Evaluation of the Cognitive Effectiveness of the CORAS Modelling Language

  • Eloïse Zehnder
  • Nicolas MayerEmail author
  • Guillaume Gronier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11158)


Nowadays, Information System (IS) security and Risk Management (RM) are required for every organization that wishes to survive in this networked and open world. Thus, more and more organizations tend to implement a security strategy based on an ISSRM (IS security RM) approach. However, the difficulty of dealing efficiently with ISSRM is currently growing, because of the complexity of current IS coming with the increasing number of risks organizations need to face. To use conceptual models to deal with RM issues, especially in the information security domain, is today an active research topic, and many modelling languages have been proposed in this way. However, a current challenge remains the cognitive effectiveness of the visual syntax of these languages, i.e. the effectiveness to convey information. Security risk managers are indeed not used to use modelling languages in their daily work, making this aspect of cognitive effectiveness a must-have for these modelling languages. Instead of starting defining a new cognitive effective modelling language, our objective is rather to assess and benchmark existing ones from the literature. The aim of this paper is thus to assess the cognitive effectiveness of CORAS, a modelling language focused on ISSRM.


Security Risk management Visual syntax Physics of notations 



Supported by the National Research Fund, Luxembourg, and financed by the ENTRI project (C14/IS/8329158).


  1. 1.
    Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Foundations of attack–defense trees. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 80–95. Springer, Heidelberg (2011). Scholar
  2. 2.
    Band, I., Engelsman, W., Feltus, C., Paredes, S.G., Hietala, J., Jonkers, H., Massart, S.: Modeling Enterprise Risk Management and Security with the ArchiMate® Language. The Open Group (2015)Google Scholar
  3. 3.
    Mayer, N., Grandry, E., Feltus, C., Goettelmann, E.: Towards the ENTRI framework: security risk management enhanced by the use of enterprise architectures. In: Persson, A., Stirna, J. (eds.) CAiSE 2015. LNBIP, vol. 215, pp. 459–469. Springer, Cham (2015). Scholar
  4. 4.
    Mayer, N., Feltus, C.: Evaluation of the risk and security overlay of archimate to model information system security risks. In: IEEE 21st International Enterprise Distributed Object Computing Conference Workshops (EDOCW), pp. 106–116. IEEE (2017)Google Scholar
  5. 5.
    Lund, M.S., Solhaug, B., Stolen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Heidelberg (2010). Scholar
  6. 6.
    Hitchman, S.: Practitioner perceptions on the use of some semantic concepts in the entity–relationship model. Eur. J. Inf. Syst. 4, 31–40 (1995)CrossRefGoogle Scholar
  7. 7.
    Hitchman, S.: The details of conceptual modelling notations are important - a comparison of relationship normative language. Commun. Assoc. Inf. Syst. 9, 167–179 (2002)Google Scholar
  8. 8.
    Nordbotten, J.C., Crosby, M.E.: The effect of graphic style on data model interpretation. Inf. Syst. J. 9, 139–155 (2001)CrossRefGoogle Scholar
  9. 9.
    Shanks, G.: The challenges of strategic data planning in practice: an interpretive case study. J. Strateg. Inf. Syst. 6, 69–90 (1997)CrossRefGoogle Scholar
  10. 10.
    Figl, K., Derntl, M., Rodriguez, M.C., Botturi, L.: Cognitive effectiveness of visual instructional design languages. J. Vis. Lang. Comput. 21, 359–373 (2010)CrossRefGoogle Scholar
  11. 11.
    Green, T.R.G., Petre, M.: Usability analysis of visual programming environments: a ‘Cognitive Dimensions’ framework. J. Vis. Lang. Comput. 7, 131–174 (1996)CrossRefGoogle Scholar
  12. 12.
    Moody, D.: The “Physics” of notations: toward a scientific basis for constructing visual notations in software engineering. IEEE Trans. Softw. Eng. 35, 756–779 (2009)CrossRefGoogle Scholar
  13. 13.
