eRISE Challenge 2011

The eRISE challenge 2011 was conducted to empirically evaluate security engineering methods. The event was carried out in May 2011. Both parts of the experiment, the training and application phases, took place at Dauphine University, Paris, France.

You can watch a video of the eRISE 2011 presentation on YouTube and download the slides. See the main page for our work on empirical validation of security risk assessment methods and other experiments.

Participants

The following participants were involved in eRISE 2011:

Evaluated Methods

The selection of the security requirements methods to be evaluated was driven by three main factors: the number of citations, the fact that research on the method is still ongoing, and the availability of the methods' designers.

Four methods were evaluated and compared during eRISE 2011:

Application scenario

In eRISE 2011, a fictional application scenario, the Healthcare Collaboration Network (HCN), was proposed to the participants for analysis.

The Regional Healthcare Authority needs to monitor and alert citizens about the occurrence of endemic or pandemic diseases within the region of CityVille. The Healthcare Authority decides to create a Healthcare Collaboration Network involving data source organizations (such as hospitals and physicians) and data review organizations (such as government agencies and health insurers). Participants perform the role of consultants in analyzing the main threats and ensuring the information security and privacy protection of the Healthcare Collaboration Network.

During the training day, the participants received two chapters of the HCN book (Ch. 1 and Ch. 6). The participants were also given a 1-hour seminar about HCN by one member of the organizing team.

The materials about this scenario are available online: HCN chapters, presentation, customer's email, Adverse Drug Event FAQ.

Experimental Procedure

eRISE 2011 was conducted in three main phases:

Data Collection and Analysis

We have collected different kinds of data:

* These materials are available upon e-mail request.

Data Analysis

Questionnaires were analyzed using statistical analysis. For post-it notes, we used affinity analysis to group similar feedback on positive and negative aspects of the methods. The transcripts of the focus group discussions were analyzed using coding, a content analysis technique used in grounded theory. Coding helped us discover text patterns that are relevant to what makes methods effective in identifying security requirements and why.