DISI Security Research Group Wiki

User Tools

Site Tools

Trace:
emfase

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
emfase [2016/03/03 14:12] – [Publications] fabio.massacci@unitn.itemfase [2021/01/29 10:58] (current) – external edit 127.0.0.1
Line 38: Line 38:
 ===== Partners ===== ===== Partners =====
  
-University of Trento (Coordinator), SINTEF and DeepBlue.+University of Trento (Coordinator, Italy), SINTEFDeepBlue and University of Southampton.
  
 ===== Project Internal Information ===== ===== Project Internal Information =====
Line 44: Line 44:
 Please check [[https://trinity.disi.unitn.it/emfase/|SVN Repository]] (Restricted Access) Please check [[https://trinity.disi.unitn.it/emfase/|SVN Repository]] (Restricted Access)
  
 +===== Project presentation ===== 
 +{{:projects:emfase:deliverable:emfase_poster_35x50_cmyk_small.pdf|EMFASE Poster presented at SID 2013}}
  
  
Line 62: Line 63:
  
 ==== Experiments ==== ==== Experiments ====
 +
 +=== Comparison of Security Risk Assessment methods ===
   - UNITN Security Engineering course 2013-14:   - UNITN Security Engineering course 2013-14:
-    * Participants: students around 60 sort of controlled participants +    * Participants: 29 MSc students enrolled to Security Engineering course at the University of Trento 
-    * Method: Coras vs Eurocontrol SECRAM (*)+    * Method: CORAS vs Eurocontrol SECRAM (*)
     * Case Study: SmartGrid     * Case Study: SmartGrid
     * Final result: excel file with threats and controls, presentations, report     * Final result: excel file with threats and controls, presentations, report
     * Feedback: questionnaire, interview     * Feedback: questionnaire, interview
 +  - First International Week with Italian Post on Cyber Security in Complex Information Systems 2014 (Rome, Italy):
 +    * Participants: students - around 60 sort of controlled participants
 +    * Method: CORAS vs SESAR SECRAM (*)
 +    * Case Study: Online Banking
 +    * Final result: excel file with threats and controls, report
 +    * Feedback: questionnaire
 +  - UNITN Security Engineering course 2014-15:
 +    * Participants: MSc students - around 30 sort of controlled participants
 +    * Method: CORAS vs SESAR SecRAM (*)
 +    * Case Study: Remotely Operated Tower (ATM) (*)
 +    * Final result: excel file with threats and controls, presentations, report
 +    * Feedback: questionnaire, focus groups interview
 +  - UNITN Security Engineering course 2015-16:
 +    * Participants: MSc students - around 50 sort of controlled participants 
 +    * Method: CORAS vs SESAR SecRAM (*)
 +    * Case Study: Unmanned Aerial System Traffic Management (UTM)
 +    * Final result: excel file with threats and controls, presentations, report
 +    * Feedback: questionnaire, focus groups interview
 +
 +=== Effectiveness of Catalogues of Threats and Security Controls in Security Risk Assessment ===
   - EIT Winter School 2014:    - EIT Winter School 2014: 
     * Participants: students around 20 sort of controlled participants     * Participants: students around 20 sort of controlled participants
Line 74: Line 97:
     * Final result: excel file with requirements, hand-drawn poster for result presentation, report     * Final result: excel file with requirements, hand-drawn poster for result presentation, report
     * Feedback: questionnaire     * Feedback: questionnaire
 +  - EMFASE SecRAM Evaluation Workshop  2014: 
 +    * Participants: professionals around 15 sort of controlled participants
 +    * Method: SESAR SecRAM (*) + [ BSI catalogue vs SECRAM catalogue (*) vs No catalogue (control group)]
 +    * Case Study: Remotely Operated Tower (*)
 +    * Final result: excel file with requirements, report
 +    * Feedback: questionnaire, focus groups interview
  
 +=== An Empirical Comparison of Tabular vs. Graphical Risk Model Representations ===
 +  - UNITN Security Engineering course 2014-15:
 +    * Participants: 35 MSc students - controlled participants
 +    * Representation: Graphical (CORAS) vs Tabular (NIST)
 +    * Scenario: Online Banking and Health Care Network
 +    * Final result: responses to the online comprehensibility task
 +    * Feedback: post-task questionnaire
 +  - University of Oslo Model Engineering course 2014-2015:
 +    * Participants: 11 MSc students - controlled participants
 +    * Representation: Graphical (CORAS) vs Tabular (NIST)
 +    * Scenario: Online Banking
 +    * Final result: responses to the online comprehensibility task
 +    * Feedback: post-task questionnaire
 +  - PUCRS Information Systems course 2014-15:
 +    * Participants: 27 MSc and 13 BSc students - controlled participants
 +    * Representation: Graphical (CORAS) vs Tabular (NIST)
 +    * Scenario: Online Banking and Health Care Network
 +    * Final result: responses to the online comprehensibility task
 +    * Feedback: post-task questionnaire
 +  - University of Calabria Cybersecurity professional master course - September 2015:
 +    * Participants: 52 MSc students - controlled participants
 +    * Representation: Graphical (CORAS) vs Tabular (NIST)
 +    * Scenario: Online Banking and Health Care Network
 +    * Final result: responses to the online comprehensibility task
 +    * Feedback: post-task questionnaire
 +  - UNITN Security Engineering course 2015-16:
 +    * Participants: 51 MSc students - controlled participants
 +    * Representation: Graphical (CORAS) vs Tabular (NIST)
 +    * Scenario: Online Banking and Health Care Network
 +    * Final result: responses to the online comprehensibility task
 +    * Feedback: post-task questionnaire
 +  - EMFASE - Security Risk Assessment Tutorial at SESAR Innovation Days 2015 (Bologna, Italy):
 +    * Participants: 14 professionals - sort of controlled participants
 +    * Representation: Graphical (CORAS) vs Tabular (SESAR SecRAM)
 +    * Scenario: Online Banking 
 +    * Final result: responses to the paper-based comprehensibility task
 +    * Feedback: post-task questionnaire
 +  - EMFASE Online Study on Comprehensibility of Risk Models:
 +    * Participants: 60 professionals
 +    * Representation: Graphical (CORAS) vs Tabular (NIST)
 +    * Scenario: Online Banking 
 +    * Final result: responses to the online comprehensibility task
 +    * Feedback: post-task questionnaire
 In part (*) means confidential documents are distributed In part (*) means confidential documents are distributed
  
