Empirical Validation of Risk and Security Methodologies

Among the research topics of the Security Group we try to understand whether security and risk assessment methodologies can actually work in practice.

There are many risk assessment methodologies and many security requirements methods both from industry (CoBIT, ISO2700x, ISECOM's OSST), and academia (CORAS, SecureTropos, SI*, SREP etc.).

To answer this question we need to ask first what does it mean in practice? The usual interpretation of researchers is the researchers tackle a real world problem.

But this is just the first mile of a long road. We can explain it with an anecdote: V.M., a former air traffic controller with 30+ years of experience of evaluation of controller software, was evaluating our tool for safety patterns (See Security Requirements Engineering). He told us our software generated a Windows error message (the kind of `error at exAB91A'). It was not an error, it was a window showing that a logical formula would not hold on his proposed safety pattern!

A methodology works in practice if

1. it can be used effectively and
2. efficiently
3. by somebody else beside the methodology's own inventors
4. on a real world problem.

Everybody can of course use any techniques on any problem with sufficient time and patience… but slicing beef with a stone knife is not going to be quick and the results is surely not a fine carpaccio.

In this research stream of empirical analysis we n experiments that evaluate how “normal” people (auditors, domain experts, even students etc.) uses researchers' and consultants' tools and methods to understand what's really the problem in practice.

Since our research questions are exploratory in nature, we applied a mix-method experimental methodology combining both qualitative and quantitative data collection and analysis techniques. We evaluate methods' effectiveness based on the reports delivered by the participants, while we investigate the whys methods are effective by means of questionnaires, focus group interviews and post-it notes.

One of our goals is to investigate whether the methods under evaluation could be used effectively by users who have no prior knowledge of the methods. Therefore we have designed a protocol to conduct comparative empirical studies in this setting. The protocol consists of three main phases:

• Training. First, participants are administered a questionnaire to collect information about their level of expertise in requirement engineering, security and on other methods they may know. Then, they are divided in groups where each group is composed of one master students and two professionals. The groups are assigned to a security requirements or a risk analysis method and to an industrial case to be analyzed using the method. The participants have to attend lectures about the method and on the industrial application scenario. At the end of the Training phase, the participants are administered a questionnaire to determine their level of understanding of the methods and of the industrial applications scenario.

• Application. Participants work in groups and apply the method to analyze the application scenario.Group collaboration takes place both face-to-face and remotely by using multiple communication channels (e.g. mail, chat, video conferencing facilities). At the end of this phase, participants are involved in focus groups interviews, and they are requested to fill in post-it notes and a questionnaire about their impressions on the method. To document the application of the methods, the groups are audio-video recorded. In addition, groups have to deliver a final report.

• Evaluation. On one side, participants assess the methods' effectiveness: they are involved in focus groups interviews, and they are requested to fill in post-it notes and a questionnaire about their impressions on the method. On the other side, method designers assess if the participants have a followed the method while customers, instead, evaluate if the groups have identified a set of security requirements or countermeasures that are specific for the application scenario, and if they are able to justify their results based on the method's application.

Our Experimental Protocol involves five types of actors:

1. Method Designer is the researcher who has proposed one of the method under evaluation. His main responsibility is to train participants in the method and to answer participants' questions during the Application phase. S/he also contributes to the assessment of the methods'effectiveness by analyzing groups' reports.
2. Customer is an industrial partner who introduces the industrial application scenario to the participants. S/he also has to be available during the Application phase to answers all possible questions that participants may raise during analysis.
3. Observer plays an important role during the Application phase because they supplement audio-video recording with information about the behavior of participants e.g (if the Participants work in group vs work alone) and the difficulties that they face during the application of the method. The observer also interviews the groups and leads the post-it notes sessions.
4. Researcher takes care of the organization, sets the research questions, selects the participants, invites the method designers and the customers, and analyzes the data collected during the study.
5. Participant is the most important role. Participants work in group and apply a method provided by one of the method designers to analyze the risk and security issues of the scenario provided by the customer.

Within the main stream project we covered a number of themes.

1. Empirical validation of Risk and Security Requirements Methodologies
   • The e-RISE challenge. eRISE is an annual challenge that aims to compare the effectiveness of academic methods for the elicitation and analysis of threats and security requirements and investigate why these methods are effective. Four editions of eRISE challenge has been held:
     • eRISE 2011 (13 students and 36 professionals),
     • eRISE 2012 (15 students and 27 professionals),
     • eRISE 2013 (29 students and 28 professionals),
     • eRISE 2014 (56 professionals).
   • An Experimental Comparison of Tabular vs. Graphical Security Methods. We have conducted several experiments on this topic in:
     • Fall 2012 (28 participants),
     • Fall 2013 (29 participants),
     • Fall 2014 (35 participants),
     • Fall 2015 (28 participants).
2. The Role of Catalogues of Threats and Security Controls in Security Risk Assessment. On this topic we have conducted three controlled experiments in:
   • Jan 2014 with novices (18 participants),
   • May 2014 with practitioners (15 participants).
   • Nov 2016 we conducted an additional study with novices (40 participants).
3. Risk Models Comprehension: An Empirical Comparison of Tabular vs. Graphical Representations. We have conducted seven experiments on this topic on:
   • Oct 1st, 2014 in University of Trento, Italy (35 participants),
   • Nov 14th, 2014 in PUCRS University in Porto Alegre, Brazil (13 participants),
   • Nov 18th, 2014 in PUCRS University in Porto Alegre, Brazil (27 participants),
   • Sep 16th, 2015 in Cosenza, Italy at Poste Italiane cyber-security lab (52 participants),
   • Sep 21st, 2015 in University of Trento, Italy (51 participants),
   • Dec 2nd, 2015 in Bologna, Italy with ATM professionals (15 participants),
   • Jan-Feb, 2016 an online comprehensibility experiment with IT professionals (58 participants),
   • Sep 21st, 2016 in University of Trento, Italy (35 participants).
4. Empirical Evaluation of CVSS Environmental Metrics.
   • Nov 2016 in University of Trento, Italy (29 participants).

The following is a list a people that has been involved in the project at some point in time.

• Katsiaryna Labunets (Post Doc at Univ of Trento)
• Fabio Massacci (Prof. at Univ. of Trento)
• Federica Paci (Now Lecturer at Univ. Of southampton)
• Le Minh Sang Tran (Now Quant Researcher at WorldQuant LCC)
• Yudis Asnar (Now Lecturer at ID Bandung)

This activity was supported by a number of projects

• EMFASE
• NESSOS
• SECURECHANGE

• M. de Gramatica, K. Labunets, F. Massacci, F. Paci, M. Ragosta, A. Tedeschi. On the Effectiveness of Sourcing Knowledge from Catalogues in Security Risk Assessment. To be submitted to journal.
• K. Labunets, F. Massacci, F. Paci. An Empirical Comparison of Security Risk Assessment Methods. To be submitted to journal.

• K. Labunets, F. Massacci, F. Paci, S. Marczak, F. Moreira de Oliveira. Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations. Empirical Software Engineering (2014). Available at SSRN: https://ssrn.com/abstract=2906745
• K. Labunets, F. Massacci, F. Paci. On the Equivalence Between Graphical and Tabular Representations for Security Risk Assessment. In Proceedings of REFSQ'17. Authors' Draft PDF.
• K. Labunets, F. Paci, F. Massacci. Which Security Catalogue Is Better for Novices? In Proc. of EmpiRE Workshop at IEEE RE'15. PDF (preprint)
• M. de Gramatica, K. Labunets, F. Massacci, F. Paci, and A. Tedeschi. The Role of Catalogues of Threats and Security Controls in Security Risk Assessment: An Empirical Study with ATM Professionals. In Proc. of REFSQ'15. PDF
• M. Giacalone, R. Mammoliti, F. Massacci, F. Paci, R. Perugino, and C. Selli. Security Triage: A Report of a Lean Security Requirements Methodology for Cost-Effective Security Analysis. A short summary appears In Proc. of EmpiRE Workshop at IEEE RE'14. 3 pages PDF. A longer Industry report appears in Proc. of ESEM'2014. PDF (preprint)
• K. Labunets, F. Paci, F. Massacci, and R. Ruprai. An Experiment on Comparing Textual vs. Visual Industrial Methods for Security Risk Assessment. In Proc. of EmpiRE Workshop at IEEE RE'14 PDF
• Labunets, K., Massacci, F., Paci, F., and Tran, L.M.S. An experimental comparison of two risk-based security methods. In Proceedings of the 7th International Symposium on Empirical Software Engineering and Measurement (ESEM), 163–172, 2013. PDF
• Fabio Massacci, Federica Paci, Le Minh Sang Tran, Alessandra Tedeschi: Assessing a requirements evolution approach: Empirical studies in the air traffic management domain. Journal of Systems and Software 95: 70-88 (2014). PDF at publisher
• Riccardo Scandariato, Federica Paci, Le Minh Sang Tran, Katsiaryna Labunets, Koen Yskout, Fabio Massacci, Wouter Joosen: Empirical Assessment of Security Requirements and Architecture: Lessons Learned. In Engineering Secure Future Internet Services and Systems 2014: 35-64
• Massacci F., and Paci F. How to Select a Security Requirements Method? A comparative study with students and practitioners. In Proceedings of the 17th Nordic Conference in Secure IT Systems (NordSec), 2012.PDF
• Massacci F., Nagaraj D., Paci F., Tran L.M.S, Tedeschi, A. Assessing a Requirements Evolution Approach: Empirical Studies in the Air Traffic Management Domain. In Proceedings of International Workshop on Empirical Requirements Engineering (EmpiRE), 49–56, 2012.PDF

• Federica Paci. An experimental comparison of two risk-based security methods. International Symposium on Empirical Software Engineering and Measurement (ESEM), Baltimore, Maryland, USA, October 11, 2013. PDF
• Fabio Massacci. How do you know that a security methodology work? An empirical approach to evaluate security design methods. ISTD, Singapore University of Technology and Design, September 13, 2012.PDF
• Federica Paci. How do you know that a security requirements method actually work? ITT Trust and Security Seminar (TSS), University of Illinois, Urbana-Champaign, IL, USA, September 26, 2012.PDF

We collected a huge pile of data to have evidence of methods’ effectiveness: questionnaires, final reports, hours of focus group interviews’ audio recordings, hundreds of post it notes, and more than 300 hours of videos of the training and application phases. If you would like to have access to the raw data you are welcomed to do so but we would need to discuss access.