Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations
Context: Tabular and graphical representations are used to communicate security risk assessments for IT systems. However, there is no consensus on which type of representation better supports the comprehension of risks (such as the relationships between threats, vulnerabilities and security controls). Cognitive fit theory predicts that spatial relationships should be better captured by graphs.
Method: We report the results of two studies performed in two countries with 69 and 83 participants respectively, in which we assessed the effectiveness of tabular and graphical representations with respect to extraction of correct information about security risks.
Results: Tabular risk models are more effective than graphical ones with respect to simple comprehension tasks and often more effective also for complex comprehension tasks.
Conclusions: We explain our findings by proposing a simple extension of Vessey's cognitive fit theory, since some linear spatial relationships can also be captured by tabular models.
Interest for ICSE: It is almost taken for granted in Software Engineering that graphical, diagram-based models are "the" way to go (e.g. the SE Body of Knowledge). This paper provides experiment-based evidence that this might not always be the case. It should prompt an interesting debate that might ripple to traditional requirements and design notations outside security.
Attachment: Spoiler for the Talk (full deck after the actual talk): Massacci-ICSE2018-preview.pdf (1.14 MiB)
Session: Wed 30 May (times in time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna)

16:00 - 16:20: Secure Coding Practices in Java: Challenges and Vulnerabilities
16:20 - 16:40: EnMobile: Entity-based Characterization and Analysis of Mobile Malware
16:40 - 17:00: Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations (Journal first papers)
Authors: Katsiaryna Labunets, Fabio Massacci (University of Trento), Federica Paci, Sabrina Marczak, Flávio Moreira de Oliveira
17:00 - 17:20: Privacy by Designers: Software Developers' Privacy Mindset (Journal first papers)
17:20 - 17:30: Q&A in groups