A first empirical evaluation framework for security risk assessment methods in the ATM domain