eRISE Challenge 2013
The eRISE 2013 challenge was conducted to empirically evaluate security engineering and risk analysis methods. The event was carried out in May and June 2013. The first part of the experiment took place at the University of Trento, Italy (13-17 May, 2013), the second at Dauphine University, Paris, France (13-14 June, 2013).
It is part of our long-term project of empirical evaluation of security methodologies, the eRISE Challenge. See the main page for our work on empirical validation of security risk assessment methods and other experiments.
Participants
In eRISE 2013 the following people took part:
Customers:
Raminder Ruprai (National Grid, UK)
Jan Stijohann (Siemens AG, Germany)
Method Designers:
Le Minh Sang Tran - SINTEF/University of Trento (CORAS)
Kim Wuyts, Riccardo Scandariato - Katholieke Universiteit Leuven (LINDDUN)
David Garcia Rosado, Daniel Mellado - University of Castilla La Mancha (SREP)
Seda Gürses - Katholieke Universiteit Leuven (MPRA)
Observers:
Katsiaryna Labunets
Martina Degramatica
Mattia Salnitri
Tong Li
Participants:
29 students enrolled in the Master in Computer Science and Telecommunications at the University of Trento, with a background in Security Engineering and Information Systems
28 professionals attending a Master Course in Audit for Information System in Enterprises at Dauphine University. This master has an admission requirement of a minimum of five years of working experience in the field of Auditing in Information Systems
Experimental Procedure
eRISE 2013 will be conducted in three main phases:
eRISE 2013 Presentation. Introduction to Objectives and Activities:
April 23, 2013 at the University of Trento, Italy
slides
Training Phase. Participants attend tutorials on the methods under evaluation and on the Smart Grid industrial cases:
May 13-15, 2013 at the University of Trento, Italy
Application Phases. Participants apply the methods to analyse security issues of the Smart Grid industrial cases:
May 16-17, 2013 at the University of Trento, Italy
June 13-14, 2013 at Dauphine University, Paris, France
Evaluation Phase. Participants discuss the methods through focused group interviews and post-it notes sessions, while method designers and customers evaluate the final reports:
June 14, 2013 Focus Groups and Post-it notes sessions with participants, at Dauphine University, Paris, France
June 30 - July 15, 2013 Reports assessment by method designers and customers
Evaluated Methods
The selection of the security requirements methods to be evaluated is driven by three main factors: the number of citations, the fact that research on the method is still ongoing, and the availability of the method designers.
Five methods will be evaluated and compared during eRISE 2013:
LINDDUN is a methodology to elicit the privacy requirements of software-intensive systems and select privacy enhancing technologies, designed by the Distrinet Research Group at Katholieke Universiteit Leuven, Belgium. Materials: paper, case study, tutorial, additional materials.
MPRA is a multilateral privacy requirements analysis methodology proposed by Katholieke Universiteit Leuven, Belgium. Materials: paper, tutorial.
SREP is an asset-based and risk-driven method developed at University of Castilla-La Mancha, Spain for the establishment of security requirements in the development of secure Information Systems. Materials: paper, case study, tutorial.
Industrial Case Studies
In eRISE 2013 two industrial application scenarios from the Smart Grid domain will be proposed to the participants for analysis.
Electricity Transmission Network
The Electricity Transmission Network scenario has been proposed by National Grid, London, UK. This case study focuses on the electricity transmission network and service that National Grid plc provides in the United Kingdom. This scenario is focused on managing and balancing the Electricity Transmission Network.
The materials about this scenario are available here: scenario description, presentation, threat analysis, additional materials.
Smart Metering Scenario
The Smart Metering scenario has been proposed by Siemens. The Smart Grid is a large, flexible, self-monitoring, auto-balancing, and self-regulating infrastructure which uses ICT to gather and respond to information in an automated manner in order to improve the efficiency, reliability, and sustainability of the production and distribution of energy.
The core of a Smart Grid depends on intelligent, reliable, secure and cost-effective technology. The Smart Grid can be characterized as a combination of two infrastructures: the electrical grid, carrying the energy and maintaining the safety, availability, and performance of the grid, and the information infrastructure used to supervise and control the electrical grid operation.
The materials about this scenario are available here: scenario description and presentation.
eRISE 2013 Organization
eRISE 2013 - Goals and Organizational Details slides
Final Report Template
Template to deliver the final report: template
For organizational matters send an email to:
For questions about methods send an email to:
For questions about the case study send an email to: