DISI Security Research Group Wiki

User Tools

Site Tools

Trace:
winter-schl-exp2014

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
winter-schl-exp2014 [2015/06/09 13:50] – [Supplement Materials] katsiaryna.labunets@unitn.itwinter-schl-exp2014 [2021/01/29 10:58] (current) – external edit 127.0.0.1
Line 1: Line 1:
  
 +====== Evaluating the Effect of the Catalogs Usage on Security Threats and Controls Identification (Novices) ======
  
-====== Evaluating the Effect of the Catalogs Usage on Security Threats and Controls Identification ======+This page provides additional resources that enable replication of our work published at {{:research_activities:experiments:2014-winter-school:labunets-etal-empire-re15-preprint.pdf|EmpiRE2015}}. See the [[validation_of_risk_and_security_requirements_methodologies|main page]] for our work on empirical validation of security risk assessment methods and other experiments.
  
 +===== Goals =====
 The goal of the experiment is to compare the effect of using domain-general versus domain-specific catalogs of threats and security controls on security risk assessment's actual effectiveness and perception.  The goal of the experiment is to compare the effect of using domain-general versus domain-specific catalogs of threats and security controls on security risk assessment's actual effectiveness and perception. 
  
-==== Supplement Materials ====+===== Context of the Experiment ===== 
 + 
 +==== Subjects ==== 
 +The participants of the experiment were 18 MSc students from different universities in Europe participating to EIT ICT Labs, a partnership between universities, research center and companies that promotes innovation in education and research. The participants worked in group of two. The groups were randomly assigned to two types of security catalogues: five groups used domain-specific catalogues and four groups used domain-general catalogues. 
 + 
 +==== Method and Catalogue ==== 
 +To conduct security risk assessment the groups used SESAR ATM Security Risk Assessment Method (SecRAM). As an instance of domain-specific catalogues we used the security catalogue developed by EUROCONTROL which come with SecRAM method. As an instance of domain-general catalogues we chose the threats and security controls catalogues of the [[https://www.bsi.bund.de/EN/Topics/ITGrundschutz/ITGrundschutzCatalogues/itgrundschutzcatalogues_node.html|BSI IT-Grundschutz standard]]. 
 + 
 +**The materials related to SecRAM method and EUROCONTROL EATM catalogues are confidential.** 
 + 
 +==== Application Scenario ==== 
 +As application scenario to be used by the participants, we chose a new operational concept which is emerging in the ATM named Remotely Operated Tower (ROT). The participants conducted security risk assessment using SecRAM with the assigned catalogues.  
 + 
 +{{:research_activities:experiments:2014-winter-school:rot_introduction_massacci.pdf|ROT tutorial}} 
 + 
 +==== Task ==== 
 +The experiment was conducted as part of the Winter School. The participants were given a tutorial on SESAR SecRAM method of the duration of 8 hours spanned over 2 days. The tutorial was divided into different parts. Each part consisted of 45 minutes of introduction of a couple of steps of the method, followed by 45 minutes of application of the steps and 15 minutes of presentation and discussion of the results with the expert. Once trained on the application scenario and the method, the participants had at least 6 hours in the class to revise the security risk assessment. After the application phase participants delivered their final reports documenting the conducted security risk assessment of the ROT.  
 + 
 +===== Measurements =====
 During the experiment we distributed among participants two type of questionnaires:   During the experiment we distributed among participants two type of questionnaires:  
-  * Pre-task questionnaire to collect some information about participants and thier background:{{:research_activities:experiments:2014-winter-school:2014-trento-winter-school-q1.pdf|Q1}}. +  * Pre-task questionnaire to collect some information about participants and their background:{{:research_activities:experiments:2014-winter-school:2014-trento-winter-school-q1.pdf|Background Questionnaire}}. 
-  * Post-task questionnaire to collect participants' perception of the method and catalogues: {{:research_activities:experiments:2014-winter-school:2014-trento-winter-school-q2-domcat.pdf|Q2}} .+  * Post-task questionnaire to collect participants' perception of the method and catalogues: {{:research_activities:experiments:2014-winter-school:2014-trento-winter-school-q2-domcat.pdf|version for domain-specific catalogues}} and {{:research_activities:experiments:2014-winter-school:2014-trento-winter-school-q2-gencat.pdf|domain-general catalogues}}. 
 + 
 +**Data collected during the experiment are available upon request.**
winter-schl-exp2014.1433850619.txt.gz · Last modified: (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki