Skip to main content
SpringerLink
Log in

An Empirical Study on the Comprehensibility of Graphical Security Risk Models Based on Sequence Diagrams

  • Conference paper
  • First Online:
Risks and Security of Internet and Systems (CRiSIS 2018)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 11391))

Included in the following conference series:

  • 810 Accesses

Abstract

We report on an empirical study in which we evaluate the comprehensibility of graphical versus textual risk annotations in threat models based on sequence diagrams. The experiment was carried out on two separate groups where each group solved tasks related to either graphical or textual annotations. We also examined the efficiency of using these two annotations in terms of the average time each group spent per task. Our study reports that threat models with textual risk annotations are equally comprehensible to corresponding threat models with graphical risk annotations. With respect to efficiency, however, we found out that participants solving tasks related to the graphical annotations spent on average \(23\%\) less time per task.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Basili, V.R., Caldiera, G., Rombach, H.D.: Experience Factory. Wiley, Hoboken (2002)

    Book  Google Scholar 

  2. CORAL Plugin for Eclipse Papyrus. https://bitbucket.org/vetlevo/no.uio.ifi.coral.profile/. Accessed 6 July 2018

  3. Dunning, D., Johnson, K., Ehrlinger, J., Kruger, J.: Why people fail to recognize their own incompetence. Curr. Dir. Psychol. Sci. 12(3), 83–87 (2003)

    Article  Google Scholar 

  4. Erdogan, G.: CORAL: a model-based approach to risk-driven security testing. Ph.D. thesis, University of Oslo (2016)

    Google Scholar 

  5. Erdogan, G., Li, Y., Runde, R.K., Seehusen, F., Stølen, K.: Approaches for the combined use of risk analysis and testing: a systematic literature review. Int. J. Softw. Tools Technol. Transfer 16(5), 627–642 (2014)

    Article  Google Scholar 

  6. Eval&Go. http://www.evalandgo.com/. Accessed 6 July 2018

  7. Everitt, B.S., Skrondal, A.: The Cambridge Dictionary of Statistics. Cambridge University Press, Cambridge (2010)

    Book  Google Scholar 

  8. Felderer, M., Schieferdecker, I.: A taxonomy of risk-based testing. Int. J. Softw. Tools Technol. Transfer 16(5), 559–568 (2014)

    Article  Google Scholar 

  9. Field, A.: Discovering Statistics Using IBM SPSS Statistics. SAGE Publications, Newcastle upon Tyne (2013)

    Google Scholar 

  10. Hadar, I., Reinhartz-Berger, I., Kuflik, T., Perini, A., Ricca, F., Susi, A.: Comparing the comprehensibility of requirements models expressed in use case and Tropos: results from a family of experiments. Inf. Softw. Technol. 55(10), 1823–1843 (2013)

    Article  Google Scholar 

  11. Halford, G.S., Baker, R., McCredden, J.E., Bain, J.D.: How many variables can humans process? Psychol. Sci. 16(1), 70–76 (2005)

    Article  Google Scholar 

  12. Halford, G.S., Wilson, W.H., Phillips, S.: Processing capacity defined by relational complexity: implications for comparative, developmental, and cognitive psychology. Behav. Brain Sci. 21(6), 803–831 (1998)

    Google Scholar 

  13. Hogganvik, I., Stølen, K.: Empirical investigations of the CORAS language for structured brainstorming. Technical report A05041, SINTEF Information and Communication Technology (2005)

    Google Scholar 

  14. Hogganvik, I., Stølen, K.: On the comprehension of security risk scenarios. In: Proceedings of the 13th International Workshop on Program Comprehension (IWPC 2005), pp. 115–124. IEEE (2005)

    Google Scholar 

  15. Labunets, K., Massacci, F., Paci, F., Marczak, S., de Oliveira, F.M.: Model comprehension for security risk assessment: an empirical comparison of tabular vs. graphical representations. Empir. Softw. Eng. 22(6), 3017–3056 (2017)

    Article  Google Scholar 

  16. Labunets, K., Massacci, F., Tedeschi, A.: Graphical vs. tabular notations for risk models: on the role of textual labels and complexity. In: Proceedings of the 11th International Symposium on Empirical Software Engineering and Measurement (ESEM 2017), pp. 267–276. IEEE (2017)

