TY - GEN
T1 - Graphical vs. Tabular Notations for Risk Models
T2 - 11th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM 2017
AU - Labunets, K.
AU - Massacci, F.
AU - Tedeschi, A.
PY - 2017/12/7
Y1 - 2017/12/7
N2 - © 2017 IEEE.[Background] Security risk assessment methods in industry mostly use a tabular notation to represent the assessment results whilst academic works advocate graphical methods. Experiments with MSc students showed that the tabular notation is better than an iconic graphical notation for the comprehension of security risks. [Aim] We investigate whether the availability of textual labels and terse UML-style notation could improve comprehensibility. [Method] We report the results of an online comprehensibility experiment involving 61 professionals with an average of 9 years of working experience, in which we compared the ability to comprehend security risk assessments represented in tabular, UML-style with textual labels, and iconic graphical modeling notations. [Results] Tabular notation are still the most comprehensible notion in both recall and precision. However, the presence of textual labels does improve the precision and recall of participants over iconic graphical models. [Conclusion] Tabular representation better supports extraction of correct information of both simple and complex comprehensibility questions about security risks than the graphical notation but textual labels help.
AB - © 2017 IEEE.[Background] Security risk assessment methods in industry mostly use a tabular notation to represent the assessment results whilst academic works advocate graphical methods. Experiments with MSc students showed that the tabular notation is better than an iconic graphical notation for the comprehension of security risks. [Aim] We investigate whether the availability of textual labels and terse UML-style notation could improve comprehensibility. [Method] We report the results of an online comprehensibility experiment involving 61 professionals with an average of 9 years of working experience, in which we compared the ability to comprehend security risk assessments represented in tabular, UML-style with textual labels, and iconic graphical modeling notations. [Results] Tabular notation are still the most comprehensible notion in both recall and precision. However, the presence of textual labels does improve the precision and recall of participants over iconic graphical models. [Conclusion] Tabular representation better supports extraction of correct information of both simple and complex comprehensibility questions about security risks than the graphical notation but textual labels help.
U2 - 10.1109/ESEM.2017.40
DO - 10.1109/ESEM.2017.40
M3 - Conference contribution
SN - 9781509040391
T3 - International Symposium on Empirical Software Engineering and Measurement
SP - 267
EP - 276
BT - Proceedings - 11th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM 2017
PB - IEEE Computer Society
Y2 - 9 November 2017 through 10 November 2017
ER -