A new, evidence-based, theory for knowledge reuse in security risk analysis

Bibliographic Details
Published in: Empirical Software Engineering: An International Journal, Vol. 28, No. 4, p. 90
Main Authors Labunets, Katsiaryna, Massacci, Fabio, Paci, Federica, Tuma, Katja
Format Journal Article
Language: English
Published: New York, Springer US, 01.07.2023
Springer Nature B.V
Abstract Security risk analysis (SRA) is a key activity in software engineering but requires heavy manual effort. Community knowledge in the form of security patterns or security catalogs can be used to support the identification of threats and security controls. However, no evidence-based theory exists about the effectiveness of security catalogs when used for security risk analysis. We adopt a grounded theory approach to propose a conceptual, revised and refined theory of SRA knowledge reuse. The theory refinement is backed by evidence gathered from conducting interviews with experts (20) and controlled experiments with both experts (15) and novice analysts (18). We conclude the paper by providing insights into the use of catalogs and managerial implications.
ArticleNumber 90
Author Tuma, Katja
Massacci, Fabio
Paci, Federica
Labunets, Katsiaryna
Author_xml – sequence: 1
  givenname: Katsiaryna
  surname: Labunets
  fullname: Labunets, Katsiaryna
  organization: Utrecht University
– sequence: 2
  givenname: Fabio
  surname: Massacci
  fullname: Massacci, Fabio
  organization: Vrije Universiteit Amsterdam, University of Trento
– sequence: 3
  givenname: Federica
  surname: Paci
  fullname: Paci, Federica
  organization: University of Verona
– sequence: 4
  givenname: Katja
  orcidid: 0000-0001-7189-2817
  surname: Tuma
  fullname: Tuma, Katja
  email: k.tuma@vu.nl
  organization: Vrije Universiteit Amsterdam
ContentType Journal Article
Copyright The Author(s) 2023
The Author(s) 2023. This work is published under http://creativecommons.org/licenses/by/4.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.
DOI 10.1007/s10664-023-10321-y
DatabaseName Springer Nature OA Free Journals
CrossRef
Computer and Information Systems Abstracts
Technology Research Database
ProQuest SciTech Collection
ProQuest Technology Collection
Materials Science & Engineering Collection
ProQuest Central UK/Ireland
Advanced Technologies & Aerospace Collection
ProQuest Central
Technology Collection
ProQuest One
ProQuest Central Korea
SciTech Premium Collection
ProQuest Computer Science Collection
ProQuest Engineering Collection
Advanced Technologies Database with Aerospace
Computer and Information Systems Abstracts – Academic
Computer and Information Systems Abstracts Professional
Engineering Database
Advanced Technologies & Aerospace Database
ProQuest Advanced Technologies & Aerospace Collection
ProQuest Central Premium
ProQuest One Academic (New)
ProQuest One Academic Middle East (New)
ProQuest One Academic Eastern Edition (DO NOT USE)
ProQuest One Applied & Life Sciences
ProQuest One Academic
ProQuest One Academic UKI Edition
Engineering Collection
DELNET Engineering & Technology Collection
DatabaseTitle CrossRef
Technology Collection
Technology Research Database
Computer and Information Systems Abstracts – Academic
ProQuest One Academic Middle East (New)
ProQuest Advanced Technologies & Aerospace Collection
ProQuest Computer Science Collection
Computer and Information Systems Abstracts
