User Tools
seceng-course-exp-2012
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
seceng-course-exp-2012 [2014/07/09 09:34] martina.degramatica@unitn.it [Results] |
seceng-course-exp-2012 [2021/01/29 10:58] (current) |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| An experiment by Katsyarina Labunets, Fabio Massacci, Federica Paci, Le Minh Sang Tran. | An experiment by Katsyarina Labunets, Fabio Massacci, Federica Paci, Le Minh Sang Tran. | ||
| - | This page provides additional resources that enable replication of our work published at {{:research_activities:experiments:2013-seceng:labunets-esem-2013-accepted.pdf|ESEM 2013}}. | + | This page provides additional resources that enable replication of our work published at {{:research_activities:experiments:2013-seceng:labunets-esem-2013-accepted.pdf|ESEM 2013}}. See the [[validation_of_risk_and_security_requirements_methodologies|main page]] for our work on empirical validation of security risk assessment methods and other experiments. |
| ===== Goals ===== | ===== Goals ===== | ||
| The goal of the experiment was to evaluate and compare two types of risk-driven methods, namely, visual methods (CORAS) and textual methods (SREP) with respect to their //effectiveness// in identifying threats and security requirements, and the //participants’ perception// of the two methods. | The goal of the experiment was to evaluate and compare two types of risk-driven methods, namely, visual methods (CORAS) and textual methods (SREP) with respect to their //effectiveness// in identifying threats and security requirements, and the //participants’ perception// of the two methods. | ||
| Line 36: | Line 36: | ||
| the visual one in identifying security requirements. | the visual one in identifying security requirements. | ||
| * //Methods' perception// | * //Methods' perception// | ||
| - | Participants’ //overall preference// is higher for visual than for textual method, while reagarding to the perceived easy of use and the usefulness no statistically significant difference is proven by the experiment. Moreover, in respect to the intention to use, the difference in participants’ perception is statistically significant in favour of the visual method. | + | Participants’ //overall preference// is higher for visual than for textual method, while regarding to the perceived ease of use and the usefulness no statistically significant difference is proven by the experiment. Moreover, in respect to the intention to use, the difference in participants’ perception is statistically significant in favour of the visual method. |
| * //Qualitative Explanation// | * //Qualitative Explanation// | ||
| The different number of threats and security requirements identified can be likely explained by the differences between the two methods indicated by the participants during the interviews. //Diagrams in visual method help brainstorming on the threats//, giving an overview of the possible threats, the threat scenarios and the assets, while the identification of threats in textual method is not facilitated by the use of tables as it is more difficult to link assets and threats. As suggested by the participants then, the identification of threats in textual method could be made easier if a catalog of common threats was available. | The different number of threats and security requirements identified can be likely explained by the differences between the two methods indicated by the participants during the interviews. //Diagrams in visual method help brainstorming on the threats//, giving an overview of the possible threats, the threat scenarios and the assets, while the identification of threats in textual method is not facilitated by the use of tables as it is more difficult to link assets and threats. As suggested by the participants then, the identification of threats in textual method could be made easier if a catalog of common threats was available. | ||
| Line 44: | Line 44: | ||
| * For privacy reasons, at the beginning of the experiment a {{:research_activities:experiments:2013-seceng:consent-form-security-engineering.docx|Consent Form}} was administered to participants. | * For privacy reasons, at the beginning of the experiment a {{:research_activities:experiments:2013-seceng:consent-form-security-engineering.docx|Consent Form}} was administered to participants. | ||
| * Participants' results have been assessed by methods and domain experts (see {{:research_activities:experiments:2013-seceng:evaluation_sheet.xlsx|Evaluation Score Sheet}}). | * Participants' results have been assessed by methods and domain experts (see {{:research_activities:experiments:2013-seceng:evaluation_sheet.xlsx|Evaluation Score Sheet}}). | ||
| + | * | ||
| + | |||
| + | |||
| + | **Data collected during the experiment are available upon request.** | ||
| | | ||
seceng-course-exp-2012.1404891285.txt.gz · Last modified: 2021/01/29 10:58 (external edit)
Page Tools
