To main content

Assessing the Usefulness of Testing for Validating and Correcting Security Risk Models Based on Two Industrial Case Studies

Abstract

The authors present the results of an evaluation in which the objective was to assess how useful testing is for validating and correcting security risk models. The evaluation is based on two industrial case studies. In the first case study the authors analyzed a multilingual financial Web application, while in the second case study they analyzed a mobile financial application. In both case studies, the testing yielded new information which was not found in the risk assessment phase. In particular, in the first case study, new vulnerabilities were found which resulted in an update of the likelihood values of threat scenarios and risks in the risk model. New vulnerabilities were also identified and added to the risk model in the second case study. These updates led to more accurate risk models, which indicate that the testing was indeed useful for validating and correcting the risk models.

Category

Academic chapter/article/Conference paper

Language

English

Author(s)

  • Gencer Erdogan
  • Fredrik Seehusen
  • Ketil Stølen
  • Jon Hofstad
  • Jan Øyvind Aagedal

Affiliation

  • SINTEF Digital / Sustainable Communication Technologies
  • Diverse norske bedrifter og organisasjoner

Year

2015

Publisher

IGI Global

Book

Business Intelligence: Concepts, Methodologies, Tools, and Applications

ISBN

9781466695627

View this publication at Cristin