On the equivalence between graphical and tabular representations for security risk assessment
[Context] Many security risk assessment methods are proposed both in academia (typically with a graphical notation) and industry (typically with a tabular notation).
[Question] We compare methods based on those two notations with respect to their actual and perceived efficacy when both groups are equipped with a domain-specific security catalogue (as typically available in industry risk assessments).
[Results] Two controlled experiments with MSc students in computer science show that tabular and graphical methods are (statistically) equivalent in quality of identified threats and security controls. In the first experiment the perceived efficacy of the tabular method was slightly better than the graphical one, and in the second experiment the two methods were perceived as equivalent.
[Contribution] A graphical notation does not warrant by itself better (security) requirements elicitation than a tabular notation in terms of the quality of actually identified requirements.
Labunets, Katsyarina, Massacci, Fabio and Paci, Federica (2017). On the equivalence between graphical and tabular representations for security risk assessment. In: Grünbacher, Paul and Perini, Anna (eds.), Requirements Engineering: Foundation for Software Quality: 23rd International Working Conference, REFSQ 2017, Essen, Germany, February 27 – March 2, 2017, Proceedings. Lecture Notes in Computer Science, vol. 10153, Springer, pp. 191-208. (doi:10.1007/978-3-319-54045-0_15)
Record type: Conference or Workshop Item (Paper)
Text: REFSQ17_paper_77.pdf (Accepted Manuscript)
More information
Submitted date: 7 December 2016
Accepted/In Press date: 12 December 2016
e-pub ahead of print date: 21 February 2017
Published date: 2017
Venue - Dates: 23rd International Working Conference on Requirements Engineering: Foundations of Software Quality, Essen, Germany, 2017-02-02 - 2017-02-03
Organisations: Electronic & Software Systems
Identifiers
Local EPrints ID: 405519
URI: http://eprints.soton.ac.uk/id/eprint/405519
PURE UUID: 555c6a60-456a-4341-9dff-d27cd1d2c18f
Catalogue record
Date deposited: 06 Feb 2017 14:13
Last modified: 15 Mar 2024 20:08
Contributors
Author: Katsyarina Labunets
Author: Fabio Massacci
Author: Federica Paci
Editor: Paul Grünbacher
Editor: Anna Perini