Designing Visually Effective and Intuitive Modelling Notations for Security Risk Management

Oleksandr Cherednychenko
Security risk management is a set of activities, aimed at identifying and mitigating security risks starting from the early stages of software development. A set of security risk-oriented modelling languages could be used by both end users and security analysts to perform modelling activities. However, existing languages lack semantical transparency, which re-sults in additional grasping barriers and steepness of learning curve. Moreover, presently available modelling languages were developed with no explicit design rationale in mind and perform poorly in terms of effectiveness and intuitiveness. Since the vital characteris-tic of modelling language is cognitive effectiveness, this research is focused on improving visual perception of the available security risk-oriented modelling languages (Secure BPMN, Secure Tropos, Misuse Cases, Mal-activity Diagrams). This goal is fulfilled by proposing a set of icons, which could be incorporated into existing modelling languages. Unified set of icons would enhance the recognizability of domain-specific concepts, out-lined in Information Systems Security Risk Management Domain Model, as well as reduce the learning curve and improve the overall cognitive efficiency of available notations. Pro-posed icon set is composed based on the outcomes of several empirical studies, performed in 3 distinct locations, belonging to various geographical areas and exhibiting a variety of cultural backgrounds. Improved cognitive effectiveness of notations, augmented with pro-posed icon set, is validated by the conducted evaluation study, which demonstrated in-creased level of comprehension as compared with existing notations.
Graduation Thesis language
Graduation Thesis type
Master - Software Engineering
Raimundas Matulevičius
Defence year