A new, evidence-based, theory for knowledge reuse in security risk analysis / Labunets, Katsiaryna; Massacci, Fabio; Paci, Federica; Tuma, Katja. - In: EMPIRICAL SOFTWARE ENGINEERING. - ISSN 1573-7616. - 28:90(2023), p. 4. [10.1007/s10664-023-10321-y]

A new, evidence-based, theory for knowledge reuse in security risk analysis

Katsiaryna Labunets; Fabio Massacci; Federica Paci
2023-01-01

Abstract

Security risk analysis (SRA) is a key activity in software engineering but requires heavy manual effort. Community knowledge in the form of security patterns or security catalogs can be used to support the identification of threats and security controls. However, no evidence-based theory exists about the effectiveness of security catalogs when used for security risk analysis. We adopt a grounded theory approach to propose a conceptual, revised and refined theory of SRA knowledge reuse. The theory refinement is backed by evidence gathered from conducting interviews with experts (20) and controlled experiments with both experts (15) and novice analysts (18). We conclude the paper by providing insights into the use of catalogs and managerial implications.
2023
90
Sector ING-INF/05 - Information Processing Systems
Sector INF/01 - Computer Science
Sector INFO-01/A - Computer Science
Sector IINF-05/A - Information Processing Systems
Labunets, Katsiaryna; Massacci, Fabio; Paci, Federica; Tuma, Katja
Files in this product:
File | Size | Format
labunets-tuma-s10664-023-10321-y.pdf

Open access

Description: Final version
Type: Publisher's version (publisher's layout)
License: Creative Commons
Size: 1.7 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11572/445498
Citations
  • PMC: ND
  • Scopus: 3
  • ISI: 2
  • OpenAlex: 3