    Google Scholar 

  17. Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-12323-8

    Book  MATH  Google Scholar 

  18. Madsen, B.S.: Statistics for Non-Statisticians. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49349-6

    Book  MATH  Google Scholar 

  19. Meliá, S., Cachero, C., Hermida, J.M., Aparicio, E.: Comparison of a textual versus a graphical notation for the maintainability of MDE domain models: an empirical pilot study. Softw. Qual. J. 24(3), 709–735 (2016)

    Article  Google Scholar 

  20. Moody, D.L.: The “physics” of notations: toward a scientific basis for constructing visual notations in software engineering. Trans. Softw. Eng. IEEE 35(6), 756–779 (2009)

    Article  Google Scholar 

  21. Nilsson, E.G., Stølen, K.: The FLUIDE framework for specifying emergency response user interfaces employed to a search and rescue case. Technical report A27575, SINTEF Information and Communication Technology (2016)

    Google Scholar 

  22. Object Management Group. Unified Modeling Language (UML), Version 2.5.1, 2017. OMG Document Number: formal/2017-12-05

    Google Scholar 

  23. Papyrus Modeling Environment. https://www.eclipse.org/papyrus/. Accessed 6 July 2018

  24. Schalles, C.: Usability Evaluation of Modeling Languages. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-658-00051-6

    Book  Google Scholar 

  25. Schieferdecker, I., Großmann, J., Schneider, M.: Model-based security testing. In: Proceedings of the 7th Workshop on Model-Based Testing (MBT 2012). Electronic Proceedings in Theoretical Computer Science (EPTCS ), vol. 80, pp. 1–12 (2012)

    Article  Google Scholar 

  26. Shull, F., Singer, J., Sjøberg, D.I.K.: Guide to Advanced Empirical Software Engineering. Springer, London (2007). https://doi.org/10.1007/978-1-84800-044-5

    Book  Google Scholar 

  27. Singh, K.: Quantitative Social Research Methods. SAGE Publications, Newcastle upon Tyne (2007)

    Book  Google Scholar 

  28. Staron, M., Kuzniarz, L., Wohlin, C.: Empirical assessment of using stereotypes to improve comprehension of UML models: a set of experiments. J. Syst. Softw. 79(5), 727–742 (2006)

    Article  Google Scholar 

  29. Volden-Freberg, V.: Development of tool support within the domain of risk-driven security testing. Master’s thesis, University of Oslo (2017)

    Google Scholar 

  30. Wohlin, C., Höst, M., Henningsson, K.: Empirical research methods in software engineering. In: Conradi, R., Wang, A.I. (eds.) Empirical Methods and Studies in Software Engineering. LNCS, vol. 2765, pp. 7–23. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45143-3_2

    Chapter  Google Scholar 

  31. Wohlin, C., Runeson, P., Höst, M., Ohlsson, M.C., Regnell, B., Wesslén, A.: Experimentation in Software Engineering. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29044-2

    Book  MATH  Google Scholar 

  32. Cross-Site Scripting (XSS). https://www.owasp.org/index.php/Cross-site_Scripting_(XSS). Accessed 6 July 2018

Download references

Acknowledgments

This work has been conducted within the AGRA project (236657) funded by the Research Council of Norway.

Author information

Authors and Affiliations

  1. SINTEF Digital, Oslo, Norway

    Vetle Volden-Freberg & Gencer Erdogan

Authors
  1. Vetle Volden-Freberg
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Gencer Erdogan
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Vetle Volden-Freberg .

Editor information

Editors and Affiliations

  1. University of Bordeaux, Talence, France

    Akka Zemmari

  2. University of Bordeaux, Talence, France

    Mohamed Mosbah

  3. IMT Atlantique, Brest, France

    Nora Cuppens-Boulahia

  4. IMT Atlantique, Brest, France

    Frédéric Cuppens

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Volden-Freberg, V., Erdogan, G. (2019). An Empirical Study on the Comprehensibility of Graphical Security Risk Models Based on Sequence Diagrams. In: Zemmari, A., Mosbah, M., Cuppens-Boulahia, N., Cuppens, F. (eds) Risks and Security of Internet and Systems. CRiSIS 2018. Lecture Notes in Computer Science(), vol 11391. Springer, Cham. https://doi.org/10.1007/978-3-030-12143-3_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-12143-3_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-12142-6

  • Online ISBN: 978-3-030-12143-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation