Alessandra Tedeschi

The Role of Catalogues of Threats and Security Controls in Security Risk Assessment: An Empirical Study with ATM Professionals

[Context and motivation] To remedy the lack of security expertise, industrial security risk assessment methods come with catalogues of threats and security controls. [Question/problem] We investigate in both qualitative and quantitative terms whether the use of catalogues of threats and security controls has an effect on the actual and perceived effectiveness of a security risk assessment method. In particular, we assessed the effect of using domain-specific versus domain-general catalogues on the actual and perceived efficacy of a security risk assessment method conducted by non-experts and compare it with the effect of running the same method by security experts but without catalogues.

Assessing a requirements evolution approach: Empirical studies in the air traffic management domain

Requirements evolution is still a challenging problem in engineering practices. In this paper, we report the results of the empirical evaluation of a novel approach for modeling and reasoning on evolving requirements. We evaluated the effectiveness of the approach in modeling requirements evolution by means of a series of empirical studies in the air traffic management (ATM) domain. As we also wanted to assess whether the knowledge of the method and/or the application domain influences the effectiveness of the approach, the studies involved researchers, master students and domain experts with different level of knowledge of the approach and of the ATM domain. The participants have applied the approach to a real evolutionary scenario which focuses on the introduction of a new queue management tool, the Arrival MANager (AMAN) and a new network for information sharing (SWIM) connecting the main ATM actors. The results from the studies show that the modeling approach is effective in capturing requirements evolution. In addition, domain knowledge and method knowledge do not have an observable effect on the effectiveness of the approach. Furthermore, the evaluation provided us useful insights on how to improve the modeling approach.

Organizational Patterns for Security and Dependability: From Design to Application

Designing secure and dependable IT systems requires a deep analysis of organizational as well as social aspects of the environment where the system will operate. Domain experts and analysts often face security and dependability S&D issues they have already encountered before. These concerns require the design of S&D patterns to facilitate designers when developing IT systems. This article presents the experience in designing S&D organizational patterns, which was gained in the course of an industry lead EU project. The authors use an agent-goal-oriented modeling framework i.e., the SI* framework to analyze organizational settings jointly with technical functionalities. This framework can assist domain experts and analysts in designing S&D patterns from their experience, validating them by proof-of-concept implementations, and applying them to increase the security level of the system.

Supporting resilience in air traffic management

This paper reports about the empirical validation of a tool for decision support in the conext of Air Traffic Management (ATM). The empirical validation highlights how resilience emerges in complex socio-technical settings.

Assessing a requirements evolution approach: Empirical studies in the Air Traffic Management domain

Requirements evolution is still a challenging problem in engineering practices. This paper presents a family of empirical studies about the applicability and usefulness of an approach for modeling evolving requirements. The empirical studies involved different categories of users (researchers, master students and domain experts) who have applied the approach to a real industrial evolutionary scenario drawn from the Air Traffic Management (ATM) domain. The results from the studies demonstrated the usefulness of the approach for requirements evolution in complex industrial settings such as the ones in the ATM domain. Furthermore, the validation provided us useful insights about the problem of requirements evolution faced in different industrial contexts.

Graphical vs. tabular notations for risk models: on the role of textual labels and complexity

[Background] Security risk assessment methods in industry mostly use a tabular notation to represent the assessment results whilst academic works advocate graphical methods. Experiments with MSc students showed that the tabular notation is better than an iconic graphical notation for the comprehension of security risks. [Aim] We investigate whether the availability of textual labels and terse UML-style notation could improve comprehensibility. [Method] We report the results of an online comprehensibility experiment involving 61 professionals with an average of 9 years of working experience, in which we compared the ability to comprehend security risk assessments represented in tabular, UML-style with textual labels, and iconic graphical modeling notations. [Results] Tabular notation are still the most comprehensible notion in both recall and precision. However, the presence of textual labels does improve the precision and recall of participants over iconic graphical models. [Conclusion] Tabular representation better supports extraction of correct information of both simple and complex comprehensibility questions about security risks than the graphical notation but textual labels help.

Trust Observations in Validation Exercises

This paper is concerned with an operational account of trust. It reports our experience in observing different trust aspects during a validation session for the assessment of a new tool and relevant operational concepts in the Air Traffic Management (ATM) domain. Despite the fact that trust is yet an elusive concept, our results show how monitoring trust can support the validation of alternative system settings and their operational aspects. This paper reports our experimental work on observing trust during validations exercises. Moreover, it provides new insights about the nature and the investigation of trust.

Airports as Critical Transportation Infrastructures Increasingly Impacted by Cyberattacks: A Case Study

The current state of cyber security in today’s critical infrastructures reveals that there have been a limited but growing number of incidents in which the defences of safety-critical applications have been penetrated. In this work we concentrate on airports’ infrastructures and investigate how airport authorities are concerned with emerging terrorist threats, such as cyber threats, against airport installations and systems, and security gain and risk perception of passengers. A review of actual attacks and real issues in the airport infrastructures allowed us to build projections or potential future scenarios. In the context of the present research, we analyzed in a deeper detail these factors, developed an emerging threat scenario, and calibrated a prediction model on our findings.

Evaluation of Airport Security Training Programs: Perspectives and Issues

While many governments and airport operators have emphasized the importance of security training and committed a large amount of budget to security training programs, the implementation of security training programs was not proactive but reactive. Moreover, most of the security training programs were employed as a demand or a trend-chasing activity from the government. In order to identify issues in airport security training and to develop desirable security training procedures in an airport, this preliminary study aims at providing (1) the description of current state of airport security training and training in general, (2) the study design and interview guide for studying airport security training, and (3) expected outcome from the study.

Evolutionary risk analysis: expert judgement

New systems and functionalities are continuously deployed in complex domains such as Air Traffic Management (ATM). Unfortunately, methodologies provide limited support in order to deal with changes and to assess their impacts on critical features (e.g. safety, security, etc.). This paper is concerned with how change requirements affect security properties. A change requirement is a specification of changes that are to be implemented in a system. The paper reports our experience to support an evolutionary risk analysis in order to assess change requirements and their impacts on security properties. In particular, this paper discusses how changes to structured risk analysis models are perceived by domain experts by presenting insights from a risk assessment exercise that uses the CORAS model-driven risk analysis in an ATM case study. It discusses how structured models supporting risk analysis help domain experts to analyse and assess the impact of changes on critical system features.