This shows you the differences between two versions of the page.
emfase [2016/03/03 14:14] fabio.massacci@unitn.it [Publications] |
emfase [2021/01/29 10:58] (current) |
Line 38: | Line 38: | ||
===== Partners ===== | ===== Partners ===== | ||
- | University of Trento (Coordinator), SINTEF and DeepBlue. | + | University of Trento (Coordinator, Italy), SINTEF, DeepBlue and University of Southampton. |
===== Project Internal Information ===== | ===== Project Internal Information ===== | ||
Line 44: | Line 44: | ||
Please check [[https://trinity.disi.unitn.it/emfase/|SVN Repository]] (Restricted Access) | Please check [[https://trinity.disi.unitn.it/emfase/|SVN Repository]] (Restricted Access) | ||
+ | ===== Project presentation ===== | ||
+ | {{:projects:emfase:deliverable:emfase_poster_35x50_cmyk_small.pdf|EMFASE Poster presented at SID 2013}} | ||
Line 62: | Line 63: | ||
==== Experiments ==== | ==== Experiments ==== | ||
+ | |||
+ | === Comparison of Security Risk Assessment methods === | ||
- UNITN Security Engineering course 2013-14: | - UNITN Security Engineering course 2013-14: | ||
- | * Participants: students around 60 sort of controlled participants | + | * Participants: 29 MSc students enrolled to Security Engineering course at the University of Trento |
- | * Method: Coras vs Eurocontrol SECRAM (*) | + | * Method: CORAS vs Eurocontrol SECRAM (*) |
* Case Study: SmartGrid | * Case Study: SmartGrid | ||
* Final result: excel file with threats and controls, presentations, report | * Final result: excel file with threats and controls, presentations, report | ||
* Feedback: questionnaire, interview | * Feedback: questionnaire, interview | ||
+ | - First International Week with Italian Post on Cyber Security in Complex Information Systems 2014 (Rome, Italy): | ||
+ | * Participants: students - around 60 sort of controlled participants | ||
+ | * Method: CORAS vs SESAR SECRAM (*) | ||
+ | * Case Study: Online Banking | ||
+ | * Final result: excel file with threats and controls, report | ||
+ | * Feedback: questionnaire | ||
+ | - UNITN Security Engineering course 2014-15: | ||
+ | * Participants: MSc students - around 30 sort of controlled participants | ||
+ | * Method: CORAS vs SESAR SecRAM (*) | ||
+ | * Case Study: Remotely Operated Tower (ATM) (*) | ||
+ | * Final result: excel file with threats and controls, presentations, report | ||
+ | * Feedback: questionnaire, focus groups interview | ||
+ | - UNITN Security Engineering course 2015-16: | ||
+ | * Participants: MSc students - around 50 sort of controlled participants | ||
+ | * Method: CORAS vs SESAR SecRAM (*) | ||
+ | * Case Study: Unmanned Aerial System Traffic Management (UTM) | ||
+ | * Final result: excel file with threats and controls, presentations, report | ||
+ | * Feedback: questionnaire, focus groups interview | ||
+ | |||
+ | === Effectiveness of Catalogues of Threats and Security Controls in Security Risk Assessment === | ||
- EIT Winter School 2014: | - EIT Winter School 2014: | ||
* Participants: students around 20 sort of controlled participants | * Participants: students around 20 sort of controlled participants | ||
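Review bot: the three added course entries in this hunk keep the hedge that the first entry just dropped: the 2013-14 line now gives an exact count ("29 MSc students enrolled to Security Engineering course"), while the Rome 2014, 2014-15 and 2015-16 entries below it still read "students - around 60 sort of controlled participants" and "MSc students - around 30/50 sort of controlled participants". Give the actual enrolled count for each and replace "sort of controlled" with what it means for the design (e.g. "controlled experiment, participants not randomly assigned"), otherwise the reader cannot tell the four studies apart by rigour. The method name is also spelled two ways in the same list: "Eurocontrol SECRAM" and "SESAR SECRAM" in the first two entries, "SESAR SecRAM" in the last two; settle on one spelling, and state whether the Eurocontrol and SESAR labels refer to the same method or to two versions of it.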
Line 74: | Line 97: | ||
* Final result: excel file with requirements, hand-drawn poster for result presentation, report | * Final result: excel file with requirements, hand-drawn poster for result presentation, report | ||
* Feedback: questionnaire | * Feedback: questionnaire | ||
+ | - EMFASE SecRAM Evaluation Workshop 2014: | ||
+ | * Participants: professionals around 15 sort of controlled participants | ||
+ | * Method: SESAR SecRAM (*) + [ BSI catalogue vs SECRAM catalogue (*) vs No catalogue (control group)] | ||
+ | * Case Study: Remotely Operated Tower (*) | ||
+ | * Final result: excel file with requirements, report | ||
+ | * Feedback: questionnaire, focus groups interview | ||
+ | === An Empirical Comparison of Tabular vs. Graphical Risk Model Representations === | ||
+ | - UNITN Security Engineering course 2014-15: | ||
+ | * Participants: 35 MSc students - controlled participants | ||
+ | * Representation: Graphical (CORAS) vs Tabular (NIST) | ||
+ | * Scenario: Online Banking and Health Care Network | ||
+ | * Final result: responses to the online comprehensibility task | ||
+ | * Feedback: post-task questionnaire | ||
+ | - University of Oslo Model Engineering course 2014-2015: | ||
+ | * Participants: 11 MSc students - controlled participants | ||
+ | * Representation: Graphical (CORAS) vs Tabular (NIST) | ||
+ | * Scenario: Online Banking | ||
+ | * Final result: responses to the online comprehensibility task | ||
+ | * Feedback: post-task questionnaire | ||
+ | - PUCRS Information Systems course 2014-15: | ||
+ | * Participants: 27 MSc and 13 BSc students - controlled participants | ||
+ | * Representation: Graphical (CORAS) vs Tabular (NIST) | ||
+ | * Scenario: Online Banking and Health Care Network | ||
+ | * Final result: responses to the online comprehensibility task | ||
+ | * Feedback: post-task questionnaire | ||
+ | - University of Calabria Cybersecurity professional master course - September 2015: | ||
+ | * Participants: 52 MSc students - controlled participants | ||
+ | * Representation: Graphical (CORAS) vs Tabular (NIST) | ||
+ | * Scenario: Online Banking and Health Care Network | ||
+ | * Final result: responses to the online comprehensibility task | ||
+ | * Feedback: post-task questionnaire | ||
+ | - UNITN Security Engineering course 2015-16: | ||
+ | * Participants: 51 MSc students - controlled participants | ||
+ | * Representation: Graphical (CORAS) vs Tabular (NIST) | ||
+ | * Scenario: Online Banking and Health Care Network | ||
+ | * Final result: responses to the online comprehensibility task | ||
+ | * Feedback: post-task questionnaire | ||
+ | - EMFASE - Security Risk Assessment Tutorial at SESAR Innovation Days 2015 (Bologna, Italy): | ||
+ | * Participants: 14 professionals - sort of controlled participants | ||
+ | * Representation: Graphical (CORAS) vs Tabular (SESAR SecRAM) | ||
+ | * Scenario: Online Banking | ||
+ | * Final result: responses to the paper-based comprehensibility task | ||
+ | * Feedback: post-task questionnaire | ||
+ | - EMFASE Online Study on Comprehensibility of Risk Models: | ||
+ | * Participants: 60 professionals | ||
+ | * Representation: Graphical (CORAS) vs Tabular (NIST) | ||
+ | * Scenario: Online Banking | ||
+ | * Final result: responses to the online comprehensibility task | ||
+ | * Feedback: post-task questionnaire | ||
In part (*) means confidential documents are distributed | In part (*) means confidential documents are distributed | ||
===== Deliverables ===== | ===== Deliverables ===== | ||
- | - {{:projects:emfase:e.02.32_d1.1_selection_of_risk_assessment_methods_object_of_study_00.01.03.pdf|Selection of risk assessment methods object of study}} | + | - {{:projects:emfase:e.02.32_d1.1_selection_of_risk_assessment_methods_object_of_study_00.01.03.pdf|D1.1 Selection of risk assessment methods object of study}} |
+ | - {{:projects:emfase:deliverable:d1-2_firstempiricalevaluationframework_v000102.pdf|D1.2 First Empirical Evaluation Framework}} | ||
+ | - {{:projects:emfase:deliverable:e.02.32_d1.3_refinedempiricalevaluationframework_v000100.pdf|D1.3 Refined Empirical Evaluation Framework}} | ||
+ | - {{:projects:emfase:deliverable:d2_1_scenariodescriptions_v00_01_03.pdf|D2.1 Scenario Descriptions}} | ||
+ | - {{:projects:emfase:deliverable:e.02.32_-_emfase_-_d2.2_-_first_evaluation_report_ed.00.01.00.pdf|D2.2 First Evaluation Report}} | ||
+ | - {{:projects:emfase:deliverable:e_02_32_-_emfase_-_d3_1_-_draft_causal_explanations-ed.00.01.00.pdf|D3.1 Draft Causal Explanations}} | ||
+ | |||
===== Publications ===== | ===== Publications ===== | ||
- | * K. Labunets, F. Paci, F. Massacci. **Which Security Catalogue Is Better for Novices?** In //Proc. of EmpiRE Workshop at IEEE RE'15.// {{:research_activities:experiments:2014-winter-school:labunets-etal-empire-re15-preprint.pdf|PDF (preprint)}} | + | * K. Labunets, Y. Li, F. Massacci, F. Paci, M. Ragosta, B. Solhaug, K. Stølen, A. Tedeschi. **Preliminary Experiments on the Relative Comprehensibility of Tabular and Graphical Risk Models**, In //the Proceedings of 5th SESAR Innovation Days (SIDs'15).// {{:research_activities:experiments:2014-comprehensibility:labunets-etal-sids_2015_paper_32.pdf|PDF}} |
+ | * K. Labunets, F. Paci, F. Massacci. **Which Security Catalogue Is Better for Novices?** In //Proc. of EmpiRE Workshop at IEEE RE'15.// {{:research_activities:experiments:2014-winter-school:labunets-etal-empire-re15-preprint.pdf|PDF (preprint)}} | ||
* M. de Gramatica, K. Labunets, F. Massacci, F. Paci, and A. Tedeschi. **The Role of Catalogues of Threats and Security Controls in Security Risk Assessment: An Empirical Study with ATM Professionals.** In //Proc. of REFSQ'15//. {{:research_activities:experiments:2014-rome-deepblue:gramatica-etal-refsq2015.pdf|PDF}} | * M. de Gramatica, K. Labunets, F. Massacci, F. Paci, and A. Tedeschi. **The Role of Catalogues of Threats and Security Controls in Security Risk Assessment: An Empirical Study with ATM Professionals.** In //Proc. of REFSQ'15//. {{:research_activities:experiments:2014-rome-deepblue:gramatica-etal-refsq2015.pdf|PDF}} | ||
+ | * K. Labunets, F. Massacci, F. Paci, M. Ragosta, B. Solhaug, K. Stølen, A. Tedeschi. **A First Empirical Evaluation Framework for Security Risk Assessment Methods in the ATM Domain**, In //the Proceedings of 4th SESAR Innovation Days (SIDs'14).// {{:research_activities:experiments:2014-seceng:labunets-etal-sids_2014_paper_40.pdf|PDF}} | ||
* M. Giacalone, R. Mammoliti, F. Massacci, F. Paci, R. Perugino, and C. Selli. **Security Triage: A Report of a Lean Security Requirements Methodology for Cost-Effective Security Analysis.** A short summary appears In //Proc. of EmpiRE Workshop at IEEE RE'14//. {{:research_activities:experiments:giacalone-etal-re14-preprint.pdf|3 pages PDF}}. A longer Industry report appears in //Proc. of ESEM'2014//. {{:research_activities:security_requirements_engineering:paper-207-esem-2014.pdf|PDF (preprint)}} | * M. Giacalone, R. Mammoliti, F. Massacci, F. Paci, R. Perugino, and C. Selli. **Security Triage: A Report of a Lean Security Requirements Methodology for Cost-Effective Security Analysis.** A short summary appears In //Proc. of EmpiRE Workshop at IEEE RE'14//. {{:research_activities:experiments:giacalone-etal-re14-preprint.pdf|3 pages PDF}}. A longer Industry report appears in //Proc. of ESEM'2014//. {{:research_activities:security_requirements_engineering:paper-207-esem-2014.pdf|PDF (preprint)}} | ||
* K. Labunets, F. Paci, F. Massacci, and R. Ruprai. **An Experiment on Comparing Textual vs. Visual Industrial Methods for Security Risk Assessment.** In //Proc. of EmpiRE Workshop at IEEE RE'14// {{:research_activities:experiments:labunets-etal-empire-re14-preprint.pdf|PDF}} | * K. Labunets, F. Paci, F. Massacci, and R. Ruprai. **An Experiment on Comparing Textual vs. Visual Industrial Methods for Security Risk Assessment.** In //Proc. of EmpiRE Workshop at IEEE RE'14// {{:research_activities:experiments:labunets-etal-empire-re14-preprint.pdf|PDF}} | ||
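Review bot: the legend "In part (*) means confidential documents are distributed" no longer explains how the marker is used in the entries added above it. In the EMFASE SecRAM Evaluation Workshop entry the asterisk sits on "SESAR SecRAM (*)", "SECRAM catalogue (*)" and "Remotely Operated Tower (*)" but not on "BSI catalogue", and in the SESAR Innovation Days 2015 tutorial entry "Tabular (SESAR SecRAM)" carries no marker at all. Decide whether the marker means the method description, the catalogue or the case-study material was distributed under confidentiality, apply it consistently, and reword the legend to something like "(*) marks material distributed under confidentiality". The catalogue line also spells the method "SECRAM" while the entry title uses "SecRAM"; use one spelling throughout. In the Publications block the "Which Security Catalogue Is Better for Novices?" entry appears as removed and re-added only because the SIDs'15 paper was inserted above it; no change to that reference is needed.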