IAS Fellow’s Seminar – The Role of Catalogues of Threats and Security Controls in Security Risk Assessment: an empirical study with air traffic management professionals

March 8 @ 5:00 pm - 6:00 pm

IAS Fellow’s Seminar by Professor Fabio Massacci, University of Trento and Vrije Universiteit Amsterdam

[Context] To remedy the lack of security expertise, industrial security risk assessment methods come with catalogues of threats and security controls.

[Question] We ran an experiment with Air Traffic Management professionals in which a security risk assessment method was applied by non-experts (with domain-specific versus domain-general catalogues), and compared the outcome with the effect of running the same method with security experts but without catalogues.

[Finding] The quantitative analysis shows that non-security experts who applied the method with catalogues identified threats and controls of the same quality as security experts without catalogues. The qualitative analysis indicates that security experts have different expectations of a catalogue than non-experts. Non-experts are mostly worried about the difficulty of navigating the catalogue (the larger and less specific it was, the worse), while expert users found it mostly useful as a source of common terminology and as a checklist confirming that nothing was forgotten.

[Contribution] This paper discusses how catalogues contribute to the risk assessment process. In a soundbite: if security experts are hard to get, a domain-specific catalogue is your second best bet.

