TY - GEN
T1 - An experiment on comparing textual vs. visual industrial methods for security risk assessment
AU - Labunets, K.
AU - Paci, F.
AU - Massacci, F.
AU - Ruprai, R.
PY - 2014/9/3
Y1 - 2014/9/3
N2 - © 2014 IEEE.Many security risk assessment methods have been proposed both from academia and industry. However, little empirical evaluation has been done to investigate how these methods are effective in practice. In this paper we report a controlled experiment that we conducted to compare the effectiveness and participants' perception of visual versus textual methods for security risk assessment used in industry. As instances of the methods we selected CORAS, a method by SINTEF used to provide security risk assessment consulting services, and SecRAM, a method by EUROCONTROL used to conduct security risk assessment within air traffic management. The experiment involved 29 MSc students who applied both methods to an application scenario from Smart Grid domain. The dependent variables were effectiveness of the methods measured as number of specific threats and security controls identified, and perception of the methods measured through post-task questionnaires based on the Technology Acceptance Model. The experiment shows that while there is no difference in the actual effectiveness of the two methods, the visual method is better perceived by the participants.
AB - © 2014 IEEE.Many security risk assessment methods have been proposed both from academia and industry. However, little empirical evaluation has been done to investigate how these methods are effective in practice. In this paper we report a controlled experiment that we conducted to compare the effectiveness and participants' perception of visual versus textual methods for security risk assessment used in industry. As instances of the methods we selected CORAS, a method by SINTEF used to provide security risk assessment consulting services, and SecRAM, a method by EUROCONTROL used to conduct security risk assessment within air traffic management. The experiment involved 29 MSc students who applied both methods to an application scenario from Smart Grid domain. The dependent variables were effectiveness of the methods measured as number of specific threats and security controls identified, and perception of the methods measured through post-task questionnaires based on the Technology Acceptance Model. The experiment shows that while there is no difference in the actual effectiveness of the two methods, the visual method is better perceived by the participants.
UR - https://www.scopus.com/pages/publications/84928137931
UR - https://www.scopus.com/pages/publications/84928137931#tab=citedBy
U2 - 10.1109/EmpiRE.2014.6890113
DO - 10.1109/EmpiRE.2014.6890113
M3 - Conference contribution
SN - 9781479963379
T3 - 2014 IEEE 4th International Workshop on Empirical Requirements Engineering, EmpiRE 2014 - Proceedings
SP - 28
EP - 35
BT - 2014 IEEE 4th International Workshop on Empirical Requirements Engineering, EmpiRE 2014 - Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2014 IEEE 4th International Workshop on Empirical Requirements Engineering, EmpiRE 2014
Y2 - 25 August 2014
ER -