Sciweavers

ICSE
2009
IEEE-ACM

Extended eTVRA vs. security checklist: Experiences in a value-web

Abstract: Security evaluation according to ISO 15408 (Common Criteria) is a resource- and time-demanding activity, as well as being costly. For this reason, only a few companies take their products through a Common Criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a threat, vulnerability, risk analysis (eTVRA) method for the Telecommunication (Telco) domain. eTVRA builds on the security risk management methodology CORAS and is structured in such a way that it provides output that can be directly fed into a Common Criteria security evaluation. In this paper, we evaluate the time and resource efficiency of parts of eTVRA and the quality of the result produced by following eTVRA compared to a more pragmatic approach (Protection Profile-based checklists). We use both approaches to identify and analyze risks of a new SIM card currently under joint development by a small hardware company and a large Telco provider. The ...
Added 19 Feb 2011
Updated 19 Feb 2011
Type Journal
Year 2009
Where ICSE
Authors Ayse Morali, Emmanuele Zambon, Siv Hilde Houmb, Karin Sallhammar, Sandro Etalle