A new, evidence-based, theory for knowledge reuse in security risk analysis

Cited by: 1
Authors
Labunets, Katsiaryna [1 ]
Massacci, Fabio [2 ,3 ]
Paci, Federica [4 ]
Tuma, Katja [2 ]
Affiliations
[1] Univ Utrecht, Utrecht, Netherlands
[2] Vrije Univ Amsterdam, Amsterdam, Netherlands
[3] Univ Trento, Trento, Italy
[4] Univ Verona, Verona, Italy
Keywords
Information security; Risk assessment; Empirical study; Knowledge reuse; THREAT ANALYSIS; ATTACK TREES; MANAGEMENT; COMMUNITIES; DISCOURSES; SYSTEMS; IF;
DOI
10.1007/s10664-023-10321-y
Chinese Library Classification
TP31 [Computer software];
Discipline classification code
081202 ; 0835 ;
Abstract
Security risk analysis (SRA) is a key activity in software engineering, but it requires heavy manual effort. Community knowledge in the form of security patterns or security catalogs can support the identification of threats and security controls. However, no evidence-based theory exists about the effectiveness of security catalogs when they are used for security risk analysis. We adopt a grounded theory approach to propose, revise and refine a conceptual theory of SRA knowledge reuse. The refinement of the theory is backed by evidence gathered from interviews with experts (20) and from controlled experiments with both experts (15) and novice analysts (18). We conclude the paper with insights into the use of catalogs and their managerial implications.
Pages: 33
Related papers
(50 in total)
  • [1] A new, evidence-based, theory for knowledge reuse in security risk analysis
    Katsiaryna Labunets
    Fabio Massacci
    Federica Paci
    Katja Tuma
    Empirical Software Engineering, 2023, 28
  • [2] The model of information security risk assessment based on advanced evidence theory
    Qing H.
    Qingsheng X.
    Shaobo L.
    International Journal of System Assurance Engineering and Management, 2017, 8 (Suppl 3) : 2030 - 2035
  • [3] Information security risk analysis model using fuzzy decision theory
    Henriques de Gusmao, Ana Paula
    Camara e Silva, Lucio
    Silva, Maisa Mendonca
    Poleto, Thiago
    Cabral Seixas Costa, Ana Paula
    INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT, 2016, 36 (01) : 25 - 34
  • [4] Knowledge Based Model for Holistic Information Security Risk Analysis
    Huang, Jing-Wen
    Ding, Yong-Sheng
    Hu, Zhi-Hua
    ISCSCT 2008: INTERNATIONAL SYMPOSIUM ON COMPUTER SCIENCE AND COMPUTATIONAL TECHNOLOGY, VOL 1, PROCEEDINGS, 2008, : 88 - +
  • [5] An Information Security Risk Assessment System Based on Knowledge
    Ma, Jianqiang
    2017 4TH ICMIBI INTERNATIONAL CONFERENCE ON TRAINING, EDUCATION, AND MANAGEMENT (ICMIBI-TEM 2017), 2017, 83 : 376 - 381
  • [6] Evidence-based analysis of risk factors for postoperative nausea and vomiting
    Apfel, C. C.
    Heidrich, F. M.
    Jukar-Rao, S.
    Jalota, L.
    Hornuss, C.
    Whelan, R. P.
    Zhang, K.
    Cakmakkaya, O. S.
    BRITISH JOURNAL OF ANAESTHESIA, 2012, 109 (05) : 742 - 753
  • [7] Evaluation and reliability analysis of network security risk factors based on D-S evidence theory
    Yu, Jingjie
    Hu, Min
    Wang, Peng
    JOURNAL OF INTELLIGENT & FUZZY SYSTEMS, 2018, 34 (02) : 861 - 869
  • [8] ANALYSIS OF CORE DOCUMENTS IN INFORMATION SECURITY BASED ON MAPPING KNOWLEDGE DOMAINS
    Shen, Hong-zhou
    Yuan, Qin-jian
    Zong, Qian-jin
    Tong, Ling-yu
    ICEIS 2011: PROCEEDINGS OF THE 13TH INTERNATIONAL CONFERENCE ON ENTERPRISE INFORMATION SYSTEMS, VOL 3, 2011, : 421 - 427
  • [9] Method of Information Security Risk Assessment Based on Improved Fuzzy Theory of Evidence
    Huang Xuepeng
    Xu Wei
    INTERNATIONAL JOURNAL OF ONLINE ENGINEERING, 2018, 14 (03) : 188 - 196
  • [10] Toward a theory of collaboration for evidence-based management
    HakemZadeh, Farimah
    Baba, Vishwanath V.
    MANAGEMENT DECISION, 2016, 54 (10) : 2587 - 2616