Link to original content: https://api.crossref.org/works/10.1007/S10664-023-10321-Y
{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,7,17]],"date-time":"2024-07-17T13:56:05Z","timestamp":1721224565763},"reference-count":89,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2023,5,25]],"date-time":"2023-05-25T00:00:00Z","timestamp":1684972800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,5,25]],"date-time":"2023-05-25T00:00:00Z","timestamp":1684972800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2023,7]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Security risk analysis (SRA) is a key activity in software engineering but requires heavy manual effort. Community knowledge in the form of security patterns or security catalogs can be used to support the identification of threats and security controls. However, no evidence-based theory exists about the effectiveness of security catalogs when used for security risk analysis. We adopt a grounded theory approach to propose a conceptual, revised and refined theory of SRA knowledge reuse. The theory refinement is backed by evidence gathered from conducting interviews with experts (20) and controlled experiments with both experts (15) and novice analysts (18). 
We conclude the paper by providing insights into the use of catalogs and managerial implications.<\/jats:p>","DOI":"10.1007\/s10664-023-10321-y","type":"journal-article","created":{"date-parts":[[2023,5,25]],"date-time":"2023-05-25T11:02:25Z","timestamp":1685012545000},"update-policy":"http:\/\/dx.doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["A new, evidence-based, theory for knowledge reuse in security risk analysis"],"prefix":"10.1007","volume":"28","author":[{"given":"Katsiaryna","family":"Labunets","sequence":"first","affiliation":[]},{"given":"Fabio","family":"Massacci","sequence":"additional","affiliation":[]},{"given":"Federica","family":"Paci","sequence":"additional","affiliation":[]},{"ORCID":"http:\/\/orcid.org\/0000-0001-7189-2817","authenticated-orcid":false,"given":"Katja","family":"Tuma","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,5,25]]},"reference":[{"key":"10321_CR1","doi-asserted-by":"crossref","unstructured":"Abe T, Hayashi S, Saeki M (2013) Modeling security threat patterns to derive negative scenarios. In: Proc. of the 20th Asia-Pacific Software Eng. Conf., vol. 1. IEEE, p 58\u201366","DOI":"10.1109\/APSEC.2013.19"},{"key":"10321_CR2","unstructured":"Agency CIS (2023) Cisa security bulletins. https:\/\/www.cisa.gov\/uscert\/ncas\/bulletins"},{"key":"10321_CR3","doi-asserted-by":"crossref","unstructured":"Almorsy M, Grundy J, Ibrahim AS (2013) Automated software architecture security risk analysis using formalized signatures. In: Proc. of the 35th Int. Conf. on Software Eng., p 662\u2013671","DOI":"10.1109\/ICSE.2013.6606612"},{"key":"10321_CR4","unstructured":"Arce I, Clark-Fisher K, Daswani N, et\u00a0al (2014) Avoiding the top 10 software security design flaws. 
