Information assurance techniques: Perceived cost effectiveness

Such, José M.; Gouglidis, Antonios; Knowles, William; Misra, Gaurav; Rashid, Awais

doi:10.1016/j.cose.2016.03.009

Cited by 32 publications

(22 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To conduct the vulnerability assessment and assess the effectiveness of the 5 cyber essentials security controls, and due to the nature of SMEs that do not have the resources to separate testing from operational systems, we sought to avoid "active" security testing techniques like penetration testing, which may have an operational impact on this already resource-constrained type of businesses. Instead, we used a less aggressive approach, particularly using: architectural reviews, configuration reviews, and interviews, which are, however, known to be some of the most costeffective security testing techniques in practice [19]. As part of the assessment, we firstly mapped between the selected SME's characteristics (see below) and network features on the one hand and the 200 randomly selected vulnerabilities on the other hand.…”

Section: Cyber Essentialsmentioning

confidence: 99%

Basic Cyber Hygiene: Does It Work?

et al. 2019

Self Cite

View full text Add to dashboard Cite

The resources required to establish and maintain cyber security often results in Small and Medium Enterprises (SMEs) being left unprotected, risking not just their own but also the supply chain of other larger organisations. A number of security certifications for SMEs have been proposed, but how effective are these schemes? We conducted the first effectiveness evaluation of one such scheme, Cyber Essentials, and found that its security controls seem to work well to mitigate the threats they were designed for, i.e., those threats exploiting vulnerabilities remotely with commodity-level tools. The results may also be applicable to other schemes for SMEs around the globe that share/include the same security controls.

show abstract

Section: Cyber Essentialsmentioning

confidence: 99%

Basic Cyber Hygiene: Does It Work?

et al. 2019

Self Cite

View full text Add to dashboard Cite

show abstract

“…The coding process generated a set of intervention techniques, as shown in Table 1. The majority of these are already well known and documented; for these we have used the terminology defined by Such et al [4]. However, three of the practices-On-the-job Training, Incentivization Session, and Product Negotiation-are new in the context of security assurance techniques.…”

Section: Intervention Practicesmentioning

confidence: 99%

“…Existing research has identified a range of well-understood assurance techniques [4] used by security professionals to help improve the security of a system. Yet if we are to improve software security in a wide range of teams, we need approaches that work where resources may be limited and security expertise unavailable.…”

Section: Introductionmentioning

confidence: 99%

Interventions for Software Security: Creating a Lightweight Program of Assurance Techniques for Developers

Weir

Becker

Noble

et al. 2019

2019 IEEE/ACM 41st International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)

Self Cite

View full text Add to dashboard Cite

Summary Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team's motivation to consider security and awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. We tested the interventions in a participatory action research field study where we delivered the workshops to three software development organizations and evaluated their effectiveness through interviews beforehand, immediately afterwards, and after twelve months. We found that the interventions can be effective with teams with limited or no security experience and that improvement is long‐lasting. This approach and the learning points arising from the work here have the potential to be applied in many development teams, improving the security of software worldwide.

show abstract

“…Existing research has identified a range of well‐understood assurance techniques used by security professionals to help improve the security of a system. However, if we are to improve software security in a wide range of teams, we need approaches that work where resources may be limited and security expertise unavailable.…”

Section: Introductionmentioning

confidence: 99%

“…Taking a different approach, Such et al investigated the economics of software security, surveying 150 security specialists to analyze the economics of different assurance techniques . The survey generated a taxonomy of twenty assurance techniques and found wide variations in the perceived cost effectiveness of each.…”

Section: Introductionmentioning

confidence: 99%

Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers

et al. 2019

Self Cite

View full text Add to dashboard Cite

Though some software development teams are highly effective at delivering security, others either do not care or do not have access to security experts to teach them how. Unfortunately, these latter teams are still responsible for the security of the systems they build: systems that are ever more important to ever more people. We propose that a series of lightweight interventions, six hours of facilitated workshops delivered over three months, can improve a team's motivation to consider security and awareness of assurance techniques, changing its security culture even when no security experts are involved. The interventions were developed after an Appreciative Inquiry and Grounded Theory survey of security professionals to find out what approaches work best. We tested the interventions in a participatory action research field study where we delivered the workshops to three software development organizations and evaluated their effectiveness through interviews beforehand, immediately afterwards, and after twelve months. We found that the interventions can be effective with teams with limited or no security experience and that improvement is long-lasting. This approach and the learning points arising from the work here have the potential to be applied in many development teams, improving the security of software worldwide.

show abstract

Information assurance techniques: Perceived cost effectiveness

Cited by 32 publications

References 18 publications

Basic Cyber Hygiene: Does It Work?

Basic Cyber Hygiene: Does It Work?

Interventions for Software Security: Creating a Lightweight Program of Assurance Techniques for Developers

Interventions for long‐term software security: Creating a lightweight program of assurance techniques for developers

Contact Info

Product

Resources

About