An experimental comparison of two risk-based security methods

K. Labunets, F. Massacci, F. Paci, L.M.S. Tran

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

Abstract

A significant number of methods have been proposed to identify and analyze threats and security requirements, but there are few empirical evaluations that show these methods work in practice. This paper reports a controlled experiment conducted with 28 master students to compare two classes of risk-based methods, visual methods (CORAS) and textual methods (SREP). The aim of the experiment was to compare the effectiveness and perception of the two methods. The participants divided in groups solved four different tasks by applying the two methods using a randomized block design. The dependent variables were effectiveness of the methods measured as number of threats and security requirements identified, and perception of the methods measured through a post-task questionnaire based on the Technology Acceptance Model. The experiment was complemented with participants' interviews to determine which features of the methods influence their effectiveness. The main findings were that the visual method is more effective for identifying threats than the textual one, while the textual method is slightly more effective for eliciting security requirements. In addition, visual method overall perception and intention to use were higher than for the textual method. © 2013 IEEE.
Original languageEnglish
Title of host publicationProceedings - 2013 ACM / IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM 2013
Pages163-172
DOIs
Publication statusPublished - 2013
Externally publishedYes
Event2013 ACM / IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM 2013 - , United States
Duration: 10 Oct 201311 Oct 2013

Publication series

NameInternational Symposium on Empirical Software Engineering and Measurement
ISSN (Print)1949-3770
ISSN (Electronic)1949-3789

Conference

Conference2013 ACM / IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM 2013
Country/TerritoryUnited States
Period10/10/1311/10/13

Fingerprint

Dive into the research topics of 'An experimental comparison of two risk-based security methods'. Together they form a unique fingerprint.

Cite this