IEEE Comput Soc Cent Secure Des (CSD), Tech Rep"},{"key":"10321_CR5","unstructured":"Arora A, Belenzon S, Patacconi A (2015) Knowledge sharing in alliances and alliance portfolios. Available at SSRN 2719747"},{"key":"10321_CR6","unstructured":"Barnum S (2008) Common attack pattern enumeration and classification (CAPEC) schema. Department of Homeland Security"},{"issue":"2","key":"10321_CR7","doi-asserted-by":"publisher","first-page":"74","DOI":"10.1109\/MSP.2005.45","volume":"3","author":"S Barnum","year":"2005","unstructured":"Barnum S, McGraw G (2005) Knowledge for software security. IEEE Secur Priv 3(2):74\u201378","journal-title":"IEEE Secur Priv"},{"key":"10321_CR8","doi-asserted-by":"crossref","unstructured":"Berger BJ, Sohr K, Koschke R (2016) Automatically extracting threats from extended data flow diagrams. In: Proc. of the 8th Int. Symp. on Eng. Secure Software and Systems, pp. 56\u201371","DOI":"10.1007\/978-3-319-30806-7_4"},{"key":"10321_CR9","doi-asserted-by":"publisher","first-page":"169","DOI":"10.2307\/3250983","volume":"24","author":"AS Bharadwaj","year":"2000","unstructured":"Bharadwaj AS (2000) A resource-based perspective on information technology capability and firm performance: an empirical investigation. MIS Quart 24:169\u2013196","journal-title":"MIS Quart"},{"key":"10321_CR10","unstructured":"Bla\u017ei\u010d BJ (2021) Cybersecurity skills in eu: New educational concept for closing the missing workforce gap. In: Cybersecurity Threats with New Perspectives"},{"issue":"6","key":"10321_CR11","doi-asserted-by":"publisher","first-page":"365","DOI":"10.1016\/j.im.2008.06.001","volume":"45","author":"WF Boh","year":"2008","unstructured":"Boh WF (2008) Reuse of knowledge assets from repositories: A mixed methods study. 
Inform Manag 45(6):365\u2013375","journal-title":"Inform Manag"},{"issue":"2","key":"10321_CR12","doi-asserted-by":"publisher","first-page":"8","DOI":"10.1145\/2621906.2621908","volume":"45","author":"WF Boh","year":"2014","unstructured":"Boh WF (2014) Knowledge sharing in communities of practice: examining usefulness of knowledge from discussion forums versus repositories. Data Base Adv Inf Sy 45(2):8\u201331","journal-title":"Data Base Adv Inf Sy"},{"key":"10321_CR13","unstructured":"BSI G (2017) Bsi standards 100-1, 100-2, 100-3, 100-4. https:\/\/www.bsi.bund.de\/DE\/Themen\/Unternehmen-und-Organisationen\/Standards-und-Zertifizierung\/IT-Grundschutz\/it-grundschutz_node.html"},{"key":"10321_CR14","doi-asserted-by":"crossref","unstructured":"Caralli R, Stevens J, Young L, et\u00a0al (2007) Introducing octave allegro: Improving the information security risk assessment process. Tech. Rep. CMU\/SEI-2007-TR-012, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, http:\/\/resources.sei.cmu.edu\/library\/asset-view.cfm?AssetID=8419","DOI":"10.21236\/ADA470450"},{"key":"10321_CR15","unstructured":"Center NCS (2021) 10 steps to cyber security. https:\/\/www.ncsc.gov.uk\/collection\/10-steps"},{"key":"10321_CR16","doi-asserted-by":"crossref","unstructured":"Cruzes DS, Jaatun MG, Bernsmed K, et\u00a0al (2018) Challenges and experiences with applying microsoft threat modeling in agile development projects. In: Proc. of the 25th Australasian Software Eng. Conf., IEEE, pp 111\u2013120","DOI":"10.1109\/ASWEC.2018.00023"},{"key":"10321_CR17","unstructured":"CyberSeek (2019) Cybersecurity Supply\/Demand Heat Map. https:\/\/www.cyberseek.org\/heatmap.html"},{"key":"10321_CR18","doi-asserted-by":"publisher","first-page":"319","DOI":"10.2307\/249008","volume":"13","author":"FD Davis","year":"1989","unstructured":"Davis FD (1989) Perceived usefulness, perceived ease of use, and user acceptance of information technology. 
