Differences

This shows you the differences between two versions of the page.

--- validation_of_risk_and_security_requirements_methodologies [2017/02/28 13:50] – [Experiments] katsiaryna.labunets@unitn.it
+++ validation_of_risk_and_security_requirements_methodologies [2017/04/22 23:18] – [Experiments] katsiaryna.labunets@unitn.it
@@ Line 46: / Line 46: @@
   - Empirical validation of Risk and Security Requirements Methodologies
-    * **The e-RISE challenge**. eRISE is an annual challenge that aims to compare the effectiveness of academic methods for the elicitation and analysis of threats and security requirements and investigate why these methods are effective. Three editions of eRISE challenge has been held [[eRISE 2011]], [[eRISE 2012]], and [[eRISE 2013]].
+    * //The e-RISE challenge//. eRISE is an annual challenge that aims to compare the effectiveness of academic methods for the elicitation and analysis of threats and security requirements and investigate why these methods are effective. Four editions of eRISE challenge has been held:
-    * An Experimental Comparison of Two Risk-Based Security Methods. We have conducted several experiments with students: [[seceng-course-exp-2012|Experiment 1]] and [[seceng-course-exp-2013|Experiment 2]].
+      * [[eRISE 2011]] (13 students and 36 professionals),
-  - The Role of Catalogues of Threats and Security Controls in Security Risk Assessment.  Description of the experiments with [[winter-schl-exp2014|novices]] and [[catalogues-rome-2014|practitioners]].
+      * [[eRISE 2012]] (15 students and 27 professionals),
-  - Risk Models Comprehension: An Empirical Comparison of Tabular vs. Graphical Representations. [[unitn-comprehensibility-exp-2015|Experiment Description]]
+      * [[eRISE 2013]] (29 students and 28 professionals),
+      * eRISE 2014 (56 professionals).
+    * //An Experimental Comparison of Tabular vs. Graphical Security Methods//. We have conducted several experiments on this topic in:
+      * Fall [[seceng-course-exp-2012|2012]] (28 participants),
+      * Fall [[seceng-course-exp-2013|2013]] (29 participants),
+      * Fall 2014 (35 participants),
+      * Fall 2015 (28 participants).
+  - The Role of Catalogues of Threats and Security Controls in Security Risk Assessment. On this topic we have conducted three controlled experiments in:
+      * Jan 2014 with [[winter-schl-exp2014|novices]] (18 participants),
+      * May 2014 with [[catalogues-rome-2014|practitioners]] (15 participants).
+      * Nov 2016 we conducted an additional study with novices (40 participants).
+  - Risk Models Comprehension: An Empirical Comparison of Tabular vs. Graphical Representations. We have conducted seven experiments on this topic on:
+      * [[unitn-comprehensibility-exp-2015|Oct 1st, 2014]] in University of Trento, Italy (35 participants),
+      * [[unitn-comprehensibility-exp-2015|Nov 14th, 2014]] in PUCRS University in Porto Alegre, Brazil (13 participants),
+      * [[unitn-comprehensibility-exp-2015|Nov 18th, 2014]] in PUCRS University in Porto Alegre, Brazil (27 participants),
+      * [[unitn-comprehensibility-exp-2015|Sep 16th, 2015]] in Cosenza, Italy at Poste Italiane cyber-security lab (52 participants),
+      * [[unitn-comprehensibility-exp-2015|Sep 21st, 2015]] in University of Trento, Italy (51 participants),
+      * [[sid-2015-tutorial|Dec 2nd, 2015]] in Bologna, Italy with ATM professionals (15 participants),
+      * [[online-comprehensibility-exp-2016|Jan-Feb,  2016]] an online comprehensibility experiment with IT professionals (58 participants),
+      * Sep 21st, 2016 in University of Trento, Italy (35 participants).
+  - Empirical Evaluation of CVSS Environmental Metrics.
+      * [[nov_2016|Nov 2016]] in University of Trento, Italy (29 participants).
@@ Line 71: / Line 92: @@
 ==== Publications ====
-   * K. Labunets, F. Massacci, F. Paci, S. Marczak, F. Moreira de Oliveira. **Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations** To appear in //Empirical Software Engineering//. Available at SSRN: [[https://ssrn.com/abstract=2906745]]
+=== Working papers ===
+  * M. de Gramatica, K. Labunets, F. Massacci, F. Paci, M. Ragosta, A. Tedeschi. **On the Effectiveness of Sourcing Knowledge from Catalogues in Security Risk Assessment**. To be submitted to journal.
+  * K. Labunets, F. Massacci, F. Paci. **An Empirical Comparison of Security Risk Assessment Methods**. To be submitted to journal.
+=== Published papers ===
+   * K. Labunets, F. Massacci, F. Paci, S. Marczak, F. Moreira de Oliveira. **Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations**. //Empirical Software Engineering// (2014). Available at SSRN: [[https://ssrn.com/abstract=2906745]]
   * K. Labunets, F. Massacci, F. Paci. **On the Equivalence Between Graphical and Tabular Representations for Security Risk Assessment**. In //Proceedings of REFSQ'17//. {{:research_activities:experiments:labunets-etal-refsq2017.pdf|Authors' Draft PDF}}.
   * K. Labunets, F. Paci, F. Massacci. **Which Security Catalogue Is Better for Novices?** In //Proc. of EmpiRE Workshop at IEEE RE'15.// {{:research_activities:experiments:2014-winter-school:labunets-etal-empire-re15-preprint.pdf|PDF (preprint)}}