Extended eTVRA vs. Security Checklist: Experiences in a Value-Web

A. Morali; Emmanuele Zambon; S.H. Houmb; Karin Sallhammar; Sandro Etalle

doi:10.1109/ICSE-COMPANION.2009.5070971

Extended eTVRA vs. Security Checklist: Experiences in a Value-Web

A. Morali
, Emmanuele Zambon
, S.H. Houmb
, Karin Sallhammar
, Sandro Etalle

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

1 Citation (Scopus)

207 Downloads (Pure)

Abstract

Security evaluation according to ISO 15408 (common criteria) is a resource and time demanding activity, as well as being costly. For this reason, only few companies take their products through a common criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a threat, vulnerability, risk analysis (eTVRA) method for the Telecommunication (Telco) domain. eTVRA builds on the security risk management methodology CORAS and is structured in such a way that it provides output that can be directly fed into a common criteria security evaluation. In this paper, we evaluate the time and resource efficiency of parts of eTVRA and the quality of the result produced by following eTVRA compared to a more pragmatic approach (protection profile-based checklists). We use both approaches to identify and analyze risks of a new SIM card currently under joint development by a small hardware company and a large Telco provider.

Original language	Undefined
Title of host publication	31st International Conference on Software Engineering - Companion Volume
Place of Publication	Los Alamitos
Publisher	IEEE
Pages	130-140
Number of pages	11
ISBN (Print)	978-1-4244-3494-7
DOIs	https://doi.org/10.1109/ICSE-COMPANION.2009.5070971
Publication status	Published - 26 Jan 2009
Event	31st IEEE International Conference on Software Engineering, ICSE 2009 - Vancouver, Canada Duration: 16 May 2009 → 24 May 2009 Conference number: 31

Publication series

Name
Publisher	IEEE Computer Society Press

Conference

Conference	31st IEEE International Conference on Software Engineering, ICSE 2009
Abbreviated title	ICSE
Country/Territory	Canada
City	Vancouver
Period	16/05/09 → 24/05/09

Keywords

SCS-Cybersecurity
Risk analysis
Internet
RISK ASSESSMENT
telecommunication security
METIS-265738
value-webs
EWI-14963
IR-65344
ISO standards
telecommunication standards

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1109/ICSE-COMPANION.2009.5070971

Morali09extended

http://eprints.eemcs.utwente.nl/secure2/14963/01/getPDF.pdf

1 Citations
1 Report

Extended eTVRA vs. Security Checklist: Experiences in a Value-Web
Morali, A., Zambon, E., Houmb, S. H., Sallhammar, K. & Etalle, S., 10 Oct 2008, Enschede: Centre for Telematics and Information Technology (CTIT). 10 p. (CTIT Technical Report Series; no. 10/TR-CTIT-08-62)
Research output: Book/Report › Report › Professional

Open Access
File

Cite this

@inproceedings{2c7fb76a9adf4dc88766650bd2c2e7fc,

title = "Extended eTVRA vs. Security Checklist: Experiences in a Value-Web",

abstract = "Security evaluation according to ISO 15408 (common criteria) is a resource and time demanding activity, as well as being costly. For this reason, only few companies take their products through a common criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a threat, vulnerability, risk analysis (eTVRA) method for the Telecommunication (Telco) domain. eTVRA builds on the security risk management methodology CORAS and is structured in such a way that it provides output that can be directly fed into a common criteria security evaluation. In this paper, we evaluate the time and resource efficiency of parts of eTVRA and the quality of the result produced by following eTVRA compared to a more pragmatic approach (protection profile-based checklists). We use both approaches to identify and analyze risks of a new SIM card currently under joint development by a small hardware company and a large Telco provider.",

keywords = "SCS-Cybersecurity, Risk analysis, Internet, RISK ASSESSMENT, telecommunication security, METIS-265738, value-webs, EWI-14963, IR-65344, ISO standards, telecommunication standards",

author = "A. Morali and Emmanuele Zambon and S.H. Houmb and Karin Sallhammar and Sandro Etalle",

note = "10.1109/ICSE-COMPANION.2009.5070971 ; 31st IEEE International Conference on Software Engineering, ICSE 2009 ; Conference date: 16-05-2009 Through 24-05-2009",

year = "2009",

month = jan,

day = "26",

doi = "10.1109/ICSE-COMPANION.2009.5070971",

language = "Undefined",

isbn = "978-1-4244-3494-7",

publisher = "IEEE",

pages = "130--140",

booktitle = "31st International Conference on Software Engineering - Companion Volume",

address = "United States",

}

Morali, A, Zambon, E, Houmb, SH, Sallhammar, K & Etalle, S 2009, Extended eTVRA vs. Security Checklist: Experiences in a Value-Web. in 31st International Conference on Software Engineering - Companion Volume. IEEE, Los Alamitos, pp. 130-140, 31st IEEE International Conference on Software Engineering, ICSE 2009, Vancouver, Canada, 16/05/09. https://doi.org/10.1109/ICSE-COMPANION.2009.5070971

TY - GEN

T1 - Extended eTVRA vs. Security Checklist: Experiences in a Value-Web

AU - Morali, A.

AU - Zambon, Emmanuele

AU - Houmb, S.H.

AU - Sallhammar, Karin

AU - Etalle, Sandro

N1 - Conference code: 31

PY - 2009/1/26

Y1 - 2009/1/26

N2 - Security evaluation according to ISO 15408 (common criteria) is a resource and time demanding activity, as well as being costly. For this reason, only few companies take their products through a common criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a threat, vulnerability, risk analysis (eTVRA) method for the Telecommunication (Telco) domain. eTVRA builds on the security risk management methodology CORAS and is structured in such a way that it provides output that can be directly fed into a common criteria security evaluation. In this paper, we evaluate the time and resource efficiency of parts of eTVRA and the quality of the result produced by following eTVRA compared to a more pragmatic approach (protection profile-based checklists). We use both approaches to identify and analyze risks of a new SIM card currently under joint development by a small hardware company and a large Telco provider.

AB - Security evaluation according to ISO 15408 (common criteria) is a resource and time demanding activity, as well as being costly. For this reason, only few companies take their products through a common criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a threat, vulnerability, risk analysis (eTVRA) method for the Telecommunication (Telco) domain. eTVRA builds on the security risk management methodology CORAS and is structured in such a way that it provides output that can be directly fed into a common criteria security evaluation. In this paper, we evaluate the time and resource efficiency of parts of eTVRA and the quality of the result produced by following eTVRA compared to a more pragmatic approach (protection profile-based checklists). We use both approaches to identify and analyze risks of a new SIM card currently under joint development by a small hardware company and a large Telco provider.

KW - SCS-Cybersecurity

KW - Risk analysis

KW - Internet

KW - RISK ASSESSMENT

KW - telecommunication security

KW - METIS-265738

KW - value-webs

KW - EWI-14963

KW - IR-65344

KW - ISO standards

KW - telecommunication standards

U2 - 10.1109/ICSE-COMPANION.2009.5070971

DO - 10.1109/ICSE-COMPANION.2009.5070971

M3 - Conference contribution

SN - 978-1-4244-3494-7

SP - 130

EP - 140

BT - 31st International Conference on Software Engineering - Companion Volume

PB - IEEE

CY - Los Alamitos

T2 - 31st IEEE International Conference on Software Engineering, ICSE 2009

Y2 - 16 May 2009 through 24 May 2009

ER -