Tabular and graphical representations are used to communicate security risk assessments for IT systems. However, there is no consensus on which type of representation better supports the comprehension of risks (such as the relationships between threats, vulnerabilities and security controls). Cognitive fit theory predicts that spatial relationships should be better captured by graphs. In this paper we report the results of two studies performed in two countries with 69 and 83 participants respectively, in which we assessed the effectiveness of tabular and graphical representations with respect to extraction correct information about security risks. The experimental results show that tabular risk models are more effective than the graphical ones with respect to simple comprehension tasks and in some cases are more effective for complex comprehension tasks. We explain our findings by proposing a simple extension of Vessey's cognitive fit theory as some linear spatial relationships could be also captured by tabular models.

Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations / Labunets, Katsiaryna; Massacci, Fabio; Paci, F.; Marczak, S.; Moreira de Oliveira, F.. - In: EMPIRICAL SOFTWARE ENGINEERING. - ISSN 1382-3256. - STAMPA. - 2017, 22:6(2017), pp. 3017-3056. [10.1007/s10664-017-9502-8]

Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations

Labunets, Katsiaryna;Massacci, Fabio;
2017

Abstract

Tabular and graphical representations are used to communicate security risk assessments for IT systems. However, there is no consensus on which type of representation better supports the comprehension of risks (such as the relationships between threats, vulnerabilities and security controls). Cognitive fit theory predicts that spatial relationships should be better captured by graphs. In this paper we report the results of two studies performed in two countries with 69 and 83 participants respectively, in which we assessed the effectiveness of tabular and graphical representations with respect to extraction correct information about security risks. The experimental results show that tabular risk models are more effective than the graphical ones with respect to simple comprehension tasks and in some cases are more effective for complex comprehension tasks. We explain our findings by proposing a simple extension of Vessey's cognitive fit theory as some linear spatial relationships could be also captured by tabular models.
6
Labunets, Katsiaryna; Massacci, Fabio; Paci, F.; Marczak, S.; Moreira de Oliveira, F.
Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations / Labunets, Katsiaryna; Massacci, Fabio; Paci, F.; Marczak, S.; Moreira de Oliveira, F.. - In: EMPIRICAL SOFTWARE ENGINEERING. - ISSN 1382-3256. - STAMPA. - 2017, 22:6(2017), pp. 3017-3056. [10.1007/s10664-017-9502-8]
File in questo prodotto:
File Dimensione Formato  
SSRN-id2906745.pdf

embargo fino al 31/12/2018

Tipologia: Post-print referato (Refereed author’s manuscript)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 1.14 MB
Formato Adobe PDF
1.14 MB Adobe PDF Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: http://hdl.handle.net/11572/169302
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 14
  • ???jsp.display-item.citation.isi??? 8
social impact