DISI Security Research Group Wiki

The eRISE challenge 2011 was conducted for empirical evaluation of security engineering methods. The event was carried out in May 2011. Both parts of experiment: training and application, took place at Dauphine University, Paris, France.

eRISE event has the objective of providing the method designer with:

• Empirical evaluation and Benchmarking of security engineering methods;
• Knowledge of how and why participants intend to adopt a method;
• Feedback to improve a security method by investigating strengths, weakness and limitations of the method.

eRISE aims to provide the participants with the benefit of:

• Knowledge about various state-of-the art methods in the research field, on analyzing security risks and requirements of a system;
• Opportunity to participate and work on an international collaborative project remotely.

In eRISE 2011 were involved the following participants:

• Customers
  • Yudistira Asnar (University of Trento)
  • Federica Paci (University of Trento)
• Method Designers:
  • Atle Refsdal - SINTEF (CORAS)
  • Thein Than Tun - Open University (Security Argumentation)
  • Michalis Pavlidis, Shareeful Islam - University of East London (Secure Tropos)
  • Fabio Massacci - University of Trento (Si*)
• Participants:
  • 13 students were enrolled in the Master in Computer Science at the University of Trento;
  • 36 professionals were attending a Master Course in Management of Information System Enterprise at Dauphine University. This master has an admission requirement of a minimum of five years of working experience in the field of Auditing in Information Systems

The selection of the security requirements methods to be evaluated was driven by three main factors: the number of citations, the fact that research on the method is still ongoing, and availability of the methods designers.

Four methods have been evaluated and compared during eRISE 2011:

• CORAS is a model-driven method for risk analysis proposed by SINTEF, Norway. Materials: book chapter, tutorial.
• SECURITY ARGUMENTATION is a framework for security requirements elicitation and analysis developed at Open University, Buckinghamshire, United Kingdom. Materials: paper, tutorial.
• SECURE TROPOS is a methodology designed at University of East London, United Kingdom; the methodology supports capturing, analysis and reasoning of security requirements from the early stages of the development process. Materials: paper, tutorial.
• SI* is a formal framework developed at the University of Trento, Italy for modeling and analyzing security requirements of an organization. Materials: paper, tutorial.

In eRISE 2011 fictional application scenario, Healthcare Collaboration Network(HCN), was proposed to the participant for analysis.

Regional HealthCare Authority needs to monitor and alert citizens on occurrence of endemic or pandemic diseases within the region of CityVille. Healthcare Authority decides to create Healthcare Collaboration network involving data source organizations (like hospitals, physicians) and data review organizations (like government agencies, health insurers). Participants perform the role of consultants in analyzing the main threats; ensuring the information security and privacy protection of Healthcare collaboration network.

The materials about this scenario are available online: scenario description and presentation.

eRISE 2011 was conducted in three main phases:

• Training Phase on May 13, 2011 (at Dauphine Paris University), where participants attended tutorials on the methods under evaluation and on the HCN case.
• Application Phases on May 14-27, 2011 (with face-to-face session on May 26-27 at Dauphine Paris University) where participants applied the methods to analyse security issues of the HCN case.
• Evaluation Phase, where participants evaluated the methods through focused group interviews while method designers evaluated the final reports. The goal is to assess the correctness of the methods application and the quality of the security requirements identified by the participants.

We have collected different kinds of data:

• Questionnaires include questions on subjects' knowledge of IT security, risk assessment, and requirements engineering and their evaluation of the methods' aspects. The participants were administered four questionnaires during the execution of the eRISE 2011:
  • Q1 was administered at the beginning of the Training phase to collect participants' background (Q1);
  • Q2 was distributed at the end of Training phase to collect participants' impression about the method that they were working with, regardless of the scenario on which they were asked to apply the method (Q2);
  • Q3 was administered at the end of remote part of the Application phase to collect participants' impression about the method that they were assigned to, after using it via remote collaboration tools (Q3);
  • Q4 was administered after face-to-face collaboration part of the Application phase (Q4);
• Audio/Video Recordings* capture the application of the methods by subjects and the focus groups interviews;
• Post-it Notes* list positive and negative aspects about the methods and the study itself;
• Focus Group Transcripts* report the discussion with method designers a number of topics related to the method, its application on the given scenario and the process of evaluation.
• Group Presentations* by participants summarize the results of method's application;
• Final Reports* describe in detail how participants have identified the security requirements following the method.

* These materials are available upon e-mail request.

Questionnaires have been analyzed using statistical analysis. For post-it notes we have used affinity analysis in order to group similar feedback on positive and negative aspects of the methods. The transcripts of the focus groups discussions have been analyzed using coding, a content analysis technique used in grounded theory. Coding helped us to discover text patterns that are relevant to what makes methods effective in identifying security requirements and why.