Software security risk analysis is an important part of improving software quality. In previous research we proposed countermeasure graphs (CGs), a risk analysis approach that combines ideas from several existing risk analysis methods and is designed for reuse and easy evolution so that it can support agile software development. CGs had not yet been evaluated in industrial practice in an agile software development setting. In this research we evaluate the ability of CGs to support practitioners in identifying the most critical threats and countermeasures. The research method is participatory action research: CGs were applied in a series of risk analyses on four different telecom products. With the Peltier method (used at the company before CGs were introduced), practitioners had identified attacks with low to medium risk levels. With CGs they identified more serious risks (in the first iteration, 1 serious threat, 5 high-risk threats, and 11 medium-risk threats). The need for tool support was identified very early; the tool allowed practitioners to play through scenarios of which countermeasures to implement and supported reuse across analyses. The results indicate that CGs support practitioners in identifying high-risk security threats, work well in an agile software development context, and are cost-effective.
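As an added illustration (not code from the paper, whose CG scoring mechanics are not described here), the following Python models a hypothetical countermeasure graph: attacker goals, threat agents, attacks and countermeasures are nodes; each attack's risk is the product of assumed 1..5 weights on its goal, agent and severity; an applied countermeasure scales that risk down by an assumed mitigation fraction. The greedy `best_next` step and the exhaustive `best_scenario` search show the kind of "play through which countermeasures to implement" that the abstract says tool support enabled. Every node name, weight, mitigation fraction, cost and risk-level threshold is a constructed assumption, not data from the study.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Attack:
    name: str
    goal: str      # attacker goal the attack serves (assumed node type)
    agent: str     # threat agent that mounts it
    severity: int  # 1..5, assumed scale


@dataclass(frozen=True)
class Countermeasure:
    name: str
    mitigates: dict  # attack name -> fraction of that attack's risk removed (0..1), assumed
    cost: int        # relative implementation cost, assumed scale


class CountermeasureGraph:
    def __init__(self, goals, agents, attacks, countermeasures):
        self.goals = goals      # goal -> priority weight 1..5
        self.agents = agents    # agent -> capability weight 1..5
        self.attacks = attacks
        self.countermeasures = {cm.name: cm for cm in countermeasures}

    def attack_risk(self, attack, applied=frozenset()):
        # base risk is the product of the three weights; each applied countermeasure scales it down
        base = self.goals[attack.goal] * self.agents[attack.agent] * attack.severity
        residual = 1.0
        for name in applied:
            residual *= 1.0 - self.countermeasures[name].mitigates.get(attack.name, 0.0)
        return base * residual

    def total_risk(self, applied=frozenset()):
        return sum(self.attack_risk(a, applied) for a in self.attacks)

    def ranked_attacks(self, applied=frozenset()):
        # highest residual risk first: the list practitioners would work through
        return sorted(((self.attack_risk(a, applied), a.name) for a in self.attacks), reverse=True)

    def best_next(self, applied=frozenset()):
        # greedy step: the unapplied countermeasure with the largest risk reduction per unit cost
        current = self.total_risk(applied)
        best, best_ratio = None, 0.0
        for name, cm in self.countermeasures.items():
            if name in applied:
                continue
            ratio = (current - self.total_risk(applied | {name})) / cm.cost
            if ratio > best_ratio:
                best, best_ratio = name, ratio
        return best

    def best_scenario(self, budget):
        # exhaustive what-if: every countermeasure set within budget, lowest residual risk wins
        names = list(self.countermeasures)
        best_set, best_risk = frozenset(), self.total_risk()
        for k in range(1, len(names) + 1):
            for combo in combinations(names, k):
                if sum(self.countermeasures[n].cost for n in combo) > budget:
                    continue
                risk = self.total_risk(frozenset(combo))
                if risk < best_risk:
                    best_set, best_risk = frozenset(combo), risk
        return best_set, best_risk


def risk_level(score):
    # assumed thresholds on the 1..125 scale produced by three 1..5 factors
    if score >= 80:
        return "serious"
    if score >= 40:
        return "high"
    if score >= 15:
        return "medium"
    return "low"


# Constructed sample graph for a fictitious telecom product; all values are assumptions.
GRAPH = CountermeasureGraph(
    goals={"steal subscriber data": 5, "disrupt service": 4},
    agents={"external attacker": 4, "malicious insider": 3},
    attacks=[
        Attack("SQL injection in provisioning API", "steal subscriber data", "external attacker", 5),
        Attack("flood signalling gateway", "disrupt service", "external attacker", 4),
        Attack("bulk export of subscriber database", "steal subscriber data", "malicious insider", 4),
        Attack("tamper with node configuration", "disrupt service", "malicious insider", 2),
    ],
    countermeasures=[
        Countermeasure("parameterised queries", {"SQL injection in provisioning API": 0.9}, 2),
        Countermeasure("rate limiting", {"flood signalling gateway": 0.6}, 1),
        Countermeasure("database access logging", {"bulk export of subscriber database": 0.5,
                                                   "tamper with node configuration": 0.5}, 3),
        Countermeasure("gateway input validation", {"SQL injection in provisioning API": 0.5,
                                                    "flood signalling gateway": 0.2}, 2),
    ],
)
```

With these assumed weights, `GRAPH.ranked_attacks()` puts the SQL injection first at a score of 100 (`risk_level` calls that "serious"), `GRAPH.best_next()` picks parameterised queries, and `GRAPH.best_scenario(budget=3)` finds that parameterised queries plus rate limiting cut the total from 248 to roughly 120. The point of keeping the scoring in one small model is that a team can re-run the same what-if on the next iteration after the graph has changed, which is the reuse the abstract emphasises; the exhaustive search is only practical for a handful of countermeasures, and the greedy step is what scales.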