MIS Quart 13:319\u2013340","journal-title":"MIS Quart"},{"issue":"1","key":"10321_CR19","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/s00766-010-0115-7","volume":"16","author":"M Deng","year":"2011","unstructured":"Deng M, Wuyts K, Scandariato R et al (2011) A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Req Eng 16(1):3\u201332","journal-title":"Req Eng"},{"key":"10321_CR20","first-page":"35","volume":"66","author":"N Dixon","year":"2002","unstructured":"Dixon N (2002) The neglected receiver of knowledge sharing. Ivey Businees J 66:35\u201340","journal-title":"Ivey Businees J"},{"key":"10321_CR21","unstructured":"Food and Drug Administration (2001) Guidance for industry: Statistical approaches to establishing bioequivalence"},{"key":"10321_CR22","doi-asserted-by":"crossref","unstructured":"Fredriksen R, Kristiansen M, Gran BA, et\u00a0al (2002) The coras framework for a model-based risk management process. In: Proc. of the 21st Int. Conf. on Computer Safety, Reliability, and Security, Springer, pp 94\u2013105","DOI":"10.1007\/3-540-45732-1_11"},{"key":"10321_CR23","volume-title":"Design Patterns: Elements of Reusable Object-oriented Software","author":"E Gamma","year":"1995","unstructured":"Gamma E, Helm R, Johnson R et al (1995) Design Patterns: Elements of Reusable Object-oriented Software. Addison Wesley, Boston"},{"issue":"5","key":"10321_CR24","doi-asserted-by":"publisher","first-page":"1382","DOI":"10.1287\/orsc.1110.0723","volume":"23","author":"L Garicano","year":"2012","unstructured":"Garicano L, Wu Y (2012) Knowledge, communication, and organizational capabilities. Organ Sci 23(5):1382\u20131397","journal-title":"Organ Sci"},{"issue":"6","key":"10321_CR25","first-page":"821","volume":"50","author":"PH Gray","year":"2004","unstructured":"Gray PH, Meister DB (2004) Knowledge sourcing effectiveness. Manag Sci 50(6):821\u2013834","journal-title":"Knowledge sourcing effectiveness. 
Manag Sci"},{"key":"10321_CR26","doi-asserted-by":"publisher","unstructured":"Gritzalis D, Iseppi G, Mylonas A, et\u00a0al (2018) Exiting the risk assessment maze: A meta-survey. ACM Comput Surv 51(1). https:\/\/doi.org\/10.1145\/3145905","DOI":"10.1145\/3145905"},{"key":"10321_CR27","unstructured":"Group SSI (2021) Building security in maturity model (bsimm12). https:\/\/www.bsimm.com"},{"key":"10321_CR28","volume-title":"Applied Thematic Analysis","author":"G Guest","year":"2011","unstructured":"Guest G, MacQueen KM, Namey EE (2011) Applied Thematic Analysis. Sage, Thousand Oaks"},{"issue":"2","key":"10321_CR29","first-page":"147","volume":"2","author":"H Hibshi","year":"2016","unstructured":"Hibshi H, Breaux TD, Riaz M et al (2016) A grounded analysis of experts\u2019 decision-making during security assessments. J Cybersecurity 2(2):147\u2013163","journal-title":"J Cybersecurity"},{"key":"10321_CR30","unstructured":"for Internet\u00a0Security C (2023) Cis critical security controls. https:\/\/www.cisecurity.org\/controls"},{"key":"10321_CR31","doi-asserted-by":"publisher","DOI":"10.1016\/j.cola.2019.100938","volume":"56","author":"AJ Jafari","year":"2020","unstructured":"Jafari AJ, Rasoolzadegan A (2020) Security patterns: A systematic mapping study. J Comput Lang 56:100938","journal-title":"J Comput Lang"},{"issue":"6","key":"10321_CR32","doi-asserted-by":"publisher","first-page":"1921","DOI":"10.1007\/s10664-013-9268-6","volume":"19","author":"A Jedlitschka","year":"2014","unstructured":"Jedlitschka A, Juristo N, Rombach D (2014) Reporting experiments to satisfy professionals\u2019 information needs. 
Empir Soft Eng 19(6):1921\u20131955","journal-title":"Empir Soft Eng"},{"issue":"2","key":"10321_CR33","doi-asserted-by":"publisher","first-page":"106","DOI":"10.1016\/j.im.2011.02.002","volume":"48","author":"A Kankanhalli","year":"2011","unstructured":"Kankanhalli A, Lee OKD, Lim KH (2011) Knowledge reuse through electronic repositories: A study in the context of customer service support. Inform Manag 48(2):106\u2013113","journal-title":"Inform Manag"},{"key":"10321_CR34","unstructured":"Karahasanovic A, Kleberger P, Almgren M (2017) Adapting threat modeling methods for the automotive industry. In: Proc. of the 15th European Conf. on Embedded Security in Cars, p 1\u201310"},{"issue":"3","key":"10321_CR35","doi-asserted-by":"publisher","first-page":"294","DOI":"10.1016\/j.infsof.2013.10.004","volume":"56","author":"P Karpati","year":"2014","unstructured":"Karpati P, Redda Y, Opdahl AL et al (2014) Comparing attack trees and misuse cases in an industrial setting. Inform Soft Tech 56(3):294\u2013308","journal-title":"Inform Soft Tech"},{"key":"10321_CR36","doi-asserted-by":"publisher","first-page":"90","DOI":"10.1016\/j.jss.2015.02.040","volume":"104","author":"P Karpati","year":"2015","unstructured":"Karpati P, Opdahl AL, Sindre G (2015) Investigating security threats in architectural context: Experimental evaluations of misuse case maps. J Syst Soft 104:90\u2013111","journal-title":"J Syst Soft"},{"key":"10321_CR37","unstructured":"Knowles MS (1970) The modern practice of adult education; andragogy versus pedagogy"},{"key":"10321_CR38","doi-asserted-by":"crossref","unstructured":"Labunets K, Massacci F, Paci F, et\u00a0al (2013) An experimental comparison of two risk-based security methods. In: Proc. of the 7th ACM\/IEEE Int. Symp. on Empirical Software Eng. 
and Measurement, p 163\u2013172","DOI":"10.1109\/ESEM.2013.29"},{"key":"10321_CR39","unstructured":"Labunets K, Paci F, Massacci F, et\u00a0al (2014a) A first empirical evaluation framework for security risk assessment methods in the atm domain. Proc. of the 4th SESAR Innovation Days"},{"key":"10321_CR40","doi-asserted-by":"crossref","unstructured":"Labunets K, Paci F, Massacci F, et\u00a0al (2014b) An experiment on comparing textual vs. visual industrial methods for security risk assessment. In: Proc. of the 4th IEEE Int. Workshop on Empirical Requirements Eng. at the 22nd IEEE Int. Requirements Eng. Conf., pp. 28\u201335","DOI":"10.1109\/EmpiRE.2014.6890113"},{"key":"10321_CR41","doi-asserted-by":"crossref","unstructured":"Labunets K, Massacci F, Paci F, et\u00a0al (2017a) Model comprehension for security risk assessment: an empirical comparison of tabular vs. graphical representations. Empir Soft Eng 22(6):3017\u20133056","DOI":"10.1007\/s10664-017-9502-8"},{"key":"10321_CR42","doi-asserted-by":"crossref","unstructured":"Labunets K, Massacci F, Tedeschi A (2017b) Graphical vs. tabular notations for risk models: on the role of textual labels and complexity. In: Proc. of the 12th ACM\/IEEE Int. Symp. on Empirical Software Eng. and Measurement, IEEE, pp 267\u2013276","DOI":"10.1109\/ESEM.2017.40"},{"issue":"5","key":"10321_CR43","doi-asserted-by":"publisher","first-page":"248","DOI":"10.1111\/j.1440-172X.2006.00587.x","volume":"12","author":"MJ Leach","year":"2006","unstructured":"Leach MJ (2006) Evidence-based practice: A framework for clinical practice and research design. Int J Nurs Pract 12(5):248\u2013251","journal-title":"Int J Nurs Pract"},{"key":"10321_CR44","doi-asserted-by":"crossref","unstructured":"Lund MS, Solhaug B, St\u00f8len K (2010) Model-driven risk analysis: the CORAS approach. 