    Moody, D., van Hillegersberg, J.: Evaluating the visual syntax of UML: an analysis of the cognitive effectiveness of the UML family of diagrams. In: Gašević, D., Lämmel, R., Van Wyk, E. (eds.) SLE 2008. LNCS, vol. 5452, pp. 16–34. Springer, Heidelberg (2009). Scholar
  14. 14.
    Moody, D.L., Heymans, P., Matulevičius, R.: Visual syntax does matter: improving the cognitive effectiveness of the i* visual notation. Requir. Eng. 15, 141–175 (2010)CrossRefGoogle Scholar
  15. 15.
    Genon, N., Heymans, P., Amyot, D.: Analysing the cognitive effectiveness of the BPMN 2.0 visual notation. In: Malloy, B., Staab, S., van den Brand, M. (eds.) SLE 2010. LNCS, vol. 6563, pp. 377–396. Springer, Heidelberg (2011). Scholar
  16. 16.
    Moody, D.L.: Review of ArchiMate: The Road to International Standardisation. ArchiMate Foundation and BiZZDesign B.V. (2007)Google Scholar
  17. 17.
    Beckers, K., Heisel, M., Solhaug, B., Stølen, K.: ISMS-CORAS: a structured method for establishing an ISO 27001 compliant information security management system. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds.) Engineering Secure Future Internet Services and Systems. LNCS, vol. 8431, pp. 315–344. Springer, Cham (2014). Scholar
  18. 18.
    van der Linden, D., Hadar, I.: A systematic literature review of applications of the physics of notation. IEEE Trans. Softw. Eng. PP, 1 (2018)Google Scholar
  19. 19.
    Störrle, H., Fish, A.: Towards an operationalization of the “Physics of Notations” for the analysis of visual languages. In: Moreira, A., Schätz, B., Gray, J., Vallecillo, A., Clarke, P. (eds.) MODELS 2013. LNCS, vol. 8107, pp. 104–120. Springer, Heidelberg (2013). Scholar
  20. 20.
    van der Linden, D., Zamansky, A., Hadar, I.: How cognitively effective is a visual notation? On the inherent difficulty of operationalizing the physics of notations. In: Schmidt, R., Guédria, W., Bider, I., Guerreiro, S. (eds.) BPMDS/EMMSAD -2016. LNBIP, vol. 248, pp. 448–462. Springer, Cham (2016). Scholar
  21. 21.
    Krogstie, J.: Using a semiotic framework to evaluate UML for the development of models of high quality. In: Unified Modeling Language: Systems Analysis, Design and Development Issues, pp. 89–106. IGI Global (2001)Google Scholar
  22. 22.
    Genon, N.: Unlocking Diagram Understanding: Empowering End-Users for Semantically Transparent Visual Symbols (2016)Google Scholar
  23. 23.
    Frank, U.: Domain-specific modeling languages: requirements analysis and design guidelines. In: Reinhartz-Berger, I., Sturm, A., Clark, T., Cohen, S., Bettin, J. (eds.) Domain Engineering, pp. 133–157. Springer, Heidelberg (2013). Scholar
  24. 24.
    Guizzardi, G., Pires, L.F., van Sinderen, M.: Ontology-based evaluation and design of domain-specific visual modeling languages. In: Nilsson, A.G., Gustas, R., Wojtkowski, W., Wojtkowski, W.G., Wrycza, S., Zupančič, J. (eds.) Advances in Information Systems Development, pp. 217–228. Springer, Boston (2006). Scholar
  25. 25.
    Kleppe, A.: Software Language Engineering: Creating Domain-Specific Languages Using Metamodels. Addison-Wesley Professional (2008)Google Scholar
  26. 26.
    Nielsen, J., Molich, R.: Heuristic evaluation of user interfaces. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 249–256. ACM, New York (1990)Google Scholar
  27. 27.
    Zender, M., Mejía, G.M.: Improving icon design: through focus on the role of individual symbols in the construction of meaning. Vis. Lang. 47, 66–89 (2013)Google Scholar
  28. 28.
    Miller, G.A.: The magical number seven, plus or minus 2: some limits on our capacity for processing information. Psychol. Rev. 63, 81–97 (1956)CrossRefGoogle Scholar
  29. 29.
    Lauesen, S., Pave Musgrove, M.: Heuristic evaluation of user interfaces versus usability testing. In: User Interface Design - A Software Engineering Perspective, pp. 443–463 (2005)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Eloïse Zehnder
    • 1
  • Nicolas Mayer
    • 1
    Email author
  • Guillaume Gronier
    • 1
  1. 1.Luxembourg Institute of Science and TechnologyEsch-sur-AlzetteLuxembourg

Personalised recommendations