Abstract
This report is an evaluation describing the experiences obtained from a case study, carried out in a period of eight months from June 2012 to January 2013, in which we conducted a test-driven security risk analysis. Test-driven security risk analysis is a method for carrying out security risk analysis in which security testing is used to support the security risk analysis. The method consists of three main phases. In Phase 1, a security risk analysis is carried out. In Phase 2, security testing is carried out with respect to the security risk analysis. In the 3rd and final phase, the results obtained from the security risk analysis are validated and updated with respect to the test results. Our objective with the case study was to assess how useful testing is for gaining confidence in the correctness of the risk models produced in the risk analysis. To make the evaluation precise, we analysed the difference between the risk model produced before testing and the updated risk model after testing. The results obtained from the case study shows that testing contributes in gaining higher confidence of the correctness of the risk models.
Oppdragsgiver: Norwegian Research Council
Oppdragsgiver: Norwegian Research Council