Model comprehension for security risk assessment: an empirical comparison of tabular vs. graphical representations

  • Katsiaryna Labunets
  • Fabio Massacci
  • Federica Paci
  • Sabrina Marczak
  • Flávio Moreira de Oliveira
Article

DOI: 10.1007/s10664-017-9502-8

Cite this article as:
Labunets, K., Massacci, F., Paci, F. et al. Empir Software Eng (2017). doi:10.1007/s10664-017-9502-8
  • 55 Downloads

Abstract

Tabular and graphical representations are used to communicate security risk assessments for IT systems. However, there is no consensus on which type of representation better supports the comprehension of risks (such as the relationships between threats, vulnerabilities and security controls). Cognitive fit theory predicts that spatial relationships should be better captured by graphs. In this paper we report the results of two studies performed in two countries with 69 and 83 participants respectively, in which we assessed the effectiveness of tabular and graphical representations with respect to extraction correct information about security risks. The experimental results show that tabular risk models are more effective than the graphical ones with respect to simple comprehension tasks and in some cases are more effective for complex comprehension tasks. We explain our findings by proposing a simple extension of Vessey’s cognitive fit theory as some linear spatial relationships could be also captured by tabular models.

Keywords

Empirical study Security risk assessment Risk modeling Comprehensibility Cognitive fit 

Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

  • Katsiaryna Labunets
    • 1
  • Fabio Massacci
    • 1
  • Federica Paci
    • 2
  • Sabrina Marczak
    • 3
  • Flávio Moreira de Oliveira
    • 3
  1. 1.University of TrentoTrentoItaly
  2. 2.University of SouthamptonSouthamptonUK
  3. 3.Pontifícia Universidade Catòlica do Rio Grande do Sul (PUCRS) UniversityPorto AlegreBrazil

Personalised recommendations