{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,2]],"date-time":"2026-06-02T22:10:57Z","timestamp":1780438257319,"version":"3.54.1"},"reference-count":23,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2021,9,14]],"date-time":"2021-09-14T00:00:00Z","timestamp":1631577600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,9,14]],"date-time":"2021-09-14T00:00:00Z","timestamp":1631577600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100003246","name":"Nederlandse Organisatie voor Wetenschappelijk Onderzoek","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100003246","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2022,6]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Security is a top concern in digital infrastructure and there is a basic need to assess the level of security ensured for any given application. To accommodate this requirement, we propose a new risk assessment system. Our system identifies threats of an application workflow, computes the severity weights with the modified Microsoft STRIDE\/DREAD model and estimates the final risk exposure after applying security countermeasures in the available digital infrastructures. This allows potential customers to rank these infrastructures in terms of security for their own specific use cases. We additionally present a method to validate the stability and resolution of our ranking system with respect to subjective choices of the DREAD model threat rating parameters. Our results show that our system is stable against unavoidable subjective choices of the DREAD model parameters for a specific use case, with a rank correlation higher than 0.93 and normalised mean square error lower than 0.05.<\/jats:p>","DOI":"10.1007\/s10207-021-00566-3","type":"journal-article","created":{"date-parts":[[2021,9,14]],"date-time":"2021-09-14T12:11:27Z","timestamp":1631621487000},"page":"509-525","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":20,"title":["A risk-level assessment system based on the STRIDE\/DREAD model for digital data marketplaces"],"prefix":"10.1007","volume":"21","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8039-1800","authenticated-orcid":false,"given":"Lu","family":"Zhang","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Arie","family":"Taal","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Reginald","family":"Cushing","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Cees","family":"de Laat","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Paola","family":"Grosso","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2021,9,14]]},"reference":[{"key":"566_CR1","doi-asserted-by":"crossref","unstructured":"Sagiroglu, S., Sinanc, D.: Big data: a review. In: 2013 International Conference on Collaboration Technologies and Systems (CTS), pp. 42\u201347. IEEE (2013)","DOI":"10.1109\/CTS.2013.6567202"},{"key":"566_CR2","doi-asserted-by":"publisher","first-page":"102689","DOI":"10.1109\/ACCESS.2019.2931762","volume":"7","author":"L Zhang","year":"2019","unstructured":"Zhang, L., Cushing, R., Gommans, L., De Laat, C., Grosso, P.: Modeling of collaboration archetypes in digital market places. IEEE Access 7, 102689\u2013102700 (2019)","journal-title":"IEEE Access"},{"key":"566_CR3","doi-asserted-by":"crossref","unstructured":"Luna, J., Ghani, H., Vateva, T., Suri, N.: Quantitative assessment of cloud security level agreements: a case study. In: Proc. of Security and Cryptography, pp. 64\u201373 (2012)","DOI":"10.5220\/0004019900640073"},{"key":"566_CR4","doi-asserted-by":"publisher","first-page":"380","DOI":"10.1016\/j.procs.2015.03.165","volume":"45","author":"R Shaikh","year":"2015","unstructured":"Shaikh, R., Sasikumar, M.: Trust model for measuring security strength of cloud computing service. Procedia Comput. Sci. 45, 380\u2013389 (2015)","journal-title":"Procedia Comput. Sci."},{"key":"566_CR5","doi-asserted-by":"crossref","unstructured":"Sen, A., Madria, S.: Off-line risk assessment of cloud service provider. In: 2014 IEEE World Congress on Services, pp. 58\u201365. IEEE (2014)","DOI":"10.1109\/SERVICES.2014.20"},{"key":"566_CR6","doi-asserted-by":"crossref","unstructured":"Shivraj, V., Rajan, M., Balamuralidhar, P.: A graph theory based generic risk assessment framework for internet of things (IoT). In: 2017 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), pp. 1\u20136. IEEE (2017)","DOI":"10.1109\/ANTS.2017.8384121"},{"key":"566_CR7","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1016\/j.comcom.2018.07.024","volume":"129","author":"S Sicari","year":"2018","unstructured":"Sicari, S., Rizzardi, A., Miorandi, D., Coen-Porisini, A.: A risk assessment methodology for the Internet of Things. Comput. Commun. 129, 67\u201379 (2018)","journal-title":"Comput. Commun."