The role of catalogues of threats and security controls in security risk assessment: An empirical study with atm professionals

Martina De Gramatica; Katsiaryna Labunets; Fabio Massacci; Federica Paci; Alessandra Tedeschi

doi:10.1007/978-3-319-16101-3_7

The role of catalogues of threats and security controls in security risk assessment: An empirical study with atm professionals

Martina De Gramatica, Katsiaryna Labunets^*, Fabio Massacci, Federica Paci, Alessandra Tedeschi

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

Abstract

[Context and motivation] To remedy the lack of security expertise, industrial security risk assessment methods come with catalogues of threats and security controls. [Question/problem] We investigate in both qualitative and quantitative terms whether the use of catalogues of threats and security controls has an effect on the actual and perceived effectiveness of a security risk assessment method. In particular, we assessed the effect of using domain-specific versus domain-general catalogues on the actual and perceived efficacy of a security risk assessment method conducted by non-experts and compare it with the effect of running the same method by security experts but without catalogues. [Principal ideas/results] The quantitative analysis shows that nonsecurity experts who applied the method with catalogues identified threats and controls of the same quality of security experts without catalogues. The perceived ease of use was higher when participants used method without catalogues albeit only at 10% significance level. The qualitative analysis indicates that security experts have different expectations from a catalogue than non-experts. Non-experts are mostly worried about the difficulty of navigating through the catalogue (the larger and less specific the worse it was) while expert users found it mostly useful to get a common terminology and a checklist that nothing was forgotten. [Contribution] This paper sheds light on the important features of the catalogues and discuss how they contribute into risk assessment process.

Original language	English
Title of host publication	Requirements Engineering
Subtitle of host publication	Foundation for Software Quality - 21st International Working Conference, REFSQ 2015, Proceedings
Editors	Samuel A. Fricker, Kurt Schneider
Publisher	Springer
Pages	98-114
Number of pages	17
ISBN (Electronic)	9783319161006
DOIs	https://doi.org/10.1007/978-3-319-16101-3_7
Publication status	Published - 2015
Event	21st International Working Conference on Requirements Engineering: Foundation for Software Quality, REFSQ 2015 - Essen, Germany Duration: 23 Mar 2015 → 26 Mar 2015

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	9013
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	21st International Working Conference on Requirements Engineering: Foundation for Software Quality, REFSQ 2015
Country/Territory	Germany
City	Essen
Period	23/03/15 → 26/03/15

Bibliographical note

Publisher Copyright:
© Springer International Publishing Switzerland 2015.

Keywords

Empirical study
MEM
Security risk assessment methods

Access to Document

10.1007/978-3-319-16101-3_7

Cite this

De Gramatica, M., Labunets, K., Massacci, F., Paci, F., & Tedeschi, A. (2015). The role of catalogues of threats and security controls in security risk assessment: An empirical study with atm professionals. In S. A. Fricker, & K. Schneider (Eds.), Requirements Engineering: Foundation for Software Quality - 21st International Working Conference, REFSQ 2015, Proceedings (pp. 98-114). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9013). Springer. https://doi.org/10.1007/978-3-319-16101-3_7

De Gramatica, Martina ; Labunets, Katsiaryna ; Massacci, Fabio et al. / The role of catalogues of threats and security controls in security risk assessment : An empirical study with atm professionals. Requirements Engineering: Foundation for Software Quality - 21st International Working Conference, REFSQ 2015, Proceedings. editor / Samuel A. Fricker ; Kurt Schneider. Springer, 2015. pp. 98-114 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{c493bd9709dd4ae980d6ad8c856dd68a,

title = "The role of catalogues of threats and security controls in security risk assessment: An empirical study with atm professionals",

abstract = "[Context and motivation] To remedy the lack of security expertise, industrial security risk assessment methods come with catalogues of threats and security controls. [Question/problem] We investigate in both qualitative and quantitative terms whether the use of catalogues of threats and security controls has an effect on the actual and perceived effectiveness of a security risk assessment method. In particular, we assessed the effect of using domain-specific versus domain-general catalogues on the actual and perceived efficacy of a security risk assessment method conducted by non-experts and compare it with the effect of running the same method by security experts but without catalogues. [Principal ideas/results] The quantitative analysis shows that nonsecurity experts who applied the method with catalogues identified threats and controls of the same quality of security experts without catalogues. The perceived ease of use was higher when participants used method without catalogues albeit only at 10% significance level. The qualitative analysis indicates that security experts have different expectations from a catalogue than non-experts. Non-experts are mostly worried about the difficulty of navigating through the catalogue (the larger and less specific the worse it was) while expert users found it mostly useful to get a common terminology and a checklist that nothing was forgotten. [Contribution] This paper sheds light on the important features of the catalogues and discuss how they contribute into risk assessment process.",

