Vis enkel innførsel

dc.contributor.authorMeland, Per Håkon
dc.contributor.authorBernsmed, Karin
dc.contributor.authorFrøystad, Christian
dc.contributor.authorLi, Jingyue
dc.contributor.authorSindre, Guttorm
dc.identifier.citationInformation and Computer Security. 2019, 26 (4), 536-561.nb_NO
dc.description.abstractPurpose Within critical-infrastructure industries, bow-tie analysis is an established way of eliciting requirements for safety and reliability concerns. Because of the ever-increasing digitalisation and coupling between the cyber and physical world, security has become an additional concern in these industries. The purpose of this paper is to evaluate how well bow-tie analysis performs in the context of security, and the study’s hypothesis is that the bow-tie notation has a suitable expressiveness for security and safety. Design/methodology/approach This study uses a formal, controlled quasi-experiment on two sample populations – security experts and security graduate students – working on the same case. As a basis for comparison, the authors used a similar experiment with misuse case analysis, a well-known technique for graphical security modelling. Findings The results show that the collective group of graduate students, inexperienced in security modelling, perform similarly as security experts in a well-defined scope and familiar target system/situation. The students showed great creativity, covering most of the same threats and consequences as the experts identified and discovering additional ones. One notable difference was that these naïve professionals tend to focus on preventive barriers, leading to requirements for risk mitigation or avoidance, while experienced professionals seem to balance this more with reactive barriers and requirements for incident management. Originality/value Our results are useful in areas where we need to evaluate safety and security concerns together, especially for domains that have experience in health, safety and environmental hazards, but now need to expand this with cybersecurity as well.nb_NO
dc.rightsNavngivelse 4.0 Internasjonal*
dc.titleAn experimental evaluation of bow-tie analysis for securitynb_NO
dc.typeJournal articlenb_NO
dc.typePeer reviewednb_NO
dc.source.journalInformation and Computer Securitynb_NO
dc.description.localcode© Per Håkon Meland, Karin Bernsmed, Christian Frøystad, Jingyue Li and Guttorm Sindre. Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence.nb_NO
cristin.unitnameInstitutt for datateknologi og informatikk

Tilhørende fil(er)


Denne innførselen finnes i følgende samling(er)

Vis enkel innførsel

Navngivelse 4.0 Internasjonal
Med mindre annet er angitt, så er denne innførselen lisensiert som Navngivelse 4.0 Internasjonal