Model comprehension and stakeholder appropriateness of security risk-oriented modelling languages

Abstract

Modelling and management of the security risks from the early stages of information systems development could help to envision early security threats, their consequences and potential countermeasures. However, the security modelling languages could bring benefit only if they are correctly applied and the stakeholders comprehend models and agree about their meaning. In this paper we analyse how humans comprehend the security risk-oriented/aware modelling (SRM) languages and models. Specifically, by applying the semiotic quality framework, we investigate (i) concepts of the security risk management, and (ii) participant and modeller appropriateness regarding the SRM languages. Our results indicate the best and worst perceived SRM constructs and highlight few challenges to improve the SRM languages. © Springer-Verlag Berlin Heidelberg 2014.