Extended eTVRA vs. Security Checklist: Experiences in a Value-Web

A. Morali, Emmanuele Zambon, S.H. Houmb, Karin Sallhammar, Sandro Etalle

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    1 Citation (Scopus)
    159 Downloads (Pure)


    Security evaluation according to ISO 15408 (common criteria) is a resource and time demanding activity, as well as being costly. For this reason, only few companies take their products through a common criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a threat, vulnerability, risk analysis (eTVRA) method for the Telecommunication (Telco) domain. eTVRA builds on the security risk management methodology CORAS and is structured in such a way that it provides output that can be directly fed into a common criteria security evaluation. In this paper, we evaluate the time and resource efficiency of parts of eTVRA and the quality of the result produced by following eTVRA compared to a more pragmatic approach (protection profile-based checklists). We use both approaches to identify and analyze risks of a new SIM card currently under joint development by a small hardware company and a large Telco provider.
    Original languageUndefined
    Title of host publication31st International Conference on Software Engineering - Companion Volume
    Place of PublicationLos Alamitos
    Number of pages11
    ISBN (Print)978-1-4244-3494-7
    Publication statusPublished - 26 Jan 2009
    Event31st IEEE International Conference on Software Engineering, ICSE 2009 - Vancouver, Canada
    Duration: 16 May 200924 May 2009
    Conference number: 31

    Publication series

    PublisherIEEE Computer Society Press


    Conference31st IEEE International Conference on Software Engineering, ICSE 2009
    Abbreviated titleICSE


    • SCS-Cybersecurity
    • Risk analysis
    • Internet
    • telecommunication security
    • METIS-265738
    • value-webs
    • EWI-14963
    • IR-65344
    • ISO standards
    • telecommunication standards

    Cite this