This page provides additional resources that enable replication of our experiment with professionals. See the main page for our work on empirical validation of security risk assessment methods and other experiments.

The goal of our study is to investigate the effect of task complexity and notation on the level of comprehension of information about security risks w.r.t. extracting information about security risks from the models

In January-February 2016 we conducted online experiment with 61 professionals with an average 9 years of working experience. The participants were recruited through the mailing lists.

As application scenarios we had Online Banking scenario developed by our industrial partner, a large Italian corporation offering integrated services in finance, logistics, and mobile communication with a turnaround of around 24 billion Euro. The scenario describes the online banking services provided by the company through a home banking portal, a mobile application and prepaid cards.

Here are the materials that our participants received depending on the assigned treatment:

• Tutorial on the tabular risk modeling notations and application scenario PDF.
• Tutorial on the UML risk modeling notations and application scenario PDF.
• Tutorial on the CORAS risk modeling notations and application scenario PDF.
• Online Banking tabular risk model XLSX.
• Online Banking UML risk model PDF.
• Online Banking CORAS risk model PDF.