Context: Many security risk assessment methods are proposed both in academia (typically with a graphical notation) and industry (typically with a tabular notation). Question: We compare methods based on those two notations with respect to their actual and perceived efficacy when both groups are equipped with a domain-specific security catalogue (as typically available in industry risk assessments). Results: Two controlled experiments with MSc students in computer science show that tabular and graphical methods are (statistically) equivalent in quality of identified threats and security controls. In the first experiment the perceived efficacy of the tabular method was slightly better than that of the graphical one, and in the second experiment the two methods are perceived as equivalent. Contribution: A graphical notation does not by itself warrant better (security) requirements elicitation than a tabular notation in terms of the quality of actually identified requirements.

On the equivalence between graphical and tabular representations for security risk assessment / Labunets, K.; Massacci, F.; Paci, F. - PRINT. - 10153 LNCS (2017), pp. 191-208. (23rd International Working Conference on Requirements Engineering: Foundation for Software Quality, REFSQ 2017, Essen, Germany, 27 February 2017 through 2 March 2017) [10.1007/978-3-319-54045-0_15].

On the equivalence between graphical and tabular representations for security risk assessment

Labunets K.; Massacci F.; Paci F.
2017-01-01

2017
International Working Conference on Requirements Engineering: Foundation for Software Quality
Berlin
Springer
978-3-319-54044-3
Labunets, K.; Massacci, F.; Paci, F.
Files in this record:
Labunets.pdf
Access: archive managers only
Type: Publisher's version (publisher's layout)
Licence: All rights reserved
Size: 304.92 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11572/198520
Citations
  • PMC: ND
  • Scopus: 14
  • ISI: 13
  • OpenAlex: ND