Context: Tabular and graphical representations are used to communicate security risk assessments for IT systems. However, there is no consensus on which type of representation better supports the comprehension of risks (such as the relationships between threats, vulnerabilities and security controls). Cognitive fit theory predicts that spatial relationships should be better captured by graphs.
Method: We report the results of two studies performed in two countries with 69 and 83 participants respectively, in which we assessed the effectiveness of tabular and graphical representations with respect to extraction of correct information about security risks.
Results: Tabular risk models are more e ective than graphi- cal ones with respect to simple comprehension tasks and often more e ective also for complex comprehension tasks.
Conclusions: We explain our findings by proposing a simple extension of Vessey’s cognitive fit theory as some linear spatial relationships could be also captured by tabular models.
Interest for ICSE: It is almost taken for granted in Software Engineering that graphical-, diagram- based models are “the” way to go (e.g. the SE Body of Knowledge [3]). This paper provides some experimental-based doubts that this might not always be the case. It will provide a definitely interesting debate that might ripple to traditional requirements and design notations outside security