Reducing the Effort to Comprehend Risk Models: Text Labels Are Often Preferred Over Graphical Means

Grøndahl, Ida Hogganvik; Lund, Mass Soldal; Stølen, Ketil

doi:10.1111/j.1539-6924.2011.01636.x

Cited by 9 publications

(8 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Previous studies (Grøndahl et al 2011;Hogganvik and Stølen 2005;Massacci and Paci 2012) give us some confidence that the selected notations are the best ones available at present.…”

Section: Discussionmentioning

confidence: 84%

“…To the best of our knowledge, there are few similar studies that empirically investigated modeling notations for security risk (Hogganvik and Stølen 2005;Grøndahl et al 2011) or compared graphical and tabular security methods in full scale application experiments (Massacci and Paci 2012;Labunets et al 2013Labunets et al , 2014. Abrahao et al (2013) conducted a large scale study consisted of 5 controlled experiments with 112 participants with different levels of experience to evaluate the effectiveness of dynamic modeling in requirements comprehension.…”

Section: Related Workmentioning

confidence: 99%

“…Further, the study tested at once correctness and execution time and might be therefore suffer from construct validity. A more recent work (Grøndahl et al 2011) studied the effect of textual labels and graphical icons (size, color, shape of elements) on the comprehension of risk models. The study with 57 IT professionals and students revealed that the participants preferred mixed models that combines textual and graphical representation over the pure graphical representation.…”

Section: Empirical Studies Of Security and Safety Modeling Notationsmentioning

confidence: 99%

See 2 more Smart Citations

Graphical vs. Tabular Notations for Risk Models: On the Role of Textual Labels and Complexity

Labunets

Massacci

Tedeschi

2017

2017 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)

View full text Add to dashboard Cite

Abstract[Background] Security risk assessment methods in industry mostly use a tabular notation to represent the assessment results whilst academic works advocate graphical methods. Experiments with MSc students showed that the tabular notation is better than an iconic graphical notation for the comprehension of security risks.[Aim] We investigate whether the availability of textual labels and terse UML-style notation could improve comprehensibility. [Method] We report the results of an online comprehensibility experiment involving 61 professionals with an average of 9 years of working experience, in which we compared the ability to comprehend security risk assessments represented in tabular, UML-style with textual labels, and iconic graphical modeling notations.[Results] Tabular notation are still the most comprehensible notion in both recall and precision. However, the presence of textual labels does improve the precision and recall of participants over iconic graphical models.[Conclusion] Tabular representation better supports extraction of correct information of both simple and complex comprehensibility questions about security risks than the graphical notation but textual labels help.

show abstract

“…Previous studies (Grøndahl et al 2011;Hogganvik and Stølen 2005;Massacci and Paci 2012) give us some confidence that the selected notations are the best ones available at present.…”

Section: Discussionmentioning

confidence: 84%

Section: Related Workmentioning

confidence: 99%

Section: Empirical Studies Of Security and Safety Modeling Notationsmentioning

confidence: 99%

See 1 more Smart Citation

Graphical vs. Tabular Notations for Risk Models: On the Role of Textual Labels and Complexity

Labunets

Massacci

Tedeschi

2017

2017 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)

View full text Add to dashboard Cite

show abstract

“…Several empirical studies have compared graphical and textual representations for requirements (Sharafi et al 2013;Stålhane and Sindre 2008;Stålhane et al 2010;Stålhane and Sindre 2014), software architectures (Heijstek et al 2011), and business processes (Ottensooser et al 2012). Studies that focus on comparing textual and visual notations for security risk models are less frequent (Hogganvik and Stolen 2005;Grondahl et al 2011) or compared the effectiveness of tabular or graphical methodologies as whole (Massacci and Paci 2012;Labunets et al 2013Labunets et al , 2014b as opposed to the specific aspect of comprehensibility.…”

Section: Related Workmentioning

confidence: 99%

“…The only difference between the two type of risk models was the presence of graphical CORAS-specific icons. The second work, Grondahl et al (2011) investigated the effect of textual labels and graphical means (size, color, shape of elements) on the comprehension of risk models. The study involved 57 IT professionals and students and shows that some textual information in graphical models is preferred over purely graphical representation.…”

Section: Empirical Comparisons Of Security Modeling Notationsmentioning

confidence: 99%

Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations

et al. 2017

View full text Add to dashboard Cite

Tabular and graphical representations are used to communicate security risk assessments for IT systems. However, there is no consensus on which type of representation better supports the comprehension of risks (such as the relationships between threats, vulnerabilities and security controls). Cognitive fit theory predicts that spatial relationships should be better captured by graphs. In this paper we report the results of two studies performed in two countries with 69 and 83 participants respectively, in which we assessed the effectiveness of tabular and graphical representations with respect to extraction correct information about security risks. The experimental results show that tabular risk models are more effective than the graphical ones with respect to simple comprehension tasks and in some cases are more effective for complex comprehension tasks. We explain our findings by proposing a simple extension of Vessey's cognitive fit theory as some linear spatial relationships could be also captured by tabular models.

show abstract

Design Decisions in the Development of a Graphical Language for Risk-Driven Security Testing

Erdogan

Stølen

2017

Risk Assessment and Risk-Driven Quality Assurance

Self Cite

View full text Add to dashboard Cite

show abstract

Reducing the Effort to Comprehend Risk Models: Text Labels Are Often Preferred Over Graphical Means

Cited by 9 publications

References 32 publications

Graphical vs. Tabular Notations for Risk Models: On the Role of Textual Labels and Complexity

Graphical vs. Tabular Notations for Risk Models: On the Role of Textual Labels and Complexity

Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations

Design Decisions in the Development of a Graphical Language for Risk-Driven Security Testing

Contact Info

Product

Resources

About