SciTech Premium Collection
ProQuest One Community College
ProQuest Central
ProQuest One Applied & Life Sciences
ProQuest Engineering Collection
ProQuest Central Korea
ProQuest Central (New)
Advanced Technologies Database with Aerospace
Engineering Collection
Advanced Technologies & Aerospace Collection
Engineering Database
ProQuest One Academic Eastern Edition
ProQuest Technology Collection
ProQuest SciTech Collection
Computer and Information Systems Abstracts Professional
Advanced Technologies & Aerospace Database
ProQuest One Academic UKI Edition
ProQuest DELNET Engineering and Technology Collection
Materials Science & Engineering Collection
ProQuest One Academic
ProQuest One Academic (New)
DatabaseTitleList Technology Collection

CrossRef
Database_xml – sequence: 1
  dbid: C6C
  name: Springer Nature OA Free Journals
  url: http://www.springeropen.com/
  sourceTypes: Publisher
– sequence: 2
  dbid: 8FG
  name: ProQuest Technology Collection
  url: https://search.proquest.com/technologycollection1
  sourceTypes: Aggregation Database
DeliveryMethod fulltext_linktorsrc
Discipline Computer Science
EISSN 1573-7616
ExternalDocumentID 10_1007_s10664_023_10321_y
GrantInformation_xml – fundername: SESAR project EMFASE and the European Union and the FP7 project 285223 (SECONOMICS)
ISSN 1382-3256
IngestDate Fri Jul 25 12:11:37 EDT 2025
Tue Jul 01 03:32:22 EDT 2025
Fri Feb 21 02:41:35 EST 2025
IsDoiOpenAccess true
IsOpenAccess true
IsPeerReviewed true
IsScholarly true
Issue 4
Keywords Knowledge reuse
Information security
Risk assessment
Empirical study
Language English
LinkModel DirectLink
Notes ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ORCID 0000-0001-7189-2817
OpenAccessLink https://link.springer.com/10.1007/s10664-023-10321-y
PQID 2819139336
PQPubID 326341
ParticipantIDs proquest_journals_2819139336
crossref_primary_10_1007_s10664_023_10321_y
springer_journals_10_1007_s10664_023_10321_y
PublicationCentury 2000
PublicationDate 2023-07-01
PublicationDateYYYYMMDD 2023-07-01
PublicationDate_xml – month: 07
  year: 2023
  text: 2023-07-01
  day: 01
PublicationDecade 2020
PublicationPlace New York
PublicationPlace_xml – name: New York
– name: Dordrecht
PublicationSubtitle An International Journal
PublicationTitle Empirical software engineering : an international journal
PublicationTitleAbbrev Empir Software Eng
PublicationYear 2023
Publisher Springer US
Springer Nature B.V
– reference: Tuma K, Sion L, Scandariato R, et al (2020) Automating the early detection of security design flaws. In: Proc. of the 23rd ACM/IEEE Int. Conf. on Model Driven Eng. Languages and Systems, p 332–342
– reference: LeachMJEvidence-based practice: A framework for clinical practice and research designInt J Nurs Pract200612524825110.1111/j.1440-172X.2006.00587.x
– reference: Barnum S (2008) Common attack pattern enumeration and classification (CAPEC) schema. Department of Homeland Security
– reference: Lund MS, Solhaug B, Stølen K (2010) Model-driven risk analysis: the CORAS approach. Springer Science & Business Media
– reference: ZhangCBudgenDWhat do we know about the effectiveness of software design patterns?IEEE Trans Soft Eng20123851213123110.1109/TSE.2011.79
– reference: MeyerJPSeamanMAA comparison of the exact Kruskal-Wallis distribution to asymptotic approximations for all sample sizes up to 105J Exp Educ201381213915610.1080/00220973.2012.699904
