This page provides additional resources that enable replication of our work published in the Empirical Software Engineering journal and available at SSRN. See the main page for our work on empirical validation of security risk assessment methods and other experiments.
The goal of the experiment is to compare the effectiveness of tabular and graphical approaches to risk modeling in extracting information about security risks from the models. Additionally, we wanted to investigate whether the complexity of the comprehension task affects participants’ comprehension of risk models.
We have conducted two studies. The first study in 2014 included three experiments in Italy and Brazil. The first experiment was conducted at the University of Trento as part of the Security Engineering course and involved 35 MSc students in Computer Science. The two replicated experiments were executed at the PUCRS University in Porto Alegre (Brazil) and involved, respectively, 13 MSc students enrolled in the Computer Science program and 27 BSc students attending the Information Systems course taught at the Computer Science department.
The second study in 2015 consisted of two experiments with students and practitioners in Italy. The first experiment was conducted in Cosenza at the cyber-security lab of Poste Italiane (a large corporation) in September 2015. The participants were 52 MSc/MEng graduates attending a professional master course in Cybersecurity. The second experiment was conducted at the University of Trento in October 2015 as part of the Security Engineering course and involved 51 MSc students in Computer Science.
As application scenarios we used one proposed by IBM about the Healthcare Collaborative Network (HCN) and an Online Banking scenario developed by Poste Italiane, describing online banking services provided by Poste Italiane’s division through
Here are the materials that we distributed among participants depending on the treatment to which they were assigned: