, Bjorn Sohaug and Ketil Stoelen from SINTEF, Alessandra Tedeschi and Martina Ragosta from DeepBlue, John Hird and Rainer Koehele from Eurocontrol for helping us with the data collection and organizing the focus groups and the trainings. Without everybody's time and expertise this paper would not have been possible. Part of the work was done while K. Labunets and F.M. Paci were at the University of Trento. This research was partially supported by the SESAR project EMFASE and the European Union and the FP7 project 285223 (SECONOMICS). The datasets generated and analysed during the study are not publicly available due to confidentiality constraints with industrial partners, but example data can be made available from the corresponding author on reasonable request.
Publisher Copyright:
© 2023, The Author(s).
Keywords
- Empirical study
- Information security
- Knowledge reuse
- Risk assessment