Differences

This shows you the differences between two versions of the page.

--- validation_of_risk_and_security_requirements_methodologies [2017/02/28 13:41] – [Experiments] katsiaryna.labunets@unitn.it
+++ validation_of_risk_and_security_requirements_methodologies [2021/01/29 10:58] (current) – external edit 127.0.0.1
@@ Line 45: / Line 45: @@
 Within the main stream project we covered a number of themes.
-  * **The e-RISE challenge**. eRISE is an annual challenge that aims to compare the effectiveness of academic methods for the elicitation and analysis of threats and security requirements and investigate why these methods are effective. Three editions of eRISE challenge has been held [[eRISE 2011]], [[eRISE 2012]], and [[eRISE 2013]].
+  - Empirical validation of Risk and Security Requirements Methodologies
+    * //The e-RISE challenge//. eRISE is an annual challenge that aims to compare the effectiveness of academic methods for the elicitation and analysis of threats and security requirements and investigate why these methods are effective. Four editions of eRISE challenge has been held:
-**Empirical validation of Risk and Security Requirements Methodologies**.
+      * [[eRISE 2011]] (13 students and 36 professionals),
-    -   An Experimental Comparison of Two Risk-Based Security Methods. [[seceng-course-exp-2012|Experiment Description]]
+      * [[eRISE 2012]] (15 students and 27 professionals),
-    - An Experiment on Comparing Textual vs Visual Industrial Methods for Security Risk Assessment. [[seceng-course-exp-2013|Experiment Description]]
+      * [[eRISE 2013]] (29 students and 28 professionals),
-    - Comparison of Domain-Specific and Domain-General catalogs for eliciting threats and security controls.  Description of the experiments with [[winter-schl-exp2014|novices]] and [[catalogues-rome-2014|practitioners]].
+      * eRISE 2014 (56 professionals).
-    - Risk Models Comprehension: An Empirical Comparison of Tabular vs. Graphical Representations. [[unitn-comprehensibility-exp-2015|Experiment Description]]
+    * //An Experimental Comparison of Tabular vs. Graphical Security Methods//. We have conducted several experiments on this topic in:
+      * Fall [[seceng-course-exp-2012|2012]] (28 participants),
+      * Fall [[seceng-course-exp-2013|2013]] (29 participants),
+      * Fall 2014 (35 participants),
+      * Fall 2015 (28 participants).
+  - The Role of Catalogues of Threats and Security Controls in Security Risk Assessment. On this topic we have conducted three controlled experiments in:
+      * Jan 2014 with [[winter-schl-exp2014|novices]] (18 participants),
+      * May 2014 with [[catalogues-rome-2014|practitioners]] (15 participants).
+      * Nov 2016 we conducted an additional study with novices (40 participants).
+  - Risk Models Comprehension: An Empirical Comparison of Tabular vs. Graphical Representations. We have conducted seven experiments on this topic on:
+      * [[unitn-comprehensibility-exp-2015|Oct 1st, 2014]] in University of Trento, Italy (35 participants),
+      * [[unitn-comprehensibility-exp-2015|Nov 14th, 2014]] in PUCRS University in Porto Alegre, Brazil (13 participants),
+      * [[unitn-comprehensibility-exp-2015|Nov 18th, 2014]] in PUCRS University in Porto Alegre, Brazil (27 participants),
+      * [[unitn-comprehensibility-exp-2015|Sep 16th, 2015]] in Cosenza, Italy at Poste Italiane cyber-security lab (52 participants),
+      * [[unitn-comprehensibility-exp-2015|Sep 21st, 2015]] in University of Trento, Italy (51 participants),
+      * [[sid-2015-tutorial|Dec 2nd, 2015]] in Bologna, Italy with ATM professionals (15 participants),
+      * [[online-comprehensibility-exp-2016|Jan-Feb,  2016]] an online comprehensibility experiment with IT professionals (58 participants),
+      * Sep 21st, 2016 in University of Trento, Italy (35 participants).
+  - Empirical Evaluation of CVSS Environmental Metrics.
+      * [[unitn_cvss_env_exp_2016|Nov 2016]] in University of Trento, Italy (29 participants).
@@ Line 73: / Line 92: @@
 ==== Publications ====
-   * K. Labunets, F. Massacci, F. Paci, S. Marczak, F. Moreira de Oliveira. **Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations** To appear in //Empirical Software Engineering//. Available at SSRN: [[https://ssrn.com/abstract=2906745]]
+=== Working papers ===
+  * M. de Gramatica, K. Labunets, F. Massacci, F. Paci, M. Ragosta, A. Tedeschi. **On the Effectiveness of Sourcing Knowledge from Catalogues in Security Risk Assessment**. To be submitted to journal.
+  * K. Labunets, F. Massacci, F. Paci. **An Empirical Comparison of Security Risk Assessment Methods**. To be submitted to journal.
+=== Published papers ===
+   * K. Labunets, F. Massacci, F. Paci, S. Marczak, F. Moreira de Oliveira. **Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations**. //Empirical Software Engineering// (2014). Available at SSRN: [[https://ssrn.com/abstract=2906745]]
   * K. Labunets, F. Massacci, F. Paci. **On the Equivalence Between Graphical and Tabular Representations for Security Risk Assessment**. In //Proceedings of REFSQ'17//. {{:research_activities:experiments:labunets-etal-refsq2017.pdf|Authors' Draft PDF}}.
   * K. Labunets, F. Paci, F. Massacci. **Which Security Catalogue Is Better for Novices?** In //Proc. of EmpiRE Workshop at IEEE RE'15.// {{:research_activities:experiments:2014-winter-school:labunets-etal-empire-re15-preprint.pdf|PDF (preprint)}}