erise_2011
erise_2011 [2013/04/09 11:24] – [eRISE Challenge 2011] katsiaryna.labunets@unitn.it | erise_2011 [2021/01/29 10:58] (current) – external edit 127.0.0.1 | ||
Line 2: | Line 2: | ||
The eRISE challenge 2011 was conducted for empirical evaluation of security engineering methods. The event was carried out in May 2011. Both parts of experiment, training and application phases, took place at Dauphine University, Paris, France. | The eRISE challenge 2011 was conducted for empirical evaluation of security engineering methods. The event was carried out in May 2011. Both parts of experiment, training and application phases, took place at Dauphine University, Paris, France. | ||
+ | You can look a video of eRISE 2011 presentation on [[http:// | ||
==== Participants ==== | ==== Participants ==== | ||
- | In eRISE 2011 were involved the following participants: | + | In eRISE 2011 were involved the following participants: |
* **Customers** | * **Customers** | ||
- | * Yudistira Asnar (University of Trento) | + | |
- | * Federica Paci (University of Trento) | + | |
* **Method Designers**: | * **Method Designers**: | ||
- | * Atle Refsdal - SINTEF (CORAS) | + | |
- | * Thein Than Tun - Open University (Security Argumentation) | + | |
- | * Michalis Pavlidis, Shareeful Islam - University of East London (Secure Tropos) | + | |
- | * Fabio Massacci - University of Trento (Si*) | + | |
- | * **Participants**: | + | * **Participants**: |
- | * 13 students were enrolled in the Master in Computer Science at the University of Trento; | + | |
- | * 36 professionals were attending a Master Course in Management of Information System Enterprise at Dauphine University. This master has an admission requirement of a minimum of five years of working experience in the field of Auditing in Information Systems | + | |
==== Evaluated Methods ==== | ==== Evaluated Methods ==== | ||
The selection of the security requirements methods to be evaluated was driven | The selection of the security requirements methods to be evaluated was driven | ||
Line 24: | Line 23: | ||
Four methods have been evaluated and compared during eRISE 2011: | Four methods have been evaluated and compared during eRISE 2011: | ||
- | * **CORAS** is a model-driven method for risk analysis proposed by SINTEF, Norway. Materials: book chapter, tutorial. | + | * **CORAS** is a model-driven method for risk analysis proposed by SINTEF, Norway. Materials: |
- | * **SECURITY ARGUMENTATION** is a framework for security requirements elicitation and analysis developed at Open University, Buckinghamshire, | + | * **SECURITY ARGUMENTATION** is a framework for security requirements elicitation and analysis developed at Open University, Buckinghamshire, |
- | * **SECURE TROPOS** is a methodology designed at University of East London, United Kingdom; the methodology supports capturing, analysis and reasoning of security requirements from the early stages of the development process. Materials: paper, tutorial. | + | * **SECURE TROPOS** is a methodology designed at University of East London, United Kingdom; the methodology supports capturing, analysis and reasoning of security requirements from the early stages of the development process. Materials: |
- | * **SI* ** is a formal framework developed at the University of Trento, Italy for modeling and analyzing security requirements of an organization. Materials: paper, tutorial. | + | * **SI* ** is a formal framework developed at the University of Trento, Italy for modeling and analyzing security requirements of an organization. Materials: |
==== Application scenario ==== | ==== Application scenario ==== | ||
In eRISE 2011 fictional application scenario, Healthcare Collaboration Network(HCN), | In eRISE 2011 fictional application scenario, Healthcare Collaboration Network(HCN), | ||
- | Regional HealthCare Authority needs to monitor and alert citizens on occurrence of endemic or pandemic diseases within the region of CityVille. Healthcare Authority decides to create Healthcare Collaboration network involving data source organizations (like hospitals, physicians) and data review organizations (like government agencies, health insurers). Participants perform the role of consultants in analyzing the main threats; ensuring the information security and privacy protection of Healthcare collaboration network. | + | Regional HealthCare Authority needs to monitor and alert citizens on occurrence of endemic or pandemic diseases within the region of CityVille. Healthcare Authority decides to create Healthcare Collaboration network involving data source organizations (like hospitals, physicians) and data review organizations (like government agencies, health insurers). Participants perform the role of consultants in analyzing the main threats; ensuring the information security and privacy protection of Healthcare collaboration network. |
- | The materials about this scenario are available online: scenario description | + | The participants, |
+ | The materials about this scenario are available online: {{: | ||
==== Experimental Procedure ==== | ==== Experimental Procedure ==== | ||
- | eRISE 2011 was conducted in three main phases: | + | eRISE 2011 was conducted in three main phases: |
* **Training Phase** on May 13, 2011 (at Dauphine Paris University), | * **Training Phase** on May 13, 2011 (at Dauphine Paris University), | ||
* **Application Phases** on May 14-27, 2011 (with face-to-face session on May 26-27 at Dauphine Paris University) where participants applied the methods to analyse security issues of the HCN case. | * **Application Phases** on May 14-27, 2011 (with face-to-face session on May 26-27 at Dauphine Paris University) where participants applied the methods to analyse security issues of the HCN case. | ||
- | * **Evaluation Phase**, where participants evaluated the methods through focused group interviews while method designers evaluated the final reports. The goal is to assess the correctness of the methods application and the quality of the security requirements identified by the participants. | + | * **Evaluation Phase**, where participants evaluated the methods through focused group interviews while method designers evaluated the final reports. |
+ | | ||
+ | - **Two focus group discussions** were conducted for each method, each involving six participants, | ||
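Review bot: the right-hand revision of the Evaluation Phase bullet drops the sentence "The goal is to assess the correctness of the methods application and the quality of the security requirements identified by the participants." and nothing in the visible hunk restates it; since that sentence is the only statement of what the method designers' report evaluation and the focus groups are meant to measure, consider keeping it alongside the new numbered list describing the two focus group discussions per method.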
==== Data Collection and Analysis ==== | ==== Data Collection and Analysis ==== | ||
We have collected different kinds of data: | We have collected different kinds of data: | ||
- | * **Questionnaires** include questions on subjects' | + | * **Questionnaires** include questions on subjects' |
- | * **Q1** was administered | + | * **Q1** was administered |
- | * **Q2** was distributed at the end of Training phase to collect | + | * **Q2** was administered to participants after the Training phase and aimed at collecting |
- | * **Q3** was administered at the end of remote | + | * **Q3** was administered at the end of remote |
- | * **Q4** was administered after face-to-face | + | * **Q4** was administered |
* **Audio/ | * **Audio/ | ||
* **Post-it Notes* ** list positive and negative aspects about the methods and the study itself; | * **Post-it Notes* ** list positive and negative aspects about the methods and the study itself; |