Graphical vs. Tabular Notations for Risk Models: On the Role of Textual Labels and Complexity

Labunets, Katsiaryna; Massacci, Fabio; Tedeschi, Alessandra

doi:10.1109/esem.2017.40

Cited by 5 publications

(13 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are few significant difference and some similarities between this study and our previous works [23,25] which we summarize in Table 1. The main contribution of this work is studying how well tabular and graphical risk modeling notations support memorization of information about security risks.…”

Section: Related Worksupporting

confidence: 66%

“…This study showed that supplementing a textual description of security decision problem with graphical representation improves risk perception and participants' confidence in decisions, but does not contribute to the comprehension of the problem or security investment decision. In our prior study [25] we also found that participants achieved better or equal comprehension of described risk scenarios with tabular and UML-based notations.…”

Section: Related Workmentioning

confidence: 66%

“…The last one contains empirical studies comparing graphical and textual representations for, e.g., business processes [36], software architectures [17], safety and system requirements [9, 42, 44ś46]. Recently, there were published a few empirical studies examining representations for security risks [15,19,25,50] or comparing graphical and tabular methods for security risk assessment in full scale application [22,24,27,30].…”

Section: Related Workmentioning

confidence: 99%

“…We introduced the memorization task and added UML-like risk modeling notation that combines textual labels with graphical representation. Labunets et al [25] (ESEM'17)…”

Section: Experimental Designmentioning

confidence: 99%

“…Previous studies with students and professionals showed that tabular notation supports better extraction of correct information about security risk over the iconic graphical notation [23,25]. However, those finding might not give a full picture and have some limitations of construct validity: the comprehension task could potentially be biased in favor of tabular notations and did not reveal comprehensibility potential of graphical representation.…”

Section: Introductionmentioning

confidence: 97%

See 4 more Smart Citations

No search allowed

Labunets

2018

Proceedings of the 12th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement

Self Cite

View full text Add to dashboard Cite

Background] Industry relies on the use of tabular notations to document the risk assessment results, while academia encourages to use graphical notations. Previous studies revealed that tabular and graphical notations with textual labels provide better support for extracting correct information about security risks in comparison to iconic graphical notation.[Aim] In this study we examine how well tabular and graphical risk modeling notations support extraction and memorization of information about risks when models cannot be searched. [Method] We present results of two experiments with 60 MSc and 31 BSc students where we compared their performance in extraction and memorization of security risk models in tabular, UML-style and iconic graphical modeling notations.[Result] Once search is restricted, tabular notation demonstrates results similar to the iconic graphical notation in information extraction. In memorization task tabular and graphical notations showed equivalent results, but it is statistically significant only between two graphical notations.[Conclusion] Three notations provide similar support to decision-makers when they need to extract and remember correct information about security risks.

show abstract

Section: Related Worksupporting

confidence: 66%

Section: Related Workmentioning

confidence: 66%

Section: Related Workmentioning

confidence: 99%

“…We introduced the memorization task and added UML-like risk modeling notation that combines textual labels with graphical representation. Labunets et al [25] (ESEM'17)…”

Section: Experimental Designmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 97%

See 3 more Smart Citations

No search allowed

Labunets

2018

Proceedings of the 12th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement

Self Cite

View full text Add to dashboard Cite

show abstract

An Empirical Study on the Comprehensibility of Graphical Security Risk Models Based on Sequence Diagrams

Volden-Freberg

Erdogan

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We report on an empirical study in which we evaluate the comprehensibility of graphical versus textual risk annotations in threat models based on sequence diagrams. The experiment was carried out on two separate groups where each group solved tasks related to either graphical or textual annotations. We also examined the efficiency of using these two annotations in terms of the average time each group spent per task. Our study reports that threat models with textual risk annotations are equally comprehensible to corresponding threat models with graphical risk annotations. With respect to efficiency, however, we found out that participants solving tasks related to the graphical annotations spent on average 23% less time per task.

show abstract

A new, evidence-based, theory for knowledge reuse in security risk analysis

et al. 2023

View full text Add to dashboard Cite

Security risk analysis (SRA) is a key activity in software engineering but requires heavy manual effort. Community knowledge in the form of security patterns or security catalogs can be used to support the identification of threats and security controls. However, no evidence-based theory exists about the effectiveness of security catalogs when used for security risk analysis. We adopt a grounded theory approach to propose a conceptual, revised and refined theory of SRA knowledge reuse. The theory refinement is backed by evidence gathered from conducting interviews with experts (20) and controlled experiments with both experts (15) and novice analysts (18). We conclude the paper by providing insights into the use of catalogs and managerial implications.

show abstract

Graphical vs. Tabular Notations for Risk Models: On the Role of Textual Labels and Complexity

Cited by 5 publications

References 33 publications

No search allowed

No search allowed

An Empirical Study on the Comprehensibility of Graphical Security Risk Models Based on Sequence Diagrams

A new, evidence-based, theory for knowledge reuse in security risk analysis

Contact Info

Product

Resources

About