An experimental evaluation of bow-tie analysis for security. (25th September 2019)
- Record Type:
- Journal Article
- Title:
- An experimental evaluation of bow-tie analysis for security. (25th September 2019)
- Main Title:
- An experimental evaluation of bow-tie analysis for security
- Authors:
- Meland, Per Håkon
Bernsmed, Karin
Frøystad, Christian
Li, Jingyue
Sindre, Guttorm
- Abstract:
- Purpose: Within critical-infrastructure industries, bow-tie analysis is an established way of eliciting requirements for safety and reliability concerns. Because of the ever-increasing digitalisation and coupling between the cyber and physical world, security has become an additional concern in these industries. The purpose of this paper is to evaluate how well bow-tie analysis performs in the context of security, and the study's hypothesis is that the bow-tie notation has a suitable expressiveness for security and safety. Design/methodology/approach: This study uses a formal, controlled quasi-experiment on two sample populations – security experts and security graduate students – working on the same case. As a basis for comparison, the authors used a similar experiment with misuse case analysis, a well-known technique for graphical security modelling. Findings: The results show that the collective group of graduate students, inexperienced in security modelling, perform similarly as security experts in a well-defined scope and familiar target system/situation. The students showed great creativity, covering most of the same threats and consequences as the experts identified and discovering additional ones. One notable difference was that these naïve professionals tend to focus on preventive barriers, leading to requirements for risk mitigation or avoidance, while experienced professionals seem to balance this more with reactive barriers and requirements for incident management. Originality/value: Our results are useful in areas where we need to evaluate safety and security concerns together, especially for domains that have experience in health, safety and environmental hazards, but now need to expand this with cybersecurity as well.
- Is Part Of:
- Information and computer security. Volume 26:Number 4(2018)
- Journal:
- Information and computer security
- Issue:
- Volume 26:Number 4(2018)
- Issue Display:
- Volume 26, Issue 4 (2018)
- Year:
- 2018
- Volume:
- 26
- Issue:
- 4
- Issue Sort Value:
- 2018-0026-0004-0000
- Page Start:
- 536
- Page End:
- 561
- Publication Date:
- 2019-09-25
- Subjects:
- Security -- Threats -- Bow-tie analysis -- Misuse case -- Controlled experiment
Computer security -- Management -- Periodicals
Computer networks -- Security measures -- Periodicals
Data protection -- Management -- Periodicals
658.47
- Journal URLs:
- http://www.emeraldinsight.com/loi/ics
http://www.emeraldinsight.com/
- DOI:
- 10.1108/ICS-11-2018-0132
- Languages:
- English
- ISSNs:
- 2056-4961
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 4481.796000
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 11826.xml