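@inproceedings{02325eaa1ee34e03899f7f1d7f23f987,
  author    = {Labunets, K. and Massacci, F. and Paci, F.},
  title     = {On the Equivalence between Graphical and Tabular Representations for Security Risk Assessment},
  booktitle = {Requirements Engineering: Foundation for Software Quality -- 23rd International Working Conference, {REFSQ} 2017, Proceedings},
  editor    = {Perini, A. and Gr{\"u}nbacher, P.},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  year      = {2017},
  pages     = {191--208},
  doi       = {10.1007/978-3-319-54045-0_15},
  isbn      = {9783319540443},
  language  = {English},
  abstract  = {Context: Many security risk assessment methods are proposed both in academia (typically with a graphical notation) and industry (typically with a tabular notation). Question: We compare methods based on those two notations with respect to their actual and perceived efficacy when both groups are equipped with a domain-specific security catalogue (as typically available in industry risk assessments). Results: Two controlled experiments with MSc students in computer science show that tabular and graphical methods are (statistically) equivalent in the quality of identified threats and security controls. In the first experiment the perceived efficacy of the tabular method was slightly better than that of the graphical one; in the second experiment the two methods were perceived as equivalent. Contribution: A graphical notation does not by itself warrant better (security) requirements elicitation than a tabular notation in terms of the quality of the requirements actually identified.},
  note      = {23rd International Working Conference on Requirements Engineering -- Foundation for Software Quality, {REFSQ} 2017; conference date: 27-02-2017 through 02-03-2017},
}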