Extended eTVRA vs. Security Checklist: Experiences in a Value-Web
Morali, Ayse and Zambon, Emmanuele and Houmb, Siv Hilde and Sallhammar, Karin and Etalle, Sandro (2009) Extended eTVRA vs. Security Checklist: Experiences in a Value-Web. In: 31st IEEE International Conference on Software Engineering, ICSE 2009, 16-24 May 2009, Vancouver, Canada. (In Press)
| Abstract: | Security evaluation according to ISO 15408 (Common Criteria) is a resource- and time-demanding activity, as well as being costly. For this reason, only a few companies take their products through a Common Criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a threat, vulnerability, risk analysis (eTVRA) method for the Telecommunication (Telco) domain. eTVRA builds on the security risk management methodology CORAS and is structured in such a way that its output can be fed directly into a Common Criteria security evaluation. In this paper, we evaluate the time and resource efficiency of parts of eTVRA, and the quality of the result produced by following eTVRA, compared to a more pragmatic approach (Protection Profile-based checklists). We use both approaches to identify and analyze risks of a new SIM card currently under joint development by a small hardware company and a large Telco provider. |
| Item Type: | Conference or Workshop Item |
| Copyright: | © 2009 IEEE |
| Faculty: | Electrical Engineering, Mathematics and Computer Science (EEMCS) |
| Link to this item: | http://purl.utwente.nl/publications/65344 |
| Official URL: | http://dx.doi.org/10.1109/ICSE-COMPANION.2009.5070971 |
Metis ID: 265738