– reference: SchultzeULeidnerDEStudying knowledge management in information systems research: discourses and theoretical assumptionsMIS Quart20022621324210.2307/4132331
– reference: Cruzes DS, Jaatun MG, Bernsmed K, et al (2018) Challenges and experiences with applying microsoft threat modeling in agile development projects. In: Proc. of the 25th Australasian Software Eng. Conf., IEEE, pp 111–120
– reference: Gritzalis D, Iseppi G, Mylonas A, et al (2018) Exiting the risk assessment maze: A meta-survey. ACM Comput Surv 51(1). https://doi.org/10.1145/3145905
– reference: GammaEHelmRJohnsonRDesign Patterns: Elements of Reusable Object-oriented Software1995BostonAddison Wesley
– reference: SchumacherMFernandez-BuglioniEHybertsonDSecurity Patterns: Integrating Security and Systems Engineering2006ChichesterJohn Wiley & Sons
– reference: for Internet Security C (2023) Cis critical security controls. https://www.cisecurity.org/controls
– reference: MITRE (2022) Mitre att &ck enterprise matrix. https://attack.mitre.org/matrices/enterprise/
– reference: DixonNThe neglected receiver of knowledge sharingIvey Businees J2002663540
– reference: OWASP (2021) Owasp top 10. https://owasp.org/www-project-top-ten/
– reference: O’DellCGraysonCJIf only we knew what we know: Identification and transfer of internal best practicesCalif Manag Rev199840315417410.2307/41165948
– reference: Arce I, Clark-Fisher K, Daswani N, et al (2014) Avoiding the top 10 software security design flaws. IEEE Comput Soc Cent Secure Des (CSD), Tech Rep
– reference: DavisFDPerceived usefulness, perceived ease of use, and user acceptance of information technologyMIS Quart19891331934010.2307/249008
– reference: MeynersMEquivalence tests-a reviewFood quality and preference201226223124510.1016/j.foodqual.2012.05.003
– reference: Pilat L, Kaindl H (2011) A knowledge management perspective of requirements engineering. In: Proc. of the 5th IEEE Int. Conf. on Research Challenges in Information Science, IEEE, p 1–12
– reference: Tuma K, Scandariato R (2018) Two architectural threat analysis techniques compared. In: Proc. of the 12th European Conf. on Software Architecture, Springer, pp 347–363
– reference: Souag A, Mazo R, Salinesi C, et al (2015) Reusable knowledge in security requirements engineering: a systematic mapping study. Req Eng 1–33
– reference: BharadwajASA resource-based perspective on information technology capability and firm performance: an empirical investigationMIS Quart20002416919610.2307/3250983
– reference: Food and Drug Administration (2001) Guidance for industry: Statistical approaches to establishing bioequivalence
– ident: 10321_CR80
  doi: 10.1007/978-3-030-00761-4_23
– ident: 10321_CR44
  doi: 10.1007/978-3-642-12323-8
– volume: 144
  start-page: 275
  year: 2018
  ident: 10321_CR82
  publication-title: J Syst Softw
  doi: 10.1016/j.jss.2018.06.073
– volume: 26
  start-page: 231
  issue: 2
  year: 2012
  ident: 10321_CR48
  publication-title: Food quality and preference
  doi: 10.1016/j.foodqual.2012.05.003
– ident: 10321_CR37
– ident: 10321_CR57
  doi: 10.1109/RCIS.2011.6006849
– volume-title: Qualitative Research from Start to Finish
  year: 2010
  ident: 10321_CR87
– volume: 26
  start-page: 213
  year: 2002
  ident: 10321_CR68
  publication-title: MIS Quart
  doi: 10.2307/4132331
– volume: 13
  start-page: 319
  year: 1989
  ident: 10321_CR18
  publication-title: MIS Quart
