On the Equivalence Between Graphical and Tabular Representations for Security Risk Assessment

Labunets, Katsiaryna; Massacci, Fabio; Paci, Federica

doi:10.1007/978-3-319-54045-0_15

Cited by 15 publications

(6 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In their original study, Labunets et al [20], compared two risk assessment methods, a visual and a textual method and reported that the visual method was more effective for identifying threats than the textual one. The same study was replicated in [19], applying similar procedures. In contrast to the original study, the replication reported that the two methods being investigated were (statistically) equivalent with regards to the quality of identified threats and security controls.…”

Section: Related Workmentioning

confidence: 99%

Human Aspect of Threat Analysis: A Replication

Tuma¹,

Mbaka²

2022

Preprint

View full text Add to dashboard Cite

Background: Organizations are experiencing an increasing demand for security-by-design activities (e.g., STRIDE analyses) which require a high manual effort. This situation is worsened by the current lack of diverse (and sufficient) security workforce and inconclusive results from past studies. To date, the deciding human factors (e.g., diversity dimensions) that play a role in threat analysis have not been sufficiently explored.Objective: To address this issue, we plan to conduct a series of exploratory controlled experiments. The main objective is to empirically measure the human-aspects that play a role in threat analysis alongside the more well-known measures of analysis performance. Method: We design the experiments as a differentiated replication of past experiments with STRIDE. The replication design is aimed at capturing some similar measures (e.g., of outcome quality) and additional measures (e.g., diversity dimensions). We plan to conduct the experiments in an academic setting. Limitations: Obtaining a balanced population (e.g., wrt gender) in advanced computer science courses is not realistic. The experiments we plan to conduct with MSc level students will certainly suffer this limitation.

show abstract

Section: Related Workmentioning

confidence: 99%

Human Aspect of Threat Analysis: A Replication

Tuma¹,

Mbaka²

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Labunets et al [25] conducted a controlled experiment that was replicated in [24] using student participants to compare two risk assessment methods, a visual method (CORAS) and a textual method (SREP). The first study found that the visual method was more effective for identifying threats than the textual one.…”

Section: Replicationsmentioning

confidence: 99%

A replication of a controlled experiment with two STRIDE variants

Mbaka¹,

Tuma²

2022

Preprint

View full text Add to dashboard Cite

To avoid costly security patching after software deployment, securityby-design techniques (e.g., STRIDE threat analysis) are adopted in organizations to root out security issues before the system is ever implemented. Despite the global gap in cybersecurity workforce and the high manual effort required for performing threat analysis, organizations are ramping up threat analysis activities. However, past experimental results were inconclusive regarding some performance indicators of threat analysis techniques thus practitioners have little evidence for choosing the technique to adopt. To address this issue, we replicated a controlled experiment with STRIDE. Our study was aimed at measuring and comparing the performance indicators (productivity and precision) of two STRIDE variants (element and interaction). We conclude the paper by comparing our results to the original study. CCS CONCEPTS• Software and its engineering; • General and reference → Empirical studies;

show abstract

“…The last one contains empirical studies comparing graphical and textual representations for, e.g., business processes [36], software architectures [17], safety and system requirements [9, 42, 44ś46]. Recently, there were published a few empirical studies examining representations for security risks [15,19,25,50] or comparing graphical and tabular methods for security risk assessment in full scale application [22,24,27,30].…”

Section: Related Workmentioning

confidence: 99%

No search allowed

Labunets

2018

Proceedings of the 12th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement

Self Cite

View full text Add to dashboard Cite

Background] Industry relies on the use of tabular notations to document the risk assessment results, while academia encourages to use graphical notations. Previous studies revealed that tabular and graphical notations with textual labels provide better support for extracting correct information about security risks in comparison to iconic graphical notation.[Aim] In this study we examine how well tabular and graphical risk modeling notations support extraction and memorization of information about risks when models cannot be searched. [Method] We present results of two experiments with 60 MSc and 31 BSc students where we compared their performance in extraction and memorization of security risk models in tabular, UML-style and iconic graphical modeling notations.[Result] Once search is restricted, tabular notation demonstrates results similar to the iconic graphical notation in information extraction. In memorization task tabular and graphical notations showed equivalent results, but it is statistically significant only between two graphical notations.[Conclusion] Three notations provide similar support to decision-makers when they need to extract and remember correct information about security risks.

show abstract

On the Equivalence Between Graphical and Tabular Representations for Security Risk Assessment

Cited by 15 publications

References 29 publications

Human Aspect of Threat Analysis: A Replication

Human Aspect of Threat Analysis: A Replication

A replication of a controlled experiment with two STRIDE variants

No search allowed

Contact Info

Product

Resources

About