Model comprehension for security risk assessment: an empirical comparison of tabular vs. graphical representations
Author: | Katsiaryna Labunets, Federica Paci, Flávio Moreira de Oliveira, Sabrina Marczak, Fabio Massacci |
---|---|
Year of publication: | 2017 |
Subject: | Empirical study; controlled experiment; empirical comparison; empirical research; computer science; vulnerability; cognitive fit theory; context (language use); 02 engineering and technology; body of knowledge; comprehensibility; comprehension; simple (abstract algebra); 0202 electrical engineering, electronic engineering, information engineering; representation (mathematics); security risk assessment; risk assessment; risk modeling; security controls; information retrieval; requirements engineering; information technology; 020207 software engineering; 020201 artificial intelligence & image processing; data mining; artificial intelligence; software; natural language processing |
Source: | ICSE |
ISSN: | 1573-7616 1382-3256 |
DOI: | 10.1007/s10664-017-9502-8 |
Description: | Context: Tabular and graphical representations are both used to communicate security risk assessments for IT systems. However, there is no consensus on which type of representation better supports the comprehension of risks, such as the relationships between threats, vulnerabilities and security controls. Vessey's cognitive fit theory predicts that graphs should be better because they capture spatial relationships. Method: We report the results of two studies performed in two countries, with 69 and 83 participants respectively, in which we assessed the effectiveness of tabular and graphical representations for extracting correct information about security risks. Results: Participants who applied tabular risk models gave more precise and complete answers to the comprehension questions when asked to find both simple and complex information about threats, vulnerabilities, or other elements of the risk models. Conclusions: Our findings can be explained by Vessey's cognitive fit theory, as tabular models implicitly capture elementary linear spatial relationships. Interest for ICSE: It is almost taken for granted in Software Engineering that graphical, diagram-based models are "the" way to go (e.g., the SE Body of Knowledge [3]). This paper provides experiment-based evidence that this may not always be the case. It should prompt an interesting debate that may ripple to traditional requirements and design notations outside security. |
Database: | OpenAIRE |
External link: |