This is an old revision of the document!
An experiment by Katsyarina Labunets, Fabio Massacci, Federica Paci, Le Minh Sang Tran.
This page provides additional resources that enable replication of our work published at ESEM 2013.
The goal of the experiment was to evaluate and compare two types of risk-driven methods, namely, visual methods (CORAS) and textual methods (SREP) with respect to their effectiveness in identifying threats and security requirements, and the participants’ perception of the two methods.
The experiment involved 28 participants: 16 students of the master in Computer Science and 12 students of the EIT ICT LAB master in Security and Privacy. They were divided into 16 groups using a randomized block design.
The participants applied the methods to a Smart Grid application scenario.
The experiment was conducted as part of the Security Engineering course. Here, you can find the summary of the Tasks to be accomplished in the experiment.
Results show that visual method is more effective in identifying threats than textual method. This is confirmed if we consider the number of threats identified with visual and textual methods across the task assigned to the groups. Instead, with respect to number of security requirements, textual method is slightly more effective than the visual one in identifying security requirements.