Case Study Role Play for Risk Analysis Research and Training

Lisa Rajbhandari, Einar Arthur Snekkenes


Typically, a risk analysis may identify and document sensitive and confidential information regarding threats, vulnerabilities, assets and their valuation, etc. The intrusive nature of the risk analysis process makes it difficult for researchers (or students) to gain access to scenarios from operational organizations for evaluating (or training on) risk analysis methods. In order to resolve these issues, we propose Case Study Role Play (CSRP).We elaborate the use of CSRP in combination with the Conflicting Incentives Risk Analysis (CIRA) method to analyze privacy risks to an end-user from using the eGovernment service. This paper contributes by demonstrating how CSRP helps to establish a platform for doing risk management related research and training in a ‘reasonably’ realistic environment, where confidentiality, sensitivity issues, red tape and the need for permissions do not create roadblocks. Furthermore, CSRP ensures that the time and resources needed to set up the required environment is low and predictable.


  1. C. Alberts and A. Dorofee. Managing information security risks, The OCTAVE approach. Addison Wesley, 2002. ISBN 0-321-11886-3.
  2. AS/NZS 4360. Risk management. AS/NZS, 2004.
  3. A. Atzeni, C. Cameroni, S. Faily, J. Lyle, and I. Flechais. Here's Johnny: a Methodology for Developing Attacker Personas. ARES, pages 722-727, 2011.
  4. A. Chulef, S. Read, and D. Walsh. A Hierarchical Taxonomy of Human Goals. Motivation and Emotion, 25(3):191-232(42), September 2001.
  5. A. Cooper. The Inmates Are Running the Asylum. Macmillan Publishing Co., Inc., Indianapolis, IN, USA, 1999.
  6. ETSI TS 102 165-1 V4.2.3 (2011-03). Method and proforma for Threat, Risk, Vulnerability Analysis. ESTI, 2011.
  7. B. Flyvbjerg. Five Misunderstandings About Case-Study Research. Qualitative Inquiry, 12(2):219-245, 2006.
  8. J. Greenberg and D. E. Eskew. The role of role playing in organizational research. Journal of Management, 19(2):221-241, 1993.
  9. R. Gudjonsdottir. Personas and Scenarios in Use. PhD thesis, KTH, Human - Computer Interaction, MDI, 2010. QC20100629.
  10. ISACA. The Risk IT Framework, 2009.
  11. ISO 31000. Risk Management - Principles and Guidelines. ISO, 2009.
  12. ISO/IEC 27005. Information technology -Security techniques -Information security risk management, 1st edition, 2008.
  13. A. Kotulic and J. Clark. Why there aren't more information security research studies. Information & Management, 41(5):597-607, 2004.
  14. M. S. Lund, B. Solhaug, and K. Stølen. Model-Driven Risk Analysis: The CORAS Approach. Springer, Heidelberg, 2011.
  15. L. Nielsen. From user to character: an investigation into user-descriptions in scenarios. In Proceedings of the 4th conference on Designing interactive systems: processes, practices, methods, and techniques, DIS 7802, pages 99-104, New York, NY, USA, 2002. ACM.
  16. NIST. NIST SP 800-39, Managing Information Security Risk - Organization, Mission, and Information System View, 2011.
  17. NIST and U.S. Department of Commerce. NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments, September 2012.
  18. J. Pruitt and J. Grudin. Personas: practice and theory. DUX 2003, ACM Press, 2003.
  19. L. Rajbhandari and E. Snekkenes. Intended Actions: Risk Is Conflicting Incentives. In D. Gollmann and F. Freiling, editors, Information Security, volume 7483 of Lecture Notes in Computer Science, pages 370-386. Springer Berlin / Heidelberg, 2012.
  20. L. Rajbhandari and E. Snekkenes. Using the Conflicting Incentives Risk Analysis Method. In L. Janczewski, H. Wolf, and S. Shenoi, editors, 28th IFIP TC-11 International Information Security and Privacy Conference SEC. Springer, 2013. (accepted for publication).
  21. G. Stoneburner, A. Goguen, and A. Feringa. NIST SP 800-30, Risk Management Guide for Information Technology. NIST, July 2002.
  22. K. M. Yardley-Matwiejczuk. Role play: theory and practice. Sage Publications Limited, 1997.
  23. R. K. Yin. Case Study Research: Design and Methods, volume 5 of Applied Social Research Method Series. Sage, 4th edition, 2009.

Paper Citation

in Harvard Style

Rajbhandari L. and Arthur Snekkenes E. (2013). Case Study Role Play for Risk Analysis Research and Training . In Proceedings of the 10th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2013) ISBN 978-989-8565-64-8, pages 12-23. DOI: 10.5220/0004599500120023

in Bibtex Style

author={Lisa Rajbhandari and Einar Arthur Snekkenes},
title={Case Study Role Play for Risk Analysis Research and Training},
booktitle={Proceedings of the 10th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2013)},

in EndNote Style

JO - Proceedings of the 10th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2013)
TI - Case Study Role Play for Risk Analysis Research and Training
SN - 978-989-8565-64-8
AU - Rajbhandari L.
AU - Arthur Snekkenes E.
PY - 2013
SP - 12
EP - 23
DO - 10.5220/0004599500120023