The Role of Catalogues of Threats and Security Controls in Security Risk Assessment: An Empirical Study with ATM Professionals
نویسندگان
چکیده
[Context and motivation] To remedy the lack of security expertise, industrial security risk assessment methods come with catalogues of threats and security controls. [Question/problem] We investigate in both qualitative and quantitative terms whether the use of catalogues of threats and security controls has an effect on the actual and perceived effectiveness of a security risk assessment method. In particular, we assessed the effect of using domain-specific versus domain-general catalogues on the actual and perceived efficacy of a security risk assessment method conducted by non-experts and compare it with the effect of running the same method by security experts but without catalogues. [Principal ideas/results] The quantitative analysis shows that nonsecurity experts who applied the method with catalogues identified threats and controls of the same quality of security experts without catalogues. The perceived ease of use was higher when participants used method without catalogues albeit only at 10% significance level. The qualitative analysis indicates that security experts have different expectations from a catalogue than non-experts. Non-experts are mostly worried about the difficulty of navigating through the catalogue (the larger and less specific the worse it was) while expert users found it mostly useful to get a common terminology and a checklist that nothing was
منابع مشابه
A First Empirical Evaluation Framework for Security Risk Assessment Methods in the ATM Domain
Evaluation and validation methodologies are integral parts of Air Traffic Management (ATM). They are well understood for safety, environmental and other business cases for which operational validation guidelines exist which are well defined and widely used. In contrast, there are no accepted methods to evaluate and compare the effectiveness of risk assessment practices for security. The EMFASE ...
متن کاملA risk model for cloud processes
Traditionally, risk assessment consists of evaluating the probability of "feared events", corresponding to known threats and attacks, as well as these events' severity, corresponding to their impact on one or more stakeholders. Assessing risks of cloud-based processes is particularly difficult due to lack of historical data on attacks, which has prevented frequency-based identification...
متن کاملIdentifying Information Security Risk Components in Military Hospitals in Iran
Background and Aim: Information systems are always at risk of information theft, information change, and interruptions in service delivery. Therefore, the present study was conducted to develop a model for identifying information security risk in military hospitals in Iran. Methods: This study was a qualitative content analysis conducted in military hospitals in Iran in 2019. The sample consist...
متن کاملراههای تامین امنیت غذایی و جایگاه آن در پدافند غیر عامل
Background: This paper aims to examine the association between food security and passive defense and the position of food security in this context. Given the role of healthy manpower in the development of a country and the importance of healthy food and nutrition in human health as the core center of development and the main confronting factor with foreign threats, in this paper, we first discu...
متن کاملCritical Success Factors in implementing information security governance (Case study: Iranian Central Oil Fields Company)
The oil industry, as one of the main industries of the country, has always faced cyber attacks and security threats. Therefore, the integration of information security in corporate governance is essential and a governance challenge. The integration of information security and corporate governance is called information security governance. In this research, we identified "critical success factor...
متن کامل