
eRISE Challenge 2012

The eRISE 2012 challenge was conducted to empirically evaluate security engineering and risk analysis methods. The event was carried out in May and June 2012. The first part of the experiment took place at the University of Trento, Italy, the second at Dauphine University, Paris, France.

To get a glimpse of eRISE 2012 you can watch the eRISE 2012 video on YouTube. See the main page for our work on empirical validation of security risk assessment methods and other experiments.

Participants

The following participants were involved in eRISE 2012:

Evaluated Methods

The selection of the security requirements methods to be evaluated was driven by three main factors: the number of citations, the fact that research on the method is still ongoing, and the availability of the methods' designers.

Five methods have been evaluated and compared during eRISE 2012:

Application scenarios

In eRISE 2012 two industrial application scenarios were proposed to the participants for analysis.

Health Care

The Health Care scenario was proposed by Siemens. This scenario was related to the management of electronic healthcare records. The scenario focused on registering new patients in a clinic, including assigning the clinicians (doctors, nurses, etc.), reading and updating a record, retrieving patient information from external sources, and providing the results of examinations and treatment to authorized external clinical entities.

The materials about this scenario are available online: scenario description and presentation.

Smart Grids

The Smart Grids scenario was proposed by Atos Research. A Smart Grid is an electricity network that uses information and communication technology (ICT) to optimize the transmission and distribution of electricity from suppliers to consumers. In particular, the scenario focused on the smart meter, which records consumption of electric energy and communicates this information daily back to the utility for monitoring and billing purposes.

The materials about this scenario are available online: scenario description and presentation.

Experimental Procedure

eRISE 2012 was conducted in three main phases:

Data Collection and Analysis

We have collected different kinds of data:

* These materials are available upon e-mail request.

Data Analysis

Questionnaires have been analyzed using statistical analysis. For post-it notes we have used affinity analysis in order to group similar feedback on positive and negative aspects of the methods. The transcripts of the focus group discussions have been analyzed using coding, a content analysis technique used in grounded theory. Coding helped us to discover text patterns that are relevant to what makes methods effective in identifying security requirements and why. We have performed a qualitative analysis of the final reports.