Empirical study on risk analysis in security testing

Testing is the process of detecting errors present in a system with the given sample input. Risk is the vulnerability associated with the system and the type of testing which uncovers it is called security testing. Risk analysis is the process of determining the level of risk with the available information. Risk-based testing comprises of risk analysis, which is a part of model based testing and involves risk assessment. Risk analysis and security testing can be combined in two ways namely: Risk-driven Security Testing (RST) and Test-driven Security Risk (TSR) analysis. In RST, security testing is supported by risk analysis to make it more effective. The testing is focused on the most important parts of the system which is identified by the risk analysis results. In TSR, security testing develops or validates risk analysis. TSR focuses to strengthen the correctness of risk analysis models. The gap between high-level security risk analysis models and low-level security test cases can be easily addressed by both TSR and RST approaches.