 ===== Deliverables ===== ===== Deliverables =====
-  - {{:projects:emfase:e.02.32_d1.1_selection_of_risk_assessment_methods_object_of_study_00.01.03.pdf|Selection of risk assessment methods object of study}} +  - {{:projects:emfase:e.02.32_d1.1_selection_of_risk_assessment_methods_object_of_study_00.01.03.pdf|D1.1 Selection of risk assessment methods object of study}} 
 +  - {{:projects:emfase:deliverable:d1-2_firstempiricalevaluationframework_v000102.pdf|D1.2 First Empirical Evaluation Framework}} 
 +  - {{:projects:emfase:deliverable:e.02.32_d1.3_refinedempiricalevaluationframework_v000100.pdf|D1.3 Refined Empirical Evaluation Framework}} 
 +  - {{:projects:emfase:deliverable:d2_1_scenariodescriptions_v00_01_03.pdf|D2.1 Scenario Descriptions}} 
 +  - {{:projects:emfase:deliverable:e.02.32_-_emfase_-_d2.2_-_first_evaluation_report_ed.00.01.00.pdf|D2.2 First Evaluation Report}} 
 +  - {{:projects:emfase:deliverable:e_02_32_-_emfase_-_d3_1_-_draft_causal_explanations-ed.00.01.00.pdf|D3.1 Draft Causal Explanations}} 
 + 
 ===== Publications ===== ===== Publications =====
-  +    * K. Labunets, Y. Li, F. Massacci, F. Paci, M. Ragosta, B. Solhaug, K. Stølen, A. Tedeschi. **Preliminary Experiments on the Relative Comprehensibility of Tabular and Graphical Risk Models**, In //the Proceedings of 5th SESAR Innovation Days (SIDs'15).// {{:research_activities:experiments:2014-comprehensibility:labunets-etal-sids_2015_paper_32.pdf|PDF}} 
 +    * K. Labunets, F. Paci, F. Massacci. **Which Security Catalogue Is Better for Novices?** In //Proc. of EmpiRE Workshop at IEEE RE'15.// {{:research_activities:experiments:2014-winter-school:labunets-etal-empire-re15-preprint.pdf|PDF (preprint)}} 
 +  * M. de Gramatica, K. Labunets, F. Massacci, F. Paci, and A. Tedeschi. **The Role of Catalogues of Threats and Security Controls in Security Risk Assessment: An Empirical Study with ATM Professionals.** In //Proc. of REFSQ'15//. {{:research_activities:experiments:2014-rome-deepblue:gramatica-etal-refsq2015.pdf|PDF}} 
 +  * K. Labunets, F. Massacci, F. Paci, M. Ragosta, B. Solhaug, K. Stølen, A. Tedeschi. **A First Empirical Evaluation Framework for Security Risk Assessment Methods in the ATM Domain**, In //the Proceedings of 4th SESAR Innovation Days (SIDs'14).// {{:research_activities:experiments:2014-seceng:labunets-etal-sids_2014_paper_40.pdf|PDF}} 
 +  * M. Giacalone, R. Mammoliti, F. Massacci, F. Paci, R. Perugino, and C. Selli. **Security Triage: A Report of a Lean Security Requirements Methodology for Cost-Effective Security Analysis.** A short summary appears In //Proc. of EmpiRE Workshop at IEEE RE'14//. {{:research_activities:experiments:giacalone-etal-re14-preprint.pdf|3 pages PDF}}. A longer Industry report appears in //Proc. of ESEM'2014//. {{:research_activities:security_requirements_engineering:paper-207-esem-2014.pdf|PDF (preprint)}} 
 +  * K. Labunets, F. Paci, F. Massacci, and R. Ruprai. **An Experiment on Comparing Textual vs. Visual Industrial Methods for Security Risk Assessment.** In //Proc. of EmpiRE Workshop at IEEE RE'14// {{:research_activities:experiments:labunets-etal-empire-re14-preprint.pdf|PDF}} 
  
emfase.1457010772.txt.gz · Last modified: (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki