On the equivalence between graphical and tabular representations for security risk assessment

K. Labunets, F. Massacci, F. Paci

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

© Springer International Publishing AG 2017.

Context: Many security risk assessment methods are proposed both in academia (typically with a graphical notation) and in industry (typically with a tabular notation).

Question: We compare methods based on those two notations with respect to their actual and perceived efficacy when both groups are equipped with a domain-specific security catalogue (as typically available in industry risk assessments).

Results: Two controlled experiments with MSc students in computer science show that tabular and graphical methods are (statistically) equivalent in the quality of identified threats and security controls. In the first experiment the perceived efficacy of the tabular method was slightly better than that of the graphical one; in the second experiment the two methods were perceived as equivalent.

Contribution: A graphical notation does not by itself warrant better (security) requirements elicitation than a tabular notation in terms of the quality of the requirements actually identified.
Original language: English
Title of host publication: Requirements Engineering: Foundation for Software Quality - 23rd International Working Conference, REFSQ 2017, Proceedings
Editors: A. Perini, P. Grünbacher
Publisher: Springer Verlag
Pages: 191-208
ISBN (Print): 9783319540443
DOIs
Publication status: Published - 2017
Externally published: Yes
Event: 23rd International Working Conference on Requirements Engineering – Foundation for Software Quality, REFSQ 2017 - Essen, Germany
Duration: 27 Feb 2017 - 2 Mar 2017

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 23rd International Working Conference on Requirements Engineering – Foundation for Software Quality, REFSQ 2017
Country/Territory: Germany
City: Essen
Period: 27/02/17 - 2/03/17

Funding

This work has been partly supported by the SESAR JU WPE under contract 12-120610-C12 (EMFASE).

Funder: SESAR JU WPE
Funder number: 12-120610-C12
