

An Experimental Comparison of Two Risk-Based Security Methods

An experiment by Katsyarina Labunets, Fabio Massacci, Federica Paci, Le Minh Sang Tran.

This page provides additional resources that enable replication of our work published at ESEM 2013.

Goals

The goal of the experiment was to evaluate and compare two types of risk-driven methods, namely, visual methods (CORAS) and textual methods (SREP) with respect to their effectiveness in identifying threats and security requirements, and the participants’ perception of the two methods.

Context of the Experiment

Subjects

The experiment involved 28 participants: 16 students of the master in Computer Science and 12 students of the EIT ICT LAB master in Security and Privacy. They were divided into 16 groups using a randomized block design.

Methods

Method experts gave the participants a CORAS tutorial and a SREP tutorial. The two methods are briefly introduced as follows:

CORAS is a visual method which consists of three tightly integrated parts: a method for risk analysis, a language for risk modeling, and a tool to support the risk analysis process. The risk analysis in CORAS is a structured and systematic process which uses diagrams to document the result of each step. The steps are based on the international standard ISO 31000 for risk management: context establishment, risk analysis (which identifies assets, unwanted incidents, threats and vulnerabilities), and risk treatment.

SREP is an asset-based and risk-driven method for the establishment of security requirements of secure Information Systems. SREP supports a micro-process, consisting of nine steps: agree on definitions, identify critical assets, identify security objectives, identify threats and develop artifacts, risk assessment, elicit security requirements, categorize and prioritize security requirements, requirements inspection, and repository improvement. The result of the execution of each step of the process is represented using tables or natural language. SREP is compliant with international standards ISO/IEC 27002 and ISO/IEC 15408 within the scope of requirements engineering and security management.

Case Study

A domain expert introduced the Smart Grid application scenario to the participants. The Smart Grid is an electricity network that can integrate, in a cost-efficient manner, the behavior and actions of all users connected to it, such as generators and consumers. It uses information and communication technologies to optimize the transmission and distribution of electricity from suppliers to consumers.

Task

The experiment was conducted as part of the Security Engineering course. Here, you can find the summary of the tasks to be accomplished in the experiment.

Measurements

During the experiment two types of questionnaires were distributed to the participants: a Background Questionnaire (Q1) and a Post-Task Questionnaire (Q2), used to assess the difference in the participants’ perception of visual and textual methods. Students also evaluated the methods in an interview session, giving their overall opinion and listing advantages and disadvantages of the considered methodologies. Lastly, the participants had to summarize the results they achieved in a final report.

Results

Additional Material

seceng-course-exp-2012.1404826308.txt.gz · Last modified: 2021/01/29 10:58 (external edit)