{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,21]],"date-time":"2026-04-21T14:47:17Z","timestamp":1776782837646,"version":"3.51.2"},"publisher-location":"Cham","reference-count":30,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319161006","type":"print"},{"value":"9783319161013","type":"electronic"}],"license":[{"start":{"date-parts":[[2015,1,1]],"date-time":"2015-01-01T00:00:00Z","timestamp":1420070400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2015,1,1]],"date-time":"2015-01-01T00:00:00Z","timestamp":1420070400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015]]},"DOI":"10.1007\/978-3-319-16101-3_7","type":"book-chapter","created":{"date-parts":[[2015,3,13]],"date-time":"2015-03-13T06:52:36Z","timestamp":1426229556000},"page":"98-114","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":24,"title":["The Role of Catalogues of Threats and Security Controls in Security Risk Assessment: An Empirical Study with ATM Professionals"],"prefix":"10.1007","author":[{"given":"Martina","family":"de Gramatica","sequence":"first","affiliation":[]},{"given":"Katsiaryna","family":"Labunets","sequence":"additional","affiliation":[]},{"given":"Fabio","family":"Massacci","sequence":"additional","affiliation":[]},{"given":"Federica","family":"Paci","sequence":"additional","affiliation":[]},{"given":"Alessandra","family":"Tedeschi","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2015,3,14]]},"reference":[{"key":"7_CR1","unstructured":"Information System Audit and Control Association: COBIT 5: A Business Framework for the Governance and Management of Enterprise IT (2012)"},{"issue":"2","key":"7_CR2","doi-asserted-by":"publisher","first-page":"74","DOI":"10.1109\/MSP.2005.45","volume":"3","author":"S Barnum","year":"2005","unstructured":"Barnum, S., McGraw, G.: Knowledge for software security. IEEE Security & Privacy 3(2), 74\u201378 (2005)","journal-title":"IEEE Security & Privacy"},{"key":"7_CR3","unstructured":"BSI: IT-Grundschutz Catalogues (2005)"},{"key":"7_CR4","unstructured":"COBIT: Control Practices: Guidance to Achieve Control Objective for Successful IT Governance, 2nd edn. IT Governance Institute (2007)"},{"key":"7_CR5","doi-asserted-by":"crossref","unstructured":"Cysneiros, L.M.: Evaluating the effectiveness of using catalogues to elicit non-functional requirements. In: WER, pp. 107\u2013115 (2007)","DOI":"10.1007\/978-1-4615-0465-8_6"},{"key":"7_CR6","unstructured":"EATM: Threats, pre-controls and post-controls catalogues. European Organisation for the Safety of Air Navigation (2009)"},{"key":"7_CR7","unstructured":"ISO: Iso\/iec 27005: Information technology security techniques - information security risk management (2012)"},{"key":"7_CR8","unstructured":"ISO: IEC 27002: 2013 (EN) Information technology-Security techniques-Code of practice for information security controls Switzerland. ISO\/IEC (2013)"},{"key":"7_CR9","doi-asserted-by":"crossref","unstructured":"Jung, J., Hoefig, K., Domis, D., Jedlitschka, A., Hiller, M.: Experimental comparison of two safety analysis methods and its replication. In: 2013 ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement, pp. 223\u2013232. IEEE (2013)","DOI":"10.1109\/ESEM.2013.59"},{"key":"7_CR10","unstructured":"Juristo, N., Moreno, A.M.: Basics of software engineering experimentation. Springer Publishing Company, Incorporated (2010)"},{"issue":"3","key":"7_CR11","doi-asserted-by":"publisher","first-page":"294","DOI":"10.1016\/j.infsof.2013.10.004","volume":"56","author":"P Karpati","year":"2014","unstructured":"Karpati, P., Redda, Y., Opdahl, A.L., Sindre, G.: Comparing attack trees and misuse cases in an industrial setting. Inf. Soft. Technology 56(3), 294\u2013308 (2014)","journal-title":"Inf. Soft. Technology"},{"key":"7_CR12","doi-asserted-by":"crossref","unstructured":"Labunets, K., Massacci, F., Paci, F., Tran, L.M.: An experimental comparison of two risk-based security methods. In: Proc. of ESEM 2013, pp. 163\u2013172 (2013)","DOI":"10.1109\/ESEM.2013.29"},{"key":"7_CR13","doi-asserted-by":"crossref","unstructured":"Labunets, K., Paci, F., Massacci, F., Ruprai, R.: An experiment on comparing textual vs. visual industrial methods for security risk assessment. In: 2014 IEEE Fourth International Workshop on Empirical Requirements Engineering (EmpiRE), pp. 28\u201335. IEEE (2014)","DOI":"10.1109\/EmpiRE.2014.6890113"},{"key":"7_CR14","doi-asserted-by":"crossref","unstructured":"Maiden, N., Robertson, S.: Integrating creativity into requirements processes: experiences with an air traffic management system. In: Proceedings of the 13th IEEE International Conference on Requirements