EEMCS EPrints Service


14963 Extended eTVRA vs. Security Checklist: Experiences in a Value-Web

Morali, A. and Zambon, Emmanuele and Houmb, S.H. and Sallhammar, K. and Etalle, S. (2009) Extended eTVRA vs. Security Checklist: Experiences in a Value-Web. In: 31st International Conference on Software Engineering - Companion Volume, 16-24 May 2009, Vancouver, Canada. pp. 130-140. IEEE Computer Society. ISBN 978-1-4244-3494-7

This is the latest version of this eprint.

Official URL: http://dx.doi.org/10.1109/ICSE-COMPANION.2009.5070971

Abstract

Security evaluation according to ISO 15408 (common criteria) is a resource and time demanding activity, as well as being costly. For this reason, only few companies take their products through a common criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a threat, vulnerability, risk analysis (eTVRA) method for the Telecommunication (Telco) domain. eTVRA builds on the security risk management methodology CORAS and is structured in such a way that it provides output that can be directly fed into a common criteria security evaluation. In this paper, we evaluate the time and resource efficiency of parts of eTVRA and the quality of the result produced by following eTVRA compared to a more pragmatic approach (protection profile-based checklists). We use both approaches to identify and analyze risks of a new SIM card currently under joint development by a small hardware company and a large Telco provider.

Item Type: Conference or Workshop Paper (Full Paper, Talk)
Research Group: EWI-DIES: Distributed and Embedded Security, EWI-IS: Information Systems
Research Program: CTIT-ISTRICE: Integrated Security and Privacy in a Networked World
Research Project: VRIEND: Value-Based Security Risk Mitigation in Enterprise Networks that are Decentralized
Uncontrolled Keywords: Risk Assessment, value-webs
ID Code: 14963
Status: Published
Deposited On: 27 January 2009
Refereed: Yes
International: Yes