Springer Science & Business Media","DOI":"10.1007\/978-3-642-12323-8"},{"issue":"1","key":"10321_CR45","doi-asserted-by":"publisher","first-page":"57","DOI":"10.1080\/07421222.2001.11045671","volume":"18","author":"LM Markus","year":"2001","unstructured":"Markus LM (2001) Toward a theory of knowledge reuse: Types of knowledge reuse situations and factors in reuse success. J Manag Inform Syst 18(1):57\u201393","journal-title":"J Manag Inform Syst"},{"key":"10321_CR46","doi-asserted-by":"crossref","unstructured":"Massacci F, Paci F (2012) How to select a security requirements method? a comparative study with students and practitioners. In: Proc. of the 17th Nordic Conf. on Secure IT Systems, Karlskrona, Sweden, Springer, Karlskrona, pp 89\u2013104","DOI":"10.1007\/978-3-642-34210-3_7"},{"issue":"2","key":"10321_CR47","doi-asserted-by":"publisher","first-page":"139","DOI":"10.1080\/00220973.2012.699904","volume":"81","author":"JP Meyer","year":"2013","unstructured":"Meyer JP, Seaman MA (2013) A comparison of the exact Kruskal-Wallis distribution to asymptotic approximations for all sample sizes up to 105. J Exp Educ 81(2):139\u2013156","journal-title":"J Exp Educ"},{"issue":"2","key":"10321_CR48","doi-asserted-by":"publisher","first-page":"231","DOI":"10.1016\/j.foodqual.2012.05.003","volume":"26","author":"M Meyners","year":"2012","unstructured":"Meyners M (2012) Equivalence tests-a review. Food quality and preference 26(2):231\u2013245","journal-title":"Food quality and preference"},{"key":"10321_CR49","unstructured":"MITRE (2022) Mitre att &ck enterprise matrix. https:\/\/attack.mitre.org\/matrices\/enterprise\/"},{"key":"10321_CR50","unstructured":"MITRE (2020a) CVE - Common Vulnerabilities and Exposures. https:\/\/cve.mitre.org"},{"key":"10321_CR51","unstructured":"MITRE (2020b) CWE - Common Weakness Enumeration. 
https:\/\/cwe.mitre.org"},{"key":"10321_CR52","doi-asserted-by":"crossref","unstructured":"Mouaffo A, Taibi D, Jamboti K (2014) Controlled experiments comparing fault-tree-based safety analysis techniques. In: Proc. of the 18th Int. Conf. on Evaluation and Assessment in Software Eng., ACM, p 46:1\u201346:10","DOI":"10.1145\/2601248.2601255"},{"issue":"1","key":"10321_CR53","doi-asserted-by":"publisher","first-page":"87","DOI":"10.1016\/0004-3702(82)90012-1","volume":"18","author":"A Newell","year":"1982","unstructured":"Newell A (1982) The knowledge level. Artif Intell 18(1):87\u2013127","journal-title":"Artif Intell"},{"issue":"3","key":"10321_CR54","doi-asserted-by":"publisher","first-page":"154","DOI":"10.2307\/41165948","volume":"40","author":"C O\u2019Dell","year":"1998","unstructured":"O\u2019Dell C, Grayson CJ (1998) If only we knew what we know: Identification and transfer of internal best practices. Calif Manag Rev 40(3):154\u2013174","journal-title":"Calif Manag Rev"},{"issue":"5","key":"10321_CR55","doi-asserted-by":"publisher","first-page":"916","DOI":"10.1016\/j.infsof.2008.05.013","volume":"51","author":"AL Opdahl","year":"2009","unstructured":"Opdahl AL, Sindre G (2009) Experimental comparison of attack trees and misuse cases for security threat identification. Inform Soft Tech 51(5):916\u2013932","journal-title":"Inform Soft Tech"},{"key":"10321_CR56","unstructured":"OWASP (2021) Owasp top 10. https:\/\/owasp.org\/www-project-top-ten\/"},{"key":"10321_CR57","doi-asserted-by":"crossref","unstructured":"Pilat L, Kaindl H (2011) A knowledge management perspective of requirements engineering. In: Proc. of the 5th IEEE Int. Conf. on Research Challenges in Information Science, IEEE, p 1\u201312","DOI":"10.1109\/RCIS.2011.6006849"},{"key":"10321_CR58","unstructured":"Publicas MDA (2012) Magerit - methodology for information systems risk analysis and management. 
