emfase

Differences

This shows you the differences between two versions of the page.

emfase [2016/03/03 14:12]
fabio.massacci@unitn.it [Current Activities]
emfase [2021/01/29 10:58] (current)
Line 38: Line 38:
 ===== Partners ===== ===== Partners =====
  
-University of Trento (Coordinator),​ SINTEF ​and DeepBlue.+University of Trento (Coordinator, Italy), SINTEFDeepBlue ​and University of Southampton.
  
 ===== Project Internal Information ===== ===== Project Internal Information =====
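Review bot: In the new Partners line the separator between "SINTEF" and "DeepBlue" is missing as shown ("SINTEFDeepBlue and University of Southampton"), so the list reads as three partners rather than four; it should read "SINTEF, DeepBlue and University of Southampton". A country is also now given only for the coordinator ("Coordinator, Italy"); either add the country for every partner or drop it.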
Line 44: Line 44:
 Please check [[https://​trinity.disi.unitn.it/​emfase/​|SVN Repository]] (Restricted Access) Please check [[https://​trinity.disi.unitn.it/​emfase/​|SVN Repository]] (Restricted Access)
  
 +===== Project presentation ===== 
 +{{:​projects:​emfase:​deliverable:​emfase_poster_35x50_cmyk_small.pdf|EMFASE Poster presented at SID 2013}}
  
  
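Review bot: The link label in the added "Project presentation" section writes the event as "SID 2013", while the Publications entries on this page write it as "SESAR Innovation Days (SIDs'14)" and "(SIDs'15)"; use one form throughout, for example "SESAR Innovation Days 2013".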
Line 62: Line 63:
  
 ==== Experiments ==== ==== Experiments ====
 +
 +=== Comparison of Security Risk Assessment methods ===
   - UNITN Security Engineering course 2013-14:   - UNITN Security Engineering course 2013-14:
-    * Participants:​ students ​around 60 sort of controlled participants +    * Participants: ​29 MSc students ​enrolled to Security Engineering course at the University ​of Trento 
-    * Method: ​Coras vs Eurocontrol SECRAM (*)+    * Method: ​CORAS vs Eurocontrol SECRAM (*)
     * Case Study: SmartGrid     * Case Study: SmartGrid
     * Final result: excel file with threats and controls, presentations,​ report     * Final result: excel file with threats and controls, presentations,​ report
     * Feedback: questionnaire,​ interview     * Feedback: questionnaire,​ interview
 +  - First International Week with Italian Post on Cyber Security in Complex Information Systems 2014 (Rome, Italy):
 +    * Participants:​ students - around 60 sort of controlled participants
 +    * Method: CORAS vs SESAR SECRAM (*)
 +    * Case Study: Online Banking
 +    * Final result: excel file with threats and controls, report
 +    * Feedback: questionnaire
 +  - UNITN Security Engineering course 2014-15:
 +    * Participants:​ MSc students - around 30 sort of controlled participants
 +    * Method: CORAS vs SESAR SecRAM (*)
 +    * Case Study: Remotely Operated Tower (ATM) (*)
 +    * Final result: excel file with threats and controls, presentations,​ report
 +    * Feedback: questionnaire,​ focus groups interview
 +  - UNITN Security Engineering course 2015-16:
 +    * Participants:​ MSc students - around 50 sort of controlled participants ​
 +    * Method: CORAS vs SESAR SecRAM (*)
 +    * Case Study: Unmanned Aerial System Traffic Management (UTM)
 +    * Final result: excel file with threats and controls, presentations,​ report
 +    * Feedback: questionnaire,​ focus groups interview
 +
 +=== Effectiveness of Catalogues of Threats and Security Controls in Security Risk Assessment ===
   - EIT Winter School 2014:    - EIT Winter School 2014: 
     * Participants:​ students around 20 sort of controlled participants     * Participants:​ students around 20 sort of controlled participants
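Review bot: The "Method:" lines in this subsection name the second method three different ways ("Eurocontrol SECRAM", "SESAR SECRAM", "SESAR SecRAM"), which leaves it unclear whether the 2013-14 course used a different method from the later runs; pick one spelling and say explicitly if the Eurocontrol and SESAR variants differ. The rewritten first entry now gives an exact count ("29 MSc students"), but the three added entries keep "around 60/30/50 sort of controlled participants"; give exact counts there too and state what was controlled instead of "sort of controlled". In the same line, "enrolled to Security Engineering course" should read "enrolled in the Security Engineering course".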
Line 74: Line 97:
     * Final result: excel file with requirements,​ hand-drawn poster for result presentation,​ report     * Final result: excel file with requirements,​ hand-drawn poster for result presentation,​ report
     * Feedback: questionnaire     * Feedback: questionnaire
 +  - EMFASE SecRAM Evaluation Workshop ​ 2014: 
 +    * Participants:​ professionals around 15 sort of controlled participants
 +    * Method: SESAR SecRAM (*) + [ BSI catalogue vs SECRAM catalogue (*) vs No catalogue (control group)]
 +    * Case Study: Remotely Operated Tower (*)
 +    * Final result: excel file with requirements,​ report
 +    * Feedback: questionnaire,​ focus groups interview
  
 +=== An Empirical Comparison of Tabular vs. Graphical Risk Model Representations ===
 +  - UNITN Security Engineering course 2014-15:
 +    * Participants:​ 35 MSc students - controlled participants
 +    * Representation:​ Graphical (CORAS) vs Tabular (NIST)
 +    * Scenario: Online Banking and Health Care Network
 +    * Final result: responses to the online comprehensibility task
 +    * Feedback: post-task questionnaire
 +  - University of Oslo Model Engineering course 2014-2015:
 +    * Participants:​ 11 MSc students - controlled participants
 +    * Representation:​ Graphical (CORAS) vs Tabular (NIST)
 +    * Scenario: Online Banking
 +    * Final result: responses to the online comprehensibility task
 +    * Feedback: post-task questionnaire
 +  - PUCRS Information Systems course 2014-15:
 +    * Participants:​ 27 MSc and 13 BSc students - controlled participants
 +    * Representation:​ Graphical (CORAS) vs Tabular (NIST)
 +    * Scenario: Online Banking and Health Care Network
 +    * Final result: responses to the online comprehensibility task
 +    * Feedback: post-task questionnaire
 +  - University of Calabria Cybersecurity professional master course - September 2015:
 +    * Participants:​ 52 MSc students - controlled participants
 +    * Representation:​ Graphical (CORAS) vs Tabular (NIST)
 +    * Scenario: Online Banking and Health Care Network
 +    * Final result: responses to the online comprehensibility task
 +    * Feedback: post-task questionnaire
 +  - UNITN Security Engineering course 2015-16:
 +    * Participants:​ 51 MSc students - controlled participants
 +    * Representation:​ Graphical (CORAS) vs Tabular (NIST)
 +    * Scenario: Online Banking and Health Care Network
 +    * Final result: responses to the online comprehensibility task
 +    * Feedback: post-task questionnaire
 +  - EMFASE - Security Risk Assessment Tutorial at SESAR Innovation Days 2015 (Bologna, Italy):
 +    * Participants:​ 14 professionals - sort of controlled participants
 +    * Representation:​ Graphical (CORAS) vs Tabular (SESAR SecRAM)
 +    * Scenario: Online Banking ​
 +    * Final result: responses to the paper-based comprehensibility task
 +    * Feedback: post-task questionnaire
 +  - EMFASE Online Study on Comprehensibility of Risk Models:
 +    * Participants:​ 60 professionals
 +    * Representation:​ Graphical (CORAS) vs Tabular (NIST)
 +    * Scenario: Online Banking ​
 +    * Final result: responses to the online comprehensibility task
 +    * Feedback: post-task questionnaire
 In part (*) means confidential documents are distributed In part (*) means confidential documents are distributed
  
-==== Deliverables ==== +===== Deliverables ​===== 
-  - {{:​projects:​emfase:​e.02.32_d1.1_selection_of_risk_assessment_methods_object_of_study_00.01.03.pdf|Selection of risk assessment methods object of study}}+  - {{:​projects:​emfase:​e.02.32_d1.1_selection_of_risk_assessment_methods_object_of_study_00.01.03.pdf|D1.1 Selection of risk assessment methods object of study}} 
 +  - {{:​projects:​emfase:​deliverable:​d1-2_firstempiricalevaluationframework_v000102.pdf|D1.2 First Empirical Evaluation Framework}} 
 +  - {{:​projects:​emfase:​deliverable:​e.02.32_d1.3_refinedempiricalevaluationframework_v000100.pdf|D1.3 Refined Empirical Evaluation Framework}} 
 +  - {{:​projects:​emfase:​deliverable:​d2_1_scenariodescriptions_v00_01_03.pdf|D2.1 Scenario Descriptions}} 
 +  - {{:​projects:​emfase:​deliverable:​e.02.32_-_emfase_-_d2.2_-_first_evaluation_report_ed.00.01.00.pdf|D2.2 First Evaluation Report}} 
 +  - {{:​projects:​emfase:​deliverable:​e_02_32_-_emfase_-_d3_1_-_draft_causal_explanations-ed.00.01.00.pdf|D3.1 Draft Causal Explanations}} 
 +  
 +===== Publications ===== 
 +    * K. Labunets, Y. Li, F. Massacci, F. Paci, M. Ragosta, B. Solhaug, K. Stølen, A. Tedeschi. **Preliminary Experiments on the Relative Comprehensibility of Tabular and Graphical Risk Models**, In //the Proceedings of 5th SESAR Innovation Days (SIDs'​15).//​ {{:​research_activities:​experiments:​2014-comprehensibility:​labunets-etal-sids_2015_paper_32.pdf|PDF}} 
 +    * K. Labunets, F. Paci, F. Massacci. **Which Security Catalogue Is Better for Novices?** In //Proc. of EmpiRE Workshop at IEEE RE'​15.//​ {{:​research_activities:​experiments:​2014-winter-school:​labunets-etal-empire-re15-preprint.pdf|PDF (preprint)}} 
 +  * M. de Gramatica, K. Labunets, F. Massacci, F. Paci, and A. Tedeschi. **The Role of Catalogues of Threats and Security Controls in Security Risk Assessment: An Empirical Study with ATM Professionals.** In //Proc. of REFSQ'​15//​. {{:​research_activities:​experiments:​2014-rome-deepblue:​gramatica-etal-refsq2015.pdf|PDF}} 
 +  * K. Labunets, F. Massacci, F. Paci, M. Ragosta, B. Solhaug, K. Stølen, A. Tedeschi. **A First Empirical Evaluation Framework for Security Risk Assessment Methods in the ATM Domain**, In //the Proceedings of 4th SESAR Innovation Days (SIDs'​14).//​ {{:​research_activities:​experiments:​2014-seceng:​labunets-etal-sids_2014_paper_40.pdf|PDF}} 
 +  * M. Giacalone, R. Mammoliti, F. Massacci, F. Paci, R. Perugino, and C. Selli. **Security Triage: A Report of a Lean Security Requirements Methodology for Cost-Effective Security Analysis.** A short summary appears In //Proc. of EmpiRE Workshop at IEEE RE'​14//​. {{:​research_activities:​experiments:​giacalone-etal-re14-preprint.pdf|3 pages PDF}}. A longer Industry report appears in //Proc. of ESEM'​2014//​. {{:​research_activities:​security_requirements_engineering:​paper-207-esem-2014.pdf|PDF (preprint)}} 
 +  * K. Labunets, F. Paci, F. Massacci, and R. Ruprai. **An Experiment on Comparing Textual vs. Visual Industrial Methods for Security Risk Assessment.** In //Proc. of EmpiRE Workshop at IEEE RE'​14//​ {{:​research_activities:​experiments:​labunets-etal-empire-re14-preprint.pdf|PDF}}
  
-==== Publications ==== 
-  -  
  
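Review bot: In the added Publications list the first two entries are indented four spaces ("    * K. Labunets ...") and the remaining four are indented two ("  * M. de Gramatica ..."), so DokuWiki will render the first two as a nested level; indent all six with two spaces. The context line "In part (*) means confidential documents are distributed" now follows the last item of the new tabular-vs-graphical subsection with no blank line, although none of that subsection's entries carries a (*); move it directly under "==== Experiments ====" or set it off as its own paragraph so it applies to all three subsections. Smaller points: "2014-2015" in the University of Oslo entry against "2014-15" elsewhere, and "SECRAM catalogue" against "SESAR SecRAM" within the same "Method:" line of the Evaluation Workshop entry.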
emfase.1457010744.txt.gz · Last modified: 2021/01/29 10:58 (external edit)