  doi: 10.2307/249008
– ident: 10321_CR14
  doi: 10.21236/ADA470450
– volume: 22
  start-page: 2127
  issue: 4
  year: 2017
  ident: 10321_CR61
  publication-title: Empir Softw Eng
  doi: 10.1007/s10664-016-9481-1
– volume: 19
  start-page: 78
  issue: 5
  year: 2021
  ident: 10321_CR81
  publication-title: IEEE Secur Priv
  doi: 10.1109/MSEC.2021.3093137
– ident: 10321_CR56
– ident: 10321_CR10
– ident: 10321_CR6
– volume: 24
  start-page: 169
  year: 2000
  ident: 10321_CR9
  publication-title: MIS Quart
  doi: 10.2307/3250983
– ident: 10321_CR22
  doi: 10.1007/3-540-45732-1_11
– volume: 2
  start-page: 147
  issue: 2
  year: 2016
  ident: 10321_CR29
  publication-title: J Cybersecurity
– volume: 20
  start-page: 163
  issue: 2
  year: 2015
  ident: 10321_CR66
  publication-title: Req Eng
  doi: 10.1007/s00766-013-0195-2
– ident: 10321_CR17
– volume: 18
  start-page: 57
  issue: 1
  year: 2001
  ident: 10321_CR45
  publication-title: J Manag Inform Syst
  doi: 10.1080/07421222.2001.11045671
– ident: 10321_CR2
– ident: 10321_CR60
  doi: 10.1145/2961111.2962599
– ident: 10321_CR65
– ident: 10321_CR88
  doi: 10.1109/ICSE.2015.49
– ident: 10321_CR71
– volume: 3
  start-page: 74
  issue: 2
  year: 2005
  ident: 10321_CR7
  publication-title: IEEE Secur Priv
  doi: 10.1109/MSP.2005.45
– volume: 40
  start-page: 154
  issue: 3
  year: 1998
  ident: 10321_CR54
  publication-title: Calif Manag Rev
  doi: 10.2307/41165948
– volume-title: Security Patterns: Integrating Security and Systems Engineering
  year: 2006
  ident: 10321_CR70
– ident: 10321_CR16
  doi: 10.1109/ASWEC.2018.00023
– ident: 10321_CR41
  doi: 10.1007/s10664-017-9502-8
– ident: 10321_CR30
– ident: 10321_CR26
  doi: 10.1145/3145905
– ident: 10321_CR40
  doi: 10.1109/EmpiRE.2014.6890113
– volume: 18
  start-page: 87
  issue: 1
  year: 1982
  ident: 10321_CR53
  publication-title: Artif Intell
  doi: 10.1016/0004-3702(82)90012-1
– ident: 10321_CR64
  doi: 10.1109/ICSAW.2017.25
– ident: 10321_CR76
– ident: 10321_CR51
– volume: 56
  start-page: 294
  issue: 3
  year: 2014
  ident: 10321_CR35
  publication-title: Inform Soft Tech
  doi: 10.1016/j.infsof.2013.10.004
– volume-title: Design Patterns: Elements of Reusable Object-oriented Software
  year: 1995
  ident: 10321_CR23
– ident: 10321_CR34
– ident: 10321_CR59
  doi: 10.2139/ssrn.1907412
– volume: 10
  start-page: 34
  issue: 1
  year: 2005
  ident: 10321_CR74
  publication-title: Req Eng
  doi: 10.1007/s00766-004-0194-4
– ident: 10321_CR27
– ident: 10321_CR75
  doi: 10.1007/s00766-015-0220-8
– volume: 104
  start-page: 90
  year: 2015
  ident: 10321_CR36
  publication-title: J Syst Soft
  doi: 10.1016/j.jss.2015.02.040
– ident: 10321_CR8
  doi: 10.1007/978-3-319-30806-7_4
– ident: 10321_CR13
– volume: 16
  start-page: 3
  issue: 1
  year: 2011
  ident: 10321_CR19
  publication-title: Req Eng
  doi: 10.1007/s00766-010-0115-7
– ident: 10321_CR52
  doi: 10.1145/2601248.2601255
– volume: 179
  year: 2021
  ident: 10321_CR84
  publication-title: J Syst Soft
  doi: 10.1016/j.jss.2021.111003
– ident: 10321_CR3
  doi: 10.1109/ICSE.2013.6606612
– volume: 48
  start-page: 106
  issue: 2
  year: 2011
  ident: 10321_CR33
  publication-title: Inform Manag
  doi: 10.1016/j.im.2011.02.002
– volume: 37
  start-page: 617
  issue: 3
  year: 1981
  ident: 10321_CR67
  publication-title: Biometrics
– volume: 56
  year: 2020