https:\/\/administracionelectronica.gob.es\/pae_Home\/pae_Documentacion\/pae_Metodolog\/pae_Magerit.html"},{"key":"10321_CR59","doi-asserted-by":"crossref","unstructured":"Raman R, Bharadwaj A (2010) Knowledge and agency based performative deviations in practice transfer routines: The case of evidence-based medicine. Available at SSRN 1907412","DOI":"10.2139\/ssrn.1907412"},{"key":"10321_CR60","doi-asserted-by":"publisher","unstructured":"Riaz M, Stallings J, Singh MP, et\u00a0al (2016) Digs: A framework for discovering goals for security requirements engineering. In: Proceedings of the 10th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement. Association for Computing Machinery, New York, NY, USA, ESEM \u201916. https:\/\/doi.org\/10.1145\/2961111.2962599","DOI":"10.1145\/2961111.2962599"},{"issue":"4","key":"10321_CR61","doi-asserted-by":"publisher","first-page":"2127","DOI":"10.1007\/s10664-016-9481-1","volume":"22","author":"M Riaz","year":"2017","unstructured":"Riaz M, King J, Slankas J et al (2017) Identifying the implied: Findings from three differentiated replications on the use of security requirements templates. Empir Softw Eng 22(4):2127\u20132178","journal-title":"Empir Softw Eng"},{"issue":"3","key":"10321_CR62","doi-asserted-by":"publisher","first-page":"26","DOI":"10.1109\/MS.2002.1003450","volume":"19","author":"I Rus","year":"2002","unstructured":"Rus I, Lindvall M (2002) Knowledge management in software engineering. IEEE Soft 19(3):26\u201338","journal-title":"IEEE Soft"},{"key":"10321_CR63","unstructured":"SANS (2011) SANS Top 25 Software Errors. https:\/\/www.sans.org\/top25-software-errors\/"},{"key":"10321_CR64","doi-asserted-by":"crossref","unstructured":"Santos JC, Tarrit K, Mirakhorli M (2017) A catalog of security architecture weaknesses. In: Proc. of the Int. Conf. 
on Software Architecture Workshops, p 220\u2013223","DOI":"10.1109\/ICSAW.2017.25"},{"key":"10321_CR65","unstructured":"Scandariato R, Wuyts K, Joosen W (2014) A descriptive study of microsoft\u2019s threat modeling technique. Req Eng 1\u201318"},{"issue":"2","key":"10321_CR66","doi-asserted-by":"publisher","first-page":"163","DOI":"10.1007\/s00766-013-0195-2","volume":"20","author":"R Scandariato","year":"2015","unstructured":"Scandariato R, Wuyts K, Joosen W (2015) A descriptive study of microsoft\u2019s threat modeling technique. Req Eng 20(2):163\u2013180","journal-title":"Req Eng"},{"issue":"3","key":"10321_CR67","first-page":"617","volume":"37","author":"D Schuirmann","year":"1981","unstructured":"Schuirmann D (1981) On hypothesis-testing to determine if the mean of a normal-distribution is contained in a known interval. Biometrics 37(3):617","journal-title":"Biometrics"},{"key":"10321_CR68","doi-asserted-by":"publisher","first-page":"213","DOI":"10.2307\/4132331","volume":"26","author":"U Schultze","year":"2002","unstructured":"Schultze U, Leidner DE (2002) Studying knowledge management in information systems research: discourses and theoretical assumptions. MIS Quart 26:213\u2013242","journal-title":"MIS Quart"},{"issue":"4","key":"10321_CR69","doi-asserted-by":"publisher","first-page":"549","DOI":"10.1111\/j.1467-6486.2004.00444.x","volume":"41","author":"U Schultze","year":"2004","unstructured":"Schultze U, Stabell C (2004) Knowing what you don\u2019t know? discourses and contradictions in knowledge management research. J Manag Stud 41(4):549\u2013573","journal-title":"J Manag Stud"},{"key":"10321_CR70","volume-title":"Security Patterns: Integrating Security and Systems Engineering","author":"M Schumacher","year":"2006","unstructured":"Schumacher M, Fernandez-Buglioni E, Hybertson D et al (2006) Security Patterns: Integrating Security and Systems Engineering. 
