A new, evidence-based, theory for knowledge reuse in security risk analysis

• Published in: Empirical software engineering : an international journal Vol. 28; no. 4; p. 90
• Main Authors: Labunets, Katsiaryna, Massacci, Fabio, Paci, Federica, Tuma, Katja
• Format: Journal Article
• Language: English
• Published: New York Springer US 01.07.2023; Springer Nature B.V
• Subjects: Automation; Compilers; Computer Science; Design; Grounded theory; Interpreters; Knowledge; Performance evaluation; Programming Languages; Risk analysis; Risk assessment; Security; Software engineering; Software Engineering/Programming and Operating Systems; Subject specialists; Success factors; Threats; Knowledge reuse; Information security; Risk assessment; Empirical study
• ISSN: 1382-3256; 1573-7616
• DOI: 10.1007/s10664-023-10321-y

Security risk analysis (SRA) is a key activity in software engineering but requires heavy manual effort. Community knowledge in the form of security patterns or security catalogs can be used to support the identification of threats and security controls. However, no evidence-based theory exists about the effectiveness of security catalogs when used for security risk analysis. We adopt a grounded theory approach to propose a conceptual, revised and refined theory of SRA knowledge reuse. The theory refinement is backed by evidence gathered from conducting interviews with experts (20) and controlled experiments with both experts (15) and novice analysts (18). We conclude the paper by providing insights into the use of catalogs and managerial implications.