},{"key":"566_CR8","doi-asserted-by":"crossref","unstructured":"Anand, P., Ryoo, J., Kim, H., Kim, E.: Threat assessment in the cloud environment: a quantitative approach for security pattern selection. In: Proceedings of the 10th International Conference on Ubiquitous Information Management and Communication, pp. 1\u20138 (2016)","DOI":"10.1145\/2857546.2857552"},{"key":"566_CR9","unstructured":"Miscosoft: Microsoft security development lifecycle (SDL). https:\/\/www.microsoft.com\/en-us\/securityengineering\/sdl\/ (2020)"},{"issue":"15","key":"566_CR10","doi-asserted-by":"publisher","first-page":"2427","DOI":"10.1016\/0960-1686(93)90410-Z","volume":"27","author":"AA Poli","year":"1993","unstructured":"Poli, A.A., Cirillo, M.C.: On the use of the normalized mean square error in evaluating dispersion model performance. Atmos. Environ. A. Gen. Top. 27(15), 2427\u20132434 (1993)","journal-title":"Atmos. Environ. A. Gen. Top."},{"key":"566_CR11","doi-asserted-by":"crossref","unstructured":"Lindskog, F., McNeil, A., Schmock, U.: Kendall\u2019s tau for elliptical distributions. In: Credit Risk, pp. 149\u2013156. Springer, Berlin (2003)","DOI":"10.1007\/978-3-642-59365-9_8"},{"key":"566_CR12","doi-asserted-by":"crossref","unstructured":"Zhang, X., Wuwong, N., Li, H., Zhang, X.: Information security risk management framework for the cloud computing environments. In: 2010 10th IEEE International Conference on Computer and Information Technology, pp. 1328\u20131334. IEEE (2010)","DOI":"10.1109\/CIT.2010.501"},{"key":"566_CR13","unstructured":"Disterer, G.: ISO\/IEC 27000, 27001 and 27002 for information security management"},{"issue":"1","key":"566_CR14","doi-asserted-by":"publisher","first-page":"tyaa005","DOI":"10.1093\/cybsec\/tyaa005","volume":"6","author":"LA Gordon","year":"2020","unstructured":"Gordon, L.A., Loeb, M.P., Zhou, L.: Integrating cost\u2013benefit analysis into the NIST Cybersecurity Framework via the Gordon\u2013Loeb Model. J. Cybersecur. 6(1), tyaa005 (2020)","journal-title":"J. Cybersecur."},{"key":"566_CR15","doi-asserted-by":"crossref","unstructured":"Alberts, C., Dorofee, A., Stevens, J., Woody, C.: Introduction to the OCTAVE Approach. Carnegie-Mellon Univ Pittsburgh Pa Software Engineering Inst, Tech. Rep (2003)","DOI":"10.21236\/ADA634134"},{"issue":"1","key":"566_CR16","doi-asserted-by":"publisher","first-page":"101","DOI":"10.1007\/s10550-007-0013-9","volume":"25","author":"F Den Braber","year":"2007","unstructured":"Den Braber, F., Hogganvik, I., Lund, M.S., St\u00f8len, K., Vraalsen, F.: Model-based security analysis in seven steps-a guided tour to the CORAS method. BT Technol. J. 25(1), 101\u2013117 (2007)","journal-title":"BT Technol. J."},{"issue":"4","key":"566_CR17","doi-asserted-by":"publisher","first-page":"27","DOI":"10.3390\/computers5040027","volume":"5","author":"D Seifert","year":"2016","unstructured":"Seifert, D., Reza, H.: A security analysis of cyber-physical systems architecture for healthcare. Computers 5(4), 27 (2016)","journal-title":"Computers"},{"key":"566_CR18","doi-asserted-by":"crossref","unstructured":"Cagnazzo, M., Hertlein, M., Holz, T., Pohlmann, N.: Threat modeling for mobile health systems. In: IEEE Wireless Communications and Networking Conference Workshops (WCNCW), pp. 314\u2013319. IEEE (2018)","DOI":"10.1109\/WCNCW.2018.8369033"},{"issue":"2","key":"566_CR19","doi-asserted-by":"publisher","first-page":"419","DOI":"10.1007\/s11948-017-9992-1","volume":"25","author":"B Lundgren","year":"2019","unstructured":"Lundgren, B., M\u00f6ller, N.: Defining information security. Sci. Eng. Ethics 25(2), 419\u2013441 (2019)","journal-title":"Sci. Eng. Ethics"},{"key":"566_CR20","doi-asserted-by":"crossref","unstructured":"Gao, X., Gu, Z., Kayaalp, M., Pendarakis, D., Wang, H.: ContainerLeaks: emerging security threats of information leakages in container clouds. In: 2017 47th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 237\u2013248. IEEE (2017)","DOI":"10.1109\/DSN.2017.49"},{"key":"566_CR21","unstructured":"STRIDE\/DREAD, The DREAD approach to threat assessment. https:\/\/docs.microsoft.com\/en-us\/windows-hardware\/drivers\/driversecurity\/threat-modeling-for-drivers (2020)"},{"key":"566_CR22","unstructured":"CAPEC: Common Attack Pattern Enumeration and Classification. https:\/\/capec.mitre.org\/ (2020)"},{"key":"566_CR23","unstructured":"DL4LD: Data Logistics for Logistic Data. https:\/\/www.dl4ld.nl (2020)"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-021-00566-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-021-00566-3\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-021-00566-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,9,8]],"date-time":"2024-09-08T09:48:12Z","timestamp":1725788892000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-021-00566-3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,9,14]]},"references-count":23,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2022,6]]}},"alternative-id":["566"],"URL":"https:\/\/doi.org\/10.1007\/s10207-021-00566-3","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,9,14]]},"assertion":[{"value":"14 September 2021","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"This article does not contain any studies with animals performed by any of the authors. This article does not contain any studies with human participants or animals performed by any of the authors.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}}]}}