  ident: 10321_CR31
  publication-title: J Comput Lang
  doi: 10.1016/j.cola.2019.100938
– volume-title: Applied Thematic Analysis
  year: 2011
  ident: 10321_CR28
– ident: 10321_CR39
– ident: 10321_CR83
  doi: 10.1145/3365438.3410954
– ident: 10321_CR58
– ident: 10321_CR42
  doi: 10.1109/ESEM.2017.40
– ident: 10321_CR46
  doi: 10.1007/978-3-642-34210-3_7
– volume: 12
  start-page: 248
  issue: 5
  year: 2006
  ident: 10321_CR43
  publication-title: Int J Nurs Pract
  doi: 10.1111/j.1440-172X.2006.00587.x
– volume: 19
  start-page: 26
  issue: 3
  year: 2002
  ident: 10321_CR62
  publication-title: IEEE Soft
  doi: 10.1109/MS.2002.1003450
– ident: 10321_CR77
– volume: 5
  start-page: 1
  issue: 1
  year: 2014
  ident: 10321_CR79
  publication-title: Int J Inform Syst Model Design
  doi: 10.4018/ijismd.2014010101
– ident: 10321_CR50
– volume: 45
  start-page: 365
  issue: 6
  year: 2008
  ident: 10321_CR11
  publication-title: Inform Manag
  doi: 10.1016/j.im.2008.06.001
– ident: 10321_CR1
  doi: 10.1109/APSEC.2013.19
– volume-title: Threat modeling: Designing for security
  year: 2014
  ident: 10321_CR72
– ident: 10321_CR49
– ident: 10321_CR4
– volume: 51
  start-page: 916
  issue: 5
  year: 2009
  ident: 10321_CR55
  publication-title: Inform Soft Tech
  doi: 10.1016/j.infsof.2008.05.013
– volume: 23
  start-page: 1382
  issue: 5
  year: 2012
  ident: 10321_CR24
  publication-title: Organ Sci
  doi: 10.1287/orsc.1110.0723
– volume: 19
  start-page: 1921
  issue: 6
  year: 2014
  ident: 10321_CR32
  publication-title: Empir Soft Eng
  doi: 10.1007/s10664-013-9268-6
– ident: 10321_CR38
  doi: 10.1109/ESEM.2013.29
– ident: 10321_CR21
– ident: 10321_CR63
– ident: 10321_CR15
– volume: 50
  start-page: 821
  issue: 6
  year: 2004
  ident: 10321_CR25
  publication-title: Knowledge sourcing effectiveness. Manag Sci
– volume: 38
  start-page: 1213
  issue: 5
  year: 2012
  ident: 10321_CR89
  publication-title: IEEE Trans Soft Eng
  doi: 10.1109/TSE.2011.79
– volume: 9
  start-page: 155
  issue: 2
  year: 2000
  ident: 10321_CR85
  publication-title: J Strat Inf Syst
  doi: 10.1016/S0963-8687(00)00045-7
– volume: 96
  start-page: 122
  year: 2014
  ident: 10321_CR86
  publication-title: J Syst Soft
  doi: 10.1016/j.jss.2014.05.075
– volume: 41
  start-page: 549
  issue: 4
  year: 2004
  ident: 10321_CR69
  publication-title: J Manag Stud
  doi: 10.1111/j.1467-6486.2004.00444.x
– ident: 10321_CR78
– ident: 10321_CR73
  doi: 10.1109/ICSAW.2017.25
– volume: 66
  start-page: 35
  year: 2002
  ident: 10321_CR20
  publication-title: Ivey Businees J
– ident: 10321_CR5
– volume: 45
  start-page: 8
  issue: 2
  year: 2014
  ident: 10321_CR12
  publication-title: Data Base Adv Inf Sy
  doi: 10.1145/2621906.2621908
– volume: 81
  start-page: 139
  issue: 2
  year: 2013
  ident: 10321_CR47
  publication-title: J Exp Educ
  doi: 10.1080/00220973.2012.699904
StartPage 90
SubjectTerms Automation
Compilers
Computer Science
Design
Grounded theory
Interpreters
Knowledge
Performance evaluation
Programming Languages
Risk analysis
Risk assessment
Security
Software engineering
Software Engineering/Programming and Operating Systems
Subject specialists
Success factors
Threats
Title A new, evidence-based, theory for knowledge reuse in security risk analysis
URI https://link.springer.com/article/10.1007/s10664-023-10321-y
https://www.proquest.com/docview/2819139336
Volume 28