Security Risk Assessment Methods: An Evaluation Framework and Theoretical Model of the Criteria Behind Methods’ Success

Labunets, Katsiaryna (2016) Security Risk Assessment Methods: An Evaluation Framework and Theoretical Model of the Criteria Behind Methods’ Success. PhD thesis, University of Trento.

[img]
Preview
PDF - Doctoral Thesis
3096Kb

Abstract

Over the past decades a significant number of methods to identify and mitigate security risks have been proposed, but there are few empirical evaluations that show whether these methods are actually effective. So how can practitioners decide which method is the best for security risk assessment of their projects? To this end, we propose an evaluation framework to compare security risk assessment methods that evaluates the quality of results of methods application with help of external industrial experts and can identify aspects having an effect on the successful application of these methods. The results of the framework application helped us to build the model of key aspects that impact the success of a security risk assessment. Among these aspects are i) the use of catalogues of threats and security controls which can impact methods' actual effectiveness and perceived usefulness and ii) the use of visual representation of risk models that can positively impact methods' perceived ease of use, but negatively affect methods' perceived usefulness if the visual representation is not comprehensible due to scalability issues. To further investigate these findings, we conducted additional empirical investigations: i) how different features of the catalogues of threats and security controls contribute into an effective risk assessment process for novices and experts in either domain or security knowledge, and ii) how comprehensible are different representation approaches for risk models (e.g. tabular and graphical).

Item Type:Doctoral Thesis (PhD)
Doctoral School:Information and Communication Technology
PhD Cycle:27
Subjects:Area 01 - Scienze matematiche e informatiche > INF/01 INFORMATICA
Uncontrolled Keywords:security risk assessment; empirical comparison; controlled experiments; security catalogues; risk model comprehensibility
Repository Staff approval on:31 Mar 2017 10:17

Repository Staff Only: item control page