[Background] Industry relies on tabular notations to document risk assessment results, while academia encourages the use of graphical notations. Previous studies revealed that tabular and graphical notations with textual labels provide better support for extracting correct information about security risks than iconic graphical notation does.
[Aim] In this study we examine how well tabular and graphical risk modeling notations support extraction and memorization of information about risks when models cannot be searched.
[Method] We present results of two experiments with 60 MSc and 31 BSc students where we compared their performance in extraction and memorization of security risk models in tabular, UML-style and iconic graphical modeling notations.
[Result] Once search is restricted, the tabular notation demonstrates results similar to the iconic graphical notation in information extraction. In the memorization task, tabular and graphical notations showed equivalent results, but this is statistically significant only between the two graphical notations.
[Conclusion] The three notations provide similar support to decision-makers when they need to extract and remember correct information about security risks.
| Title of host publication | International Symposium on Empirical Software Engineering and Measurement |
| Publisher | IEEE / ACM |
| Number of pages | 10 |
| Publication status | Published - 2018 |
- Cyber security risk assessment
- Cyber risk modeling
- Controlled experiment