Abstract
Security evaluation according to ISO 15408 (Common Criteria) is a resource- and time-demanding activity, as well as being costly. For this reason, only a few companies take their products through a Common Criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a Threat, Vulnerability and Risk Analysis (eTVRA) method for the telecommunication (Telco) domain. eTVRA builds on the security risk management methodology CORAS and is structured so that its output can be fed directly into a Common Criteria security evaluation. In this paper, we evaluate the time and resource efficiency of parts of eTVRA, and the quality of the result produced by following eTVRA, compared to a more pragmatic approach (protection profile-based checklists). We use both approaches to identify and analyze risks of a new SIM card currently under joint development by a small hardware company and a large Telco provider.
Original language | Undefined |
---|---|
Title of host publication | 31st International Conference on Software Engineering - Companion Volume |
Place of Publication | Los Alamitos |
Publisher | IEEE Computer Society Press |
Pages | 130-140 |
Number of pages | 11 |
ISBN (Print) | 978-1-4244-3494-7 |
DOIs | |
Publication status | Published - 26 Jan 2009 |
Event | 31st IEEE International Conference on Software Engineering, ICSE 2009 - Vancouver, Canada |
Duration | 16 May 2009 → 24 May 2009 |
Conference number | 31 |
Publication series
Name | |
---|---|
Publisher | IEEE Computer Society Press |
Conference
Conference | 31st IEEE International Conference on Software Engineering, ICSE 2009 |
---|---|
Abbreviated title | ICSE |
Country/Territory | Canada |
City | Vancouver |
Period | 16/05/09 → 24/05/09 |
Keywords
- SCS-Cybersecurity
- Risk analysis
- Internet
- RISK ASSESSMENT
- telecommunication security
- METIS-265738
- value-webs
- EWI-14963
- IR-65344
- ISO standards
- telecommunication standards