keywords = "Empirical study, MEM, Security risk assessment methods",

author = "{De Gramatica}, Martina and Katsiaryna Labunets and Fabio Massacci and Federica Paci and Alessandra Tedeschi",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing Switzerland 2015.; 21st International Working Conference on Requirements Engineering: Foundation for Software Quality, REFSQ 2015 ; Conference date: 23-03-2015 Through 26-03-2015",

year = "2015",

doi = "10.1007/978-3-319-16101-3_7",

language = "English",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "98--114",

editor = "Fricker, {Samuel A.} and Kurt Schneider",

booktitle = "Requirements Engineering",

}

De Gramatica, M, Labunets, K, Massacci, F, Paci, F & Tedeschi, A 2015, The role of catalogues of threats and security controls in security risk assessment: An empirical study with atm professionals. in SA Fricker & K Schneider (eds), Requirements Engineering: Foundation for Software Quality - 21st International Working Conference, REFSQ 2015, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 9013, Springer, pp. 98-114, 21st International Working Conference on Requirements Engineering: Foundation for Software Quality, REFSQ 2015, Essen, Germany, 23/03/15. https://doi.org/10.1007/978-3-319-16101-3_7

The role of catalogues of threats and security controls in security risk assessment: An empirical study with atm professionals. / De Gramatica, Martina; Labunets, Katsiaryna; Massacci, Fabio et al.
Requirements Engineering: Foundation for Software Quality - 21st International Working Conference, REFSQ 2015, Proceedings. ed. / Samuel A. Fricker; Kurt Schneider. Springer, 2015. p. 98-114 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9013).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - The role of catalogues of threats and security controls in security risk assessment

T2 - 21st International Working Conference on Requirements Engineering: Foundation for Software Quality, REFSQ 2015

AU - De Gramatica, Martina

AU - Labunets, Katsiaryna

AU - Massacci, Fabio

AU - Paci, Federica

AU - Tedeschi, Alessandra

PY - 2015

Y1 - 2015

N2 - [Context and motivation] To remedy the lack of security expertise, industrial security risk assessment methods come with catalogues of threats and security controls. [Question/problem] We investigate in both qualitative and quantitative terms whether the use of catalogues of threats and security controls has an effect on the actual and perceived effectiveness of a security risk assessment method. In particular, we assessed the effect of using domain-specific versus domain-general catalogues on the actual and perceived efficacy of a security risk assessment method conducted by non-experts and compare it with the effect of running the same method by security experts but without catalogues. [Principal ideas/results] The quantitative analysis shows that nonsecurity experts who applied the method with catalogues identified threats and controls of the same quality of security experts without catalogues. The perceived ease of use was higher when participants used method without catalogues albeit only at 10% significance level. The qualitative analysis indicates that security experts have different expectations from a catalogue than non-experts. Non-experts are mostly worried about the difficulty of navigating through the catalogue (the larger and less specific the worse it was) while expert users found it mostly useful to get a common terminology and a checklist that nothing was forgotten. [Contribution] This paper sheds light on the important features of the catalogues and discuss how they contribute into risk assessment process.

AB - [Context and motivation] To remedy the lack of security expertise, industrial security risk assessment methods come with catalogues of threats and security controls. [Question/problem] We investigate in both qualitative and quantitative terms whether the use of catalogues of threats and security controls has an effect on the actual and perceived effectiveness of a security risk assessment method. In particular, we assessed the effect of using domain-specific versus domain-general catalogues on the actual and perceived efficacy of a security risk assessment method conducted by non-experts and compare it with the effect of running the same method by security experts but without catalogues. [Principal ideas/results] The quantitative analysis shows that nonsecurity experts who applied the method with catalogues identified threats and controls of the same quality of security experts without catalogues. The perceived ease of use was higher when participants used method without catalogues albeit only at 10% significance level. The qualitative analysis indicates that security experts have different expectations from a catalogue than non-experts. Non-experts are mostly worried about the difficulty of navigating through the catalogue (the larger and less specific the worse it was) while expert users found it mostly useful to get a common terminology and a checklist that nothing was forgotten. [Contribution] This paper sheds light on the important features of the catalogues and discuss how they contribute into risk assessment process.

KW - Empirical study

KW - MEM

KW - Security risk assessment methods

UR - http://www.scopus.com/inward/record.url?scp=84930426757&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-16101-3_7

DO - 10.1007/978-3-319-16101-3_7

M3 - Conference contribution

AN - SCOPUS:84930426757

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 98

EP - 114

BT - Requirements Engineering

A2 - Fricker, Samuel A.

A2 - Schneider, Kurt

PB - Springer

Y2 - 23 March 2015 through 26 March 2015

ER -

De Gramatica M, Labunets K, Massacci F, Paci F, Tedeschi A. The role of catalogues of threats and security controls in security risk assessment: An empirical study with atm professionals. In Fricker SA, Schneider K, editors, Requirements Engineering: Foundation for Software Quality - 21st International Working Conference, REFSQ 2015, Proceedings. Springer. 2015. p. 98-114. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-16101-3_7

The role of catalogues of threats and security controls in security risk assessment: An empirical study with atm professionals

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this