The main research questions of the experiment are the following:

* RQ1: Does the use of a catalog of security requirements lead to identify more security requirements?

* RQ2 Is participants' perception of using a catalog of security requirements in security requirements elicitation better than not using it?

RQ1 concerns the effectiveness of security requirements elicitation. To answer the research question we will measure effectiveness by counting the number of security requirements identified by the participants. The data analysis for RQ1 will be done using the Mann-Whitney test. Only security requirements specific for the scenario analyzed by the participants will be considered for statistical analysis.

RQ2 is related to the participants' perception of using the catalog of security requirements in eliciting security requirements. Participants' perception will be measured through a post-task questionnaire inspired to the Technology Acceptance Model (TAM). The data analysis for RQ2 will be done using the Mann-Whitney test.

The null hypotheses coming from the research questions are the following:

H1_0 There will be no difference in the number of security requirements found with a catalog of security requirements and the one found without.

H2_0 There will be no difference in the participants' perception of eliciting security requirement with a catalog of security requirements and without.