Engineering, pp. 105\u2013114. IEEE (2005)","DOI":"10.1109\/RE.2005.34"},{"key":"7_CR15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"368","DOI":"10.1007\/978-3-540-25975-6_27","volume-title":"Advanced Information Systems Engineering","author":"NAM Maiden","year":"2004","unstructured":"Maiden, N.A.M., Jones, S.V., Manning, S., Greenwood, J., Renou, L.: Model-driven requirements engineering: synchronising models in an air traffic management case study. In: Persson, A., Stirna, J. (eds.) CAiSE 2004. LNCS, vol. 3084, pp. 368\u2013383. Springer, Heidelberg (2004)"},{"key":"7_CR16","doi-asserted-by":"crossref","unstructured":"Massacci, F., Paci, F., Tran, L.M.S., Tedeschi, A.: Assessing a requirements evolution approach: Empirical studies in the air traffic management domain. Journal of Systems and Software (2013)","DOI":"10.1109\/EmpiRE.2012.6347682"},{"key":"7_CR17","doi-asserted-by":"crossref","unstructured":"Mavin, A., Maiden, N.: Determining socio-technical systems requirements: experiences with generating and walking through scenarios. In: Proceedings of the 11th IEEE International on Requirements Engineering Conference, pp. 213\u2013222. IEEE (2003)","DOI":"10.1109\/ICRE.2003.1232752"},{"issue":"2","key":"7_CR18","doi-asserted-by":"publisher","first-page":"139","DOI":"10.1080\/00220973.2012.699904","volume":"81","author":"JP Meyer","year":"2013","unstructured":"Meyer, J.P., Seaman, M.A.: A comparison of the exact kruskal-wallis distribution to asymptotic approximations for all sample sizes up to 105. The Journal of Experimental Education 81(2), 139\u2013156 (2013)","journal-title":"The Journal of Experimental Education"},{"key":"7_CR19","unstructured":"Moody, D.L.: The method evaluation model: a theoretical model for validating information systems design methods. In: Proceedings of the 11th European Conference of Information Systems (ECIS), pp. 1327\u20131336 (2003)"},{"key":"7_CR20","unstructured":"NIST: SP. 800\u201353. Recommended Security Controls for Federal Information Systems, 800-53 (2013)"},{"issue":"5","key":"7_CR21","doi-asserted-by":"publisher","first-page":"916","DOI":"10.1016\/j.infsof.2008.05.013","volume":"51","author":"AL Opdahl","year":"2009","unstructured":"Opdahl, A.L., Sindre, G.: Experimental comparison of attack trees and misuse cases for security threat identification. Inf. Soft. Technology 51(5), 916\u2013932 (2009)","journal-title":"Inf. Soft. Technology"},{"key":"7_CR22","unstructured":"OWASP: The Ten Most Critical Web Application Security Risks 2013. The Open Web Application Security Project (2013)"},{"key":"7_CR23","unstructured":"PCI DSS: Payment Card Industry Data Security Standards. http:\/\/www.pcisecuritystandards.org"},{"key":"7_CR24","unstructured":"Scandariato, R., Wuyts, K., Joosen, W.: A descriptive study of microsoft\u2019s threat modeling technique. REJ, pp. 1\u201318 (2014)"},{"key":"7_CR25","unstructured":"SESAR: ATM Security Risk Assessment Methodology. SESAR WP16.02.03: ATM Security, February 2003"},{"key":"7_CR26","unstructured":"SESAR: Single Remote Tower Technical Specification Remotely Operated Tower Multiple Controlled Airports with Integrated Working Position - project P12.04.07 (2012)"},{"key":"7_CR27","unstructured":"SESAR: OSED for Remote Provision of ATS to Aerodromes - project P06.09.03 (2013)"},{"key":"7_CR28","doi-asserted-by":"crossref","unstructured":"Stoneburner, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems. NIST special publication, 800-30 (2002)","DOI":"10.6028\/NIST.SP.800-30"},{"key":"7_CR29","unstructured":"Strauss, A., Corbin, J.M.: Basics of qualitative research: Grounded theory procedures and techniques. Sage Publications, Inc (1990)"},{"key":"7_CR30","doi-asserted-by":"crossref","unstructured":"Wohlin, C., Runeson, P., H\u00f6st, M., Ohlsson, M.C., Regnell, B., Wessl\u00e9n, A.: Experimentation in software engineering. Springer (2012)","DOI":"10.1007\/978-3-642-29044-2"}],"container-title":["Lecture Notes in Computer Science","Requirements Engineering: Foundation for Software Quality"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-16101-3_7","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,5,20]],"date-time":"2025-05-20T23:19:29Z","timestamp":1747783169000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-319-16101-3_7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015]]},"ISBN":["9783319161006","9783319161013"],"references-count":30,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-16101-3_7","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015]]},"assertion":[{"value":"14 March 2015","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}}]}}