
Risk Models Comprehension: An Empirical Comparison of Tabular vs. Graphical Representations

This page provides additional resources that enable replication of our work published in the Empirical Software Engineering journal and available at SSRN. See the main page for our work on empirical validation of security risk assessment methods and other experiments.

Goal

The goal of the experiment is to compare the effectiveness of tabular and graphical approaches for risk modeling in extracting information about security risks from the models. Additionally, we wanted to investigate whether the complexity of the comprehension task affects participants’ comprehension of risk models.

Context of the Experiment

Subjects

We conducted two studies. The first study in 2014 included three experiments in Italy and Brazil. The first experiment was conducted at the University of Trento as part of the Security Engineering course and involved 35 MSc students in Computer Science. The two replicated experiments were executed at the PUCRS University in Porto Alegre (Brazil) and involved, respectively, 13 MSc students enrolled in the Computer Science program and 27 BSc students attending the Information Systems course taught at the Computer Science department.

The second study in 2015 consisted of two experiments with students and practitioners in Italy. The first experiment was conducted in Cosenza at the Poste Italiane cyber-security lab (a large corporation) in September 2015. The participants were 52 MSc/MEng graduates attending a professional master course in Cybersecurity. The second experiment was conducted at the University of Trento in October 2015 as part of the Security Engineering course and involved 51 MSc students in Computer Science.

Application Scenarios

As application scenarios we used one proposed by IBM about the Healthcare Collaborative Network (HCN) and an Online Banking scenario developed by Poste Italiane, describing online banking services provided by Poste Italiane’s division through

Supplement Materials

Here are the materials that we distributed among participants depending on the treatment to which they were assigned:

2014

  • Tutorial on the risk modeling notations and application scenarios PDF.
  • HCN tabular risk model XLSX.
  • HCN graphical risk model PDF.

2015

  • Tutorial on the risk modeling notations and application scenarios PDF.
  • Online Banking scenario description PDF.
  • Online Banking tabular risk model PDF.
  • Online Banking graphical risk model PDF.
  • HCN scenario description PDF.
  • HCN tabular risk model PDF.
  • HCN graphical risk model PDF.
unitn-comprehensibility-exp-2015.txt · Last modified: 2021/01/29 10:58 (external edit)