A new, evidence-based, theory for knowledge reuse in security risk analysis

被引：1

作者：

Labunets, Katsiaryna ^{[1
]}

Massacci, Fabio ^{[2
,3
]}

Paci, Federica ^{[4
]}

Tuma, Katja ^{[2
]}

机构：

[1] Univ Utrecht, Utrecht, Netherlands

[2] Vrije Univ Amsterdam, Amsterdam, Netherlands

[3] Univ Trento, Trento, Italy

[4] Univ Verona, Verona, Italy

来源：

EMPIRICAL SOFTWARE ENGINEERING | 2023年 / 28卷 / 04期

关键词：

Information security; Risk assessment; Empirical study; Knowledge reuse; THREAT ANALYSIS; ATTACK TREES; MANAGEMENT; COMMUNITIES; DISCOURSES; SYSTEMS; IF;

D O I：

10.1007/s10664-023-10321-y

中图分类号：

TP31 [计算机软件];

学科分类号：

081202 ; 0835 ;

摘要：

Security risk analysis (SRA) is a key activity in software engineering but requires heavy manual effort. Community knowledge in the form of security patterns or security catalogs can be used to support the identification of threats and security controls. However, no evidence-based theory exists about the effectiveness of security catalogs when used for security risk analysis. We adopt a grounded theory approach to propose a conceptual, revised and refined theory of SRA knowledge reuse. The theory refinement is backed by evidence gathered from conducting interviews with experts (20) and controlled experiments with both experts (15) and novice analysts (18). We conclude the paper by providing insights into the use of catalogs and managerial implications.

引用

页数：33

共 50 条

[31] New knowledge discussion groups: Counteracting the common barriers to evidence-based practice
Moch, Susan D.
Cronie, Ruth J.
WORLDVIEWS ON EVIDENCE-BASED NURSING, 2007, 4 (02) : 112 - 115
[32] Evidence-Based Security in Aerospace From Safety to Security and Back Again
Paulitsch, Michael
Reiger, Rupert
Strigini, Lorenzo
Bloomfield, Robin
23RD IEEE INTERNATIONAL SYMPOSIUM ON SOFTWARE RELIABILITY ENGINEERING WORKSHOPS (ISSRE 2012), 2012, : 21 - +
[33] Jordanian nurses' knowledge of Evidence-Based Practice
Saleh, Ahmad Mahmoud
RAWAL MEDICAL JOURNAL, 2023, 48 (01): : 224 - 227
[34] Evidence-based medicine and the reconfiguration of medical knowledge
Timmermans, Stefan
Kolker, Emily S.
JOURNAL OF HEALTH AND SOCIAL BEHAVIOR, 2004, 45 : 177 - 193
[35] Evidence-based policy: where is our theory of evidence?
Cartwright, Nancy
Goldfinch, Andrew
Howick, Jeremy
JOURNAL OF CHILDRENS SERVICES, 2009, 4 (04) : 6 - 14
[36] Translating evidence-based knowledge objects into practice
Scheuer, John Damm
FRONTIERS IN HEALTH SERVICES, 2023, 3
[37] Knowledge Translation, Evidence-Based Practice, and You
Salbach, Nancy M.
PHYSIOTHERAPY CANADA, 2010, 62 (04) : 293 - 294
[38] The evidence-based paradox and the question of the Tree of Knowledge
Saad, Amit
JOURNAL OF EVALUATION IN CLINICAL PRACTICE, 2008, 14 (05) : 650 - 652
[39] Evidence-based knowledge in the context of social practice
Mullen, Edward J.
SCANDINAVIAN JOURNAL OF PUBLIC HEALTH, 2014, 42 : 59 - 73
[40] Implementation of evidence-based knowledge in general practice
Le, Jette Videbaek
DANISH MEDICAL JOURNAL, 2017, 64 (12):

← 1 2 3 4 5 →