An experiment on comparing textual vs. visual industrial methods for security risk assessment

Many security risk assessment methods have been proposed both from academia and industry. However, little empirical evaluation has been done to investigate how these methods are effective in practice. In this paper we report a controlled experiment that we conducted to compare the effectiveness and...

Bibliographic Details
Main Authors: Labunets, Katsiaryna, Paci, Federica, Massacci, Fabio, Ruprai, Raminder
Format: Conference Proceeding
Language: English
cited_by cdi_FETCH-LOGICAL-c225t-c5a08429383e8264a4c2c903ecdcff4697ca001ae8a9e283875404810b55a5253
cites
container_end_page 35
container_issue
container_start_page 28
container_title
container_volume
creator Labunets, Katsiaryna
Paci, Federica
Massacci, Fabio
Ruprai, Raminder
description Many security risk assessment methods have been proposed both from academia and industry. However, little empirical evaluation has been done to investigate how these methods are effective in practice. In this paper we report a controlled experiment that we conducted to compare the effectiveness and participants' perception of visual versus textual methods for security risk assessment used in industry. As instances of the methods we selected CORAS, a method by SINTEF used to provide security risk assessment consulting services, and SecRAM, a method by EUROCONTROL used to conduct security risk assessment within air traffic management. The experiment involved 29 MSc students who applied both methods to an application scenario from Smart Grid domain. The dependent variables were effectiveness of the methods measured as number of specific threats and security controls identified, and perception of the methods measured through post-task questionnaires based on the Technology Acceptance Model. The experiment shows that while there is no difference in the actual effectiveness of the two methods, the visual method is better perceived by the participants.
doi_str_mv 10.1109/EmpiRE.2014.6890113
format conference_proceeding
eisbn 9781479963379
1479963372
publisher IEEE
date 2014-08
tpages 8
fulltext fulltext_linktorsrc
identifier ISSN: 2329-6348
ispartof 2014 IEEE 4th International Workshop on Empirical Requirements Engineering (EmpiRE), 2014, p.28-35
issn 2329-6348
language eng
recordid cdi_ieee_primary_6890113
source IEEE Xplore All Conference Series
subjects Analysis of variance
controlled experiment
Educational institutions
Interviews
Risk management
Security
security risk assessment methods
Smart grids
technology acceptance model
Visualization
title An experiment on comparing textual vs. visual industrial methods for security risk assessment
url http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-01T20%3A30%3A33IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-ieee_CHZPO&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=proceeding&rft.atitle=An%20experiment%20on%20comparing%20textual%20vs.%20visual%20industrial%20methods%20for%20security%20risk%20assessment&rft.btitle=2014%20IEEE%204th%20International%20Workshop%20on%20Empirical%20Requirements%20Engineering%20(EmpiRE)&rft.au=Labunets,%20Katsiaryna&rft.date=2014-08&rft.spage=28&rft.epage=35&rft.pages=28-35&rft.issn=2329-6348&rft_id=info:doi/10.1109/EmpiRE.2014.6890113&rft.eisbn=9781479963379&rft.eisbn_list=1479963372&rft_dat=%3Cieee_CHZPO%3E6890113%3C/ieee_CHZPO%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c225t-c5a08429383e8264a4c2c903ecdcff4697ca001ae8a9e283875404810b55a5253%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_id=info:pmid/&rft_ieee_id=6890113&rfr_iscdi=true