John Wiley & Sons, Chichester"},{"key":"10321_CR71","unstructured":"la\u00a0S\u00e9curit\u00e9 Des Syst\u00e8mes D\u2019information\u00a0(ANSSI) AND (2019) Ebios risk manager. https:\/\/www.ssi.gouv.fr\/uploads\/2019\/11\/anssi-guide-ebios_risk_manager-en-v1.0.pdf"},{"key":"10321_CR72","volume-title":"Threat modeling: Designing for security","author":"A Shostack","year":"2014","unstructured":"Shostack A (2014) Threat modeling: Designing for security. John Wiley & Sons, Indianapolis"},{"key":"10321_CR73","doi-asserted-by":"crossref","unstructured":"da\u00a0Silva\u00a0Santos JC (2016) Toward establishing a catalog of security architecture weaknesses. https:\/\/scholarworks.rit.edu\/theses\/9004","DOI":"10.1109\/ICSAW.2017.25"},{"issue":"1","key":"10321_CR74","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1007\/s00766-004-0194-4","volume":"10","author":"G Sindre","year":"2005","unstructured":"Sindre G, Opdahl AL (2005) Eliciting security requirements with misuse cases. Req Eng 10(1):34\u201344","journal-title":"Req Eng"},{"key":"10321_CR75","doi-asserted-by":"crossref","unstructured":"Souag A, Mazo R, Salinesi C, et\u00a0al (2015) Reusable knowledge in security requirements engineering: a systematic mapping study. Req Eng 1\u201333","DOI":"10.1007\/s00766-015-0220-8"},{"key":"10321_CR76","unstructured":"of\u00a0Standards NI, Technologies (2023) Cyber security framework v1.1. https:\/\/www.nist.gov\/cyberframework"},{"key":"10321_CR77","unstructured":"of\u00a0Standards NI, Technology (2012) Nist special publication 800-30 - revision 1 - guide for conducting risk assessment. https:\/\/www.nist.gov\/privacy-framework\/nist-sp-800-30"},{"key":"10321_CR78","unstructured":"of\u00a0Standards NI, Technology (2020) Nist special publication 800-53 - revision 5 - security and privacy controls for information systems and organizations. 
