A first empirical evaluation framework for security risk assessment methods in the ATM domain

K. Labunets; F. Massacci; F. Paci; M. Ragosta; B. Solhaug; K. Stølen; A. Tedeschi

A first empirical evaluation framework for security risk assessment methods in the ATM domain

K. Labunets, F. Massacci, F. Paci, M. Ragosta, B. Solhaug, K. Stølen, A. Tedeschi

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Evaluation and validation methodologies are integral parts of Air Traffic Management (ATM). They are well understood for safety, environmental and other business cases for which operational validation guidelines exist which are well defined and widely used. In contrast, there are no accepted methods to evaluate and compare the effectiveness of risk assessment practices for security. The EMFASE project aims to address this gap by providing an innovative framework to compare and evaluate in a qualitative and quantitative manner risk assessment methods for security in ATM. This paper presents the initial version of the framework and the results of the experiments we conducted to compare and assess security risk assessment methods in ATM. The results indicate that participants better perceive graphical methods for security risk assessment. In addition, the use of domain-specific catalogues of threats and security controls seems to have a significant effect on the perceived usefulness of the methods.

Original language	English
Title of host publication	SIDs 2014 - Proceedings of the SESAR Innovation Days
Editors	D. Schaefer
Publisher	Eurocontrol
ISBN (Print)	9782874970771
Publication status	Published - 2014
Externally published	Yes
Event	4th SESAR Innovation Days - Madrid, Spain Duration: 25 Nov 2014 → 27 Nov 2014

Publication series

Name	SIDs 2014 - Proceedings of the SESAR Innovation Days

Conference

Conference	4th SESAR Innovation Days
Country/Territory	Spain
City	Madrid
Period	25/11/14 → 27/11/14

Persistent URL (handle)

Persistent link

Cite this

@inproceedings{7757b83a2243482b80e6fe60622d26ff,

title = "A first empirical evaluation framework for security risk assessment methods in the ATM domain",

abstract = "Evaluation and validation methodologies are integral parts of Air Traffic Management (ATM). They are well understood for safety, environmental and other business cases for which operational validation guidelines exist which are well defined and widely used. In contrast, there are no accepted methods to evaluate and compare the effectiveness of risk assessment practices for security. The EMFASE project aims to address this gap by providing an innovative framework to compare and evaluate in a qualitative and quantitative manner risk assessment methods for security in ATM. This paper presents the initial version of the framework and the results of the experiments we conducted to compare and assess security risk assessment methods in ATM. The results indicate that participants better perceive graphical methods for security risk assessment. In addition, the use of domain-specific catalogues of threats and security controls seems to have a significant effect on the perceived usefulness of the methods.",

author = "K. Labunets and F. Massacci and F. Paci and M. Ragosta and B. Solhaug and K. St{\o}len and A. Tedeschi",

year = "2014",

language = "English",

isbn = "9782874970771",

series = "SIDs 2014 - Proceedings of the SESAR Innovation Days",

publisher = "Eurocontrol",

editor = "D. Schaefer",

booktitle = "SIDs 2014 - Proceedings of the SESAR Innovation Days",

note = "4th SESAR Innovation Days ; Conference date: 25-11-2014 Through 27-11-2014",

}

Labunets, K, Massacci, F, Paci, F, Ragosta, M, Solhaug, B, Stølen, K & Tedeschi, A 2014, A first empirical evaluation framework for security risk assessment methods in the ATM domain. in D Schaefer (ed.), SIDs 2014 - Proceedings of the SESAR Innovation Days. SIDs 2014 - Proceedings of the SESAR Innovation Days, Eurocontrol, 4th SESAR Innovation Days, Madrid, Spain, 25/11/14.

A first empirical evaluation framework for security risk assessment methods in the ATM domain. / Labunets, K.; Massacci, F.; Paci, F. et al.
SIDs 2014 - Proceedings of the SESAR Innovation Days. ed. / D. Schaefer. Eurocontrol, 2014. (SIDs 2014 - Proceedings of the SESAR Innovation Days).

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - A first empirical evaluation framework for security risk assessment methods in the ATM domain

AU - Labunets, K.

AU - Massacci, F.

AU - Paci, F.

AU - Ragosta, M.

AU - Solhaug, B.

AU - Stølen, K.

AU - Tedeschi, A.

PY - 2014

Y1 - 2014

N2 - Evaluation and validation methodologies are integral parts of Air Traffic Management (ATM). They are well understood for safety, environmental and other business cases for which operational validation guidelines exist which are well defined and widely used. In contrast, there are no accepted methods to evaluate and compare the effectiveness of risk assessment practices for security. The EMFASE project aims to address this gap by providing an innovative framework to compare and evaluate in a qualitative and quantitative manner risk assessment methods for security in ATM. This paper presents the initial version of the framework and the results of the experiments we conducted to compare and assess security risk assessment methods in ATM. The results indicate that participants better perceive graphical methods for security risk assessment. In addition, the use of domain-specific catalogues of threats and security controls seems to have a significant effect on the perceived usefulness of the methods.

AB - Evaluation and validation methodologies are integral parts of Air Traffic Management (ATM). They are well understood for safety, environmental and other business cases for which operational validation guidelines exist which are well defined and widely used. In contrast, there are no accepted methods to evaluate and compare the effectiveness of risk assessment practices for security. The EMFASE project aims to address this gap by providing an innovative framework to compare and evaluate in a qualitative and quantitative manner risk assessment methods for security in ATM. This paper presents the initial version of the framework and the results of the experiments we conducted to compare and assess security risk assessment methods in ATM. The results indicate that participants better perceive graphical methods for security risk assessment. In addition, the use of domain-specific catalogues of threats and security controls seems to have a significant effect on the perceived usefulness of the methods.

M3 - Conference contribution

SN - 9782874970771

T3 - SIDs 2014 - Proceedings of the SESAR Innovation Days

BT - SIDs 2014 - Proceedings of the SESAR Innovation Days

A2 - Schaefer, D.

PB - Eurocontrol

T2 - 4th SESAR Innovation Days

Y2 - 25 November 2014 through 27 November 2014

ER -

A first empirical evaluation framework for security risk assessment methods in the ATM domain

Abstract

Publication series

Conference

Persistent URL (handle)

Fingerprint

Cite this