To main content

An Evaluation of a Test-driven Security Risk Analysis Method Based on an Industrial Case Study

Abstract

This report is an evaluation describing the experiences obtained from a case study, carried out in a period of eight months from June 2012 to January 2013, in which we conducted a test-driven security risk analysis. Test-driven security risk analysis is a method for carrying out security risk analysis in which security testing is used to support the security risk analysis. The method consists of three main phases. In Phase 1, a security risk analysis is carried out. In Phase 2, security testing is carried out with respect to the security risk analysis. In the 3rd and final phase, the results obtained from the security risk analysis are validated and updated with respect to the test results. Our objective with the case study was to assess how useful testing is for gaining confidence in the correctness of the risk models produced in the risk analysis. To make the evaluation precise, we analysed the difference between the risk model produced before testing and the updated risk model after testing. The results obtained from the case study shows that testing contributes in gaining higher confidence of the correctness of the risk models.
Oppdragsgiver: Norwegian Research Council

Category

Report

Client

  • SINTEF AS / 102002253

Language

English

Author(s)

Affiliation

  • SINTEF Digital / Software and Service Innovation

Year

2013

Publisher

SINTEF

Issue

A25605

ISBN

9788214053371

View this publication at Cristin