An Empirical Study on the Comprehensibility of Graphical Security Risk Models Based on Sequence Diagrams

Author(s):  
Vetle Volden-Freberg ◽  
Gencer Erdogan

Author(s):  
Gencer Erdogan ◽  
Phu H. Nguyen ◽  
Fredrik Seehusen ◽  
Ketil Stølen ◽  
Jon Hofstad ◽  
...  

Risk-driven testing and test-driven risk assessment are two strongly related approaches, though the latter is less explored. This chapter presents an evaluation of a test-driven security risk assessment approach to assess how useful testing is for validating and correcting security risk models. Following the guidelines for case study research, two industrial case studies were analyzed: a multilingual financial web application and a mobile financial application. In both case studies, the testing yielded new information that had not been found in the risk assessment phase. In the first case study, new vulnerabilities were found that resulted in an update of the likelihood values of threat scenarios and risks in the risk model. New vulnerabilities were also identified and added to the risk model in the second case study. These updates led to more accurate risk models, which indicates that the testing was indeed useful for validating and correcting the risk models.


2016 ◽  
pp. 1016-1037
Author(s):  
Gencer Erdogan ◽  
Fredrik Seehusen ◽  
Ketil Stølen ◽  
Jon Hofstad ◽  
Jan Øyvind Aagedal

The authors present the results of an evaluation whose objective was to assess how useful testing is for validating and correcting security risk models. The evaluation is based on two industrial case studies. In the first case study the authors analyzed a multilingual financial Web application, while in the second they analyzed a mobile financial application. In both case studies, the testing yielded new information that had not been found in the risk assessment phase. In particular, in the first case study, new vulnerabilities were found that resulted in an update of the likelihood values of threat scenarios and risks in the risk model. New vulnerabilities were also identified and added to the risk model in the second case study. These updates led to more accurate risk models, which indicates that the testing was indeed useful for validating and correcting the risk models.


2015 ◽  
Vol 6 (2) ◽  
pp. 90-112
Author(s):  
Gencer Erdogan ◽  
Fredrik Seehusen ◽  
Ketil Stølen ◽  
Jon Hofstad ◽  
Jan Øyvind Aagedal

The authors present the results of an evaluation whose objective was to assess how useful testing is for validating and correcting security risk models. The evaluation is based on two industrial case studies. In the first case study the authors analyzed a multilingual financial Web application, while in the second they analyzed a mobile financial application. In both case studies, the testing yielded new information that had not been found in the risk assessment phase. In particular, in the first case study, new vulnerabilities were found that resulted in an update of the likelihood values of threat scenarios and risks in the risk model. New vulnerabilities were also identified and added to the risk model in the second case study. These updates led to more accurate risk models, which indicates that the testing was indeed useful for validating and correcting the risk models.
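The correction step described in the abstracts above (likelihood values of threat scenarios revised after testing, newly found vulnerabilities added to the model) can be made mechanical, which is what the following Python block illustrates. It is an added example, not code from any of the listed papers or their authors; the ordinal scales, the risk-level thresholds, the one-step update rule, and the sample model and test findings are all assumptions constructed for this illustration.

```python
"""Toy security risk model that is corrected by penetration-test findings.

Added illustration only: scales, thresholds, update rule and sample data are
assumptions for the example, not taken from the case studies on this page.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Ordinal scales (assumed labels).
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]


@dataclass
class ThreatScenario:
    sid: str
    description: str
    likelihood: int                                            # index into LIKELIHOOD
    vulnerabilities: List[str] = field(default_factory=list)   # vulnerability ids it exploits


@dataclass
class Risk:
    rid: str
    scenario: str      # sid of the ThreatScenario that leads to this risk
    consequence: int   # index into CONSEQUENCE


@dataclass
class RiskModel:
    scenarios: Dict[str, ThreatScenario]
    risks: Dict[str, Risk]
    vulnerabilities: Dict[str, str]   # id -> description, as assumed during assessment


@dataclass
class TestFinding:
    vuln_id: str
    status: str           # "confirmed", "not_found" or "new"
    affects: List[str]    # sids of the threat scenarios the finding bears on
    description: str = ""


def risk_level(model: RiskModel, rid: str) -> str:
    """Qualitative risk level from likelihood + consequence (assumed thresholds)."""
    r = model.risks[rid]
    score = model.scenarios[r.scenario].likelihood + r.consequence
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


def apply_findings(model: RiskModel, findings: List[TestFinding]) -> List[str]:
    """Correct the model in place with test results; returns a change log.

    Update rule (an assumption of this example): a newly discovered vulnerability
    is added to the model and raises the likelihood of each scenario it enables by
    one step; an assumed vulnerability the tests could not reproduce lowers it by
    one step; a confirmed assumption leaves the likelihood unchanged.
    """
    steps = {"new": 1, "not_found": -1, "confirmed": 0}
    changes: List[str] = []
    for f in findings:
        if f.status not in steps:
            raise ValueError(f"unknown finding status {f.status!r}")
        if f.status == "new":
            model.vulnerabilities[f.vuln_id] = f.description
            changes.append(f"added vulnerability {f.vuln_id}: {f.description}")
        for sid in f.affects:
            s = model.scenarios[sid]
            if f.status == "new" and f.vuln_id not in s.vulnerabilities:
                s.vulnerabilities.append(f.vuln_id)
            new = min(max(s.likelihood + steps[f.status], 0), len(LIKELIHOOD) - 1)
            if new != s.likelihood:
                changes.append(f"{sid}: likelihood {LIKELIHOOD[s.likelihood]} -> {LIKELIHOOD[new]}")
                s.likelihood = new
    return changes


def build_sample_model() -> RiskModel:
    """Constructed sample: a fragment of a risk model for a financial web application."""
    return RiskModel(
        scenarios={
            "T1": ThreatScenario("T1", "Attacker hijacks an authenticated session", 2, ["V1"]),
            "T2": ThreatScenario("T2", "Attacker alters a transfer amount in transit", 1),
        },
        risks={
            "R1": Risk("R1", "T1", 3),   # unauthorised transaction, consequence "major"
            "R2": Risk("R2", "T2", 3),   # modified transfer, consequence "major"
        },
        vulnerabilities={"V1": "Session token not bound to the client (assumed)"},
    )


def sample_findings() -> List[TestFinding]:
    """Constructed test results for the sample model; not findings from the papers above."""
    return [
        TestFinding("V1", "not_found", ["T1"]),
        TestFinding("V2", "new", ["T2"], "Transfer request lacks an integrity check"),
    ]


if __name__ == "__main__":
    model = build_sample_model()
    before = {rid: risk_level(model, rid) for rid in model.risks}
    for line in apply_findings(model, sample_findings()):
        print(line)
    for rid in model.risks:
        print(f"{rid}: {before[rid]} -> {risk_level(model, rid)}")
```

Running the block prints the change log and each risk's level before and after the findings are applied: R1 drops from high to medium because the assumed session-binding weakness could not be reproduced, and R2 rises from medium to high because the test uncovered a vulnerability the assessment had missed. The downward step for a "not_found" result is deliberately a single step: a negative test result is weak evidence (the test may simply have missed the issue), whereas a confirmed new vulnerability is direct evidence, so a practitioner should be far more willing to raise a likelihood on test evidence than to lower one.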


2020 ◽  
Vol 2020 ◽  
pp. 1-15
Author(s):  
Jining Wang ◽  
Chong Guo ◽  
Tingqiang Chen

Frequent outbreaks of drug safety incidents pose a massive threat to public health and safety, while the transparency of security risk information in medical enterprises remains unsatisfactory. This study therefore uses the analytic network process together with the Dempster-Shafer method to construct a comprehensive evaluation model for the transparency of security risk information in listed pharmaceutical enterprises, from the perspectives of both government supervision and the listed enterprises themselves. On the basis of 59,305 data points obtained from 303 enterprises listed in the Chinese biomedical sector, the research conducts an empirical study of the transparency of safety risk information in Chinese listed pharmaceutical enterprises. The study finds that the transparency of security risk information in these enterprises generally lies between "general" and "relatively good" and tends towards "relatively good." However, administrative punishment information, adverse drug reaction reporting systems, and production processes need continuous improvement.

