University of Southampton Institutional Repository

On the equivalence between graphical and tabular representations for security risk assessment

[Context] Many security risk assessment methods have been proposed, both in academia (typically with a graphical notation) and in industry (typically with a tabular notation).

[Question] We compare methods based on these two notations with respect to their actual and perceived efficacy when both groups are equipped with a domain-specific security catalogue (as is typically available in industry risk assessments).

[Results] Two controlled experiments with MSc students in computer science show that tabular and graphical methods are (statistically) equivalent in the quality of the identified threats and security controls. In the first experiment the perceived efficacy of the tabular method was slightly better than that of the graphical one; in the second experiment the two methods were perceived as equivalent.

[Contribution] A graphical notation does not by itself warrant better (security) requirements elicitation than a tabular notation in terms of the quality of the requirements actually identified.
Labunets, Katsyarina
Massacci, Fabio
Paci, Federica
Grünbacher, Paul
Perini, Anna

Labunets, Katsyarina, Massacci, Fabio and Paci, Federica (2017) On the equivalence between graphical and tabular representations for security risk assessment. Grünbacher, Paul and Perini, Anna (eds.) In Requirements Engineering: Foundation for Software Quality: 23rd International Working Conference, REFSQ 2017, Essen, Germany, February 27 – March 2, 2017, Proceedings. vol. 10153, Springer. pp. 191-208.

Record type: Conference or Workshop Item (Paper)


Text REFSQ17_paper_77.pdf - Accepted Manuscript

More information

Submitted date: 7 December 2016
Accepted/In Press date: 12 December 2016
e-pub ahead of print date: 21 February 2017
Venue - Dates: 23rd International Working Conference on Requirements Engineering: Foundations of Software Quality, Germany, 2017-02-02 - 2017-02-03
Organisations: Electronic & Software Systems

Identifiers

Local EPrints ID: 405519
URI: https://eprints.soton.ac.uk/id/eprint/405519
PURE UUID: 555c6a60-456a-4341-9dff-d27cd1d2c18f

Catalogue record

Date deposited: 06 Feb 2017 14:13
Last modified: 09 Oct 2018 16:30

