University of Southampton Institutional Repository

An experimental comparison of two risk-based security methods


Labunets, Katsyarina, Massacci, Fabio, Paci, Federica and Tran, Le Minh Sang (2013) An experimental comparison of two risk-based security methods. 2013 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), Baltimore, United States. 10 - 11 Oct 2013. 10 pp. (doi:10.1109/ESEM.2013.29).

Record type: Conference or Workshop Item (Paper)

Abstract

A significant number of methods have been proposed to identify and analyze threats and security requirements, but there are few empirical evaluations that show these methods work in practice. This paper reports a controlled experiment conducted with 28 master students to compare two classes of risk-based methods, visual methods (CORAS) and textual methods (SREP). The aim of the experiment was to compare the effectiveness and perception of the two methods. The participants, divided into groups, solved four different tasks by applying the two methods using a randomized block design. The dependent variables were the effectiveness of the methods, measured as the number of threats and security requirements identified, and the perception of the methods, measured through a post-task questionnaire based on the Technology Acceptance Model. The experiment was complemented with participant interviews to determine which features of the methods influence their effectiveness. The main findings were that the visual method is more effective for identifying threats than the textual one, while the textual method is slightly more effective for eliciting security requirements. In addition, the visual method's overall perception and intention to use were higher than for the textual method.

Text
labunets-esem-2013.pdf - Version of Record
Restricted to Repository staff only

More information

e-pub ahead of print date: October 2013
Venue - Dates: 2013 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), Baltimore, United States, 2013-10-10 - 2013-10-11
Organisations: Electronic & Software Systems

Identifiers

Local EPrints ID: 403225
URI: http://eprints.soton.ac.uk/id/eprint/403225
PURE UUID: ac2eca8d-01f6-4059-836d-19cfe7b75b7e
ORCID for Federica Paci: orcid.org/0000-0003-3122-0236

Catalogue record

Date deposited: 02 Dec 2016 13:56
Last modified: 15 Mar 2024 03:38

Contributors

Author: Katsyarina Labunets
Author: Fabio Massacci
Author: Federica Paci
Author: Le Minh Sang Tran