https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-53\/rev-5\/final"},{"issue":"1","key":"10321_CR79","doi-asserted-by":"publisher","first-page":"1","DOI":"10.4018\/ijismd.2014010101","volume":"5","author":"T St\u00e5lhane","year":"2014","unstructured":"St\u00e5lhane T, Sindre G (2014) An experimental comparison of system diagrams and textual use cases for the identification of safety hazards. Int J Inform Syst Model Design 5(1):1\u201324","journal-title":"Int J Inform Syst Model Design"},{"key":"10321_CR80","doi-asserted-by":"crossref","unstructured":"Tuma K, Scandariato R (2018) Two architectural threat analysis techniques compared. In: Proc. of the 12th European Conf. on Software Architecture, Springer, pp 347\u2013363","DOI":"10.1007\/978-3-030-00761-4_23"},{"issue":"5","key":"10321_CR81","doi-asserted-by":"publisher","first-page":"78","DOI":"10.1109\/MSEC.2021.3093137","volume":"19","author":"K Tuma","year":"2021","unstructured":"Tuma K, Widman M (2021) Seven pain points of threat analysis and risk assessment in the automotive domain. IEEE Secur Priv 19(5):78\u201382","journal-title":"IEEE Secur Priv"},{"key":"10321_CR82","doi-asserted-by":"publisher","first-page":"275","DOI":"10.1016\/j.jss.2018.06.073","volume":"144","author":"K Tuma","year":"2018","unstructured":"Tuma K, Calikli G, Scandariato R (2018) Threat analysis of software systems: A systematic literature review. J Syst Softw 144:275\u2013294","journal-title":"J Syst Softw"},{"key":"10321_CR83","doi-asserted-by":"crossref","unstructured":"Tuma K, Sion L, Scandariato R, et\u00a0al (2020) Automating the early detection of security design flaws. In: Proc. of the 23rd ACM\/IEEE Int. Conf. on Model Driven Eng. 
Languages and Systems, p 332\u2013342","DOI":"10.1145\/3365438.3410954"},{"key":"10321_CR84","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2021.111003","volume":"179","author":"K Tuma","year":"2021","unstructured":"Tuma K, Sandberg C, Thorsson U et al (2021) Finding security threats that matter: Two industrial case studies. J Syst Soft 179:111003","journal-title":"J Syst Soft"},{"issue":"2","key":"10321_CR85","doi-asserted-by":"publisher","first-page":"155","DOI":"10.1016\/S0963-8687(00)00045-7","volume":"9","author":"MM Wasko","year":"2000","unstructured":"Wasko MM, Faraj S (2000) \u201cIt is what one does\": why people participate and help others in electronic communities of practice. J Strat Inf Syst 9(2):155\u2013173","journal-title":"J Strat Inf Syst"},{"key":"10321_CR86","doi-asserted-by":"publisher","first-page":"122","DOI":"10.1016\/j.jss.2014.05.075","volume":"96","author":"K Wuyts","year":"2014","unstructured":"Wuyts K, Scandariato R, Joosen W (2014) Empirical evaluation of a privacy-focused threat modeling methodology. J Syst Soft 96:122\u2013138","journal-title":"J Syst Soft"},{"key":"10321_CR87","volume-title":"Qualitative Research from Start to Finish","author":"RK Yin","year":"2010","unstructured":"Yin RK (2010) Qualitative Research from Start to Finish. Guilford Press, New York"},{"key":"10321_CR88","doi-asserted-by":"crossref","unstructured":"Yskout K, Scandariato R, Joosen W (2015) Do security patterns really help designers? In: Proc. of the 37th Int. Conf. on Software Eng., IEEE, p 292\u2013302","DOI":"10.1109\/ICSE.2015.49"},{"issue":"5","key":"10321_CR89","doi-asserted-by":"publisher","first-page":"1213","DOI":"10.1109\/TSE.2011.79","volume":"38","author":"C Zhang","year":"2012","unstructured":"Zhang C, Budgen D (2012) What do we know about the effectiveness of software design patterns? 
IEEE Trans Soft Eng 38(5):1213\u20131231","journal-title":"IEEE Trans Soft Eng"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-023-10321-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-023-10321-y\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-023-10321-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,9,27]],"date-time":"2023-09-27T09:18:35Z","timestamp":1695806315000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-023-10321-y"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5,25]]},"references-count":89,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2023,7]]}},"alternative-id":["10321"],"URL":"https:\/\/doi.org\/10.1007\/s10664-023-10321-y","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,5,25]]},"assertion":[{"value":"15 March 2023","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"25 May 2023","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflicts of interest"}}],"article-number":"90"}}