Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations

Labunets, K., Massacci, F., Paci, F., Marczak, S. and de Oliveira, F.M., 2017. Model comprehension for security risk assessment: an empirical comparison of tabular vs. graphical representations. Empirical Software Engineering, pp.1-40.

48 Pages. Posted: 27 Jan 2017. Last revised: 23 Aug 2017.

Katsiaryna Labunets

Delft University of Technology

Fabio Massacci

DISI - University of Trento

Federica Paci

University of Southampton

Sabrina Marczak

Pontificia Universidade Catolica do Rio Grande do Sul (PUCRS)

Flávio Moreira de Oliveira

Pontificia Universidade Catolica do Rio Grande do Sul (PUCRS)

Date Written: January 27, 2017

Abstract

Tabular and graphical representations are used to communicate security risk assessments for IT systems. However, there is no consensus on which type of representation better supports the comprehension of risks (such as the relationships between threats, vulnerabilities and security controls). Cognitive fit theory predicts that spatial relationships should be better captured by graphs. In this paper we report the results of two studies performed in two countries with 69 and 83 participants respectively, in which we assessed the effectiveness of tabular and graphical representations with respect to extracting correct information about security risks. The experimental results show that tabular risk models are more effective than the graphical ones with respect to simple comprehension tasks and in some cases are more effective for complex comprehension tasks. We explain our findings by proposing a simple extension of Vessey's cognitive fit theory, as some linear spatial relationships can also be captured by tabular models.

Keywords: Empirical Study, Security Risk Assessment, Risk Modeling, Comprehensibility, Cognitive Fit

Suggested Citation

Labunets, Katsiaryna and Massacci, Fabio and Paci, Federica and Marczak, Sabrina and de Oliveira, Flávio Moreira, Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations (January 27, 2017). Empirical Software Engineering, 2017, pp. 1-40. Available at SSRN: https://ssrn.com/abstract=2906745 or http://dx.doi.org/10.2139/ssrn.2906745

Katsiaryna Labunets (Contact Author)

Delft University of Technology

P.O. Box 5015
2600 GB Delft
Netherlands

Fabio Massacci

DISI - University of Trento

Via Sommarive 9
Trento, Trento 38123
Italy

HOME PAGE: http://www.massacci.org

Federica Paci

University of Southampton

University Rd.
Southampton SO17 1BJ, Hampshire SO17 1LP
United Kingdom

Sabrina Marczak

Pontificia Universidade Catolica do Rio Grande do Sul (PUCRS)

Av. Ipiranga, 668
Porto Alegre, 90619-900
Brazil

Flávio Moreira De Oliveira

Pontificia Universidade Catolica do Rio Grande do Sul (PUCRS)

Av. Ipiranga, 668
Porto Alegre, 90619-900
Brazil
