DocumentCode :
3032291
Title :
On the comprehension of security risk scenarios
Author :
Hogganvik, Ida ; Stolen, Ketil
Author_Institution :
ICT, SINTEF, Oslo, Norway
fYear :
2005
fDate :
15-16 May 2005
Firstpage :
115
Lastpage :
124
Abstract :
Methods for security risk analysis are often based on structured brainstorming (e.g. what [F. Redmill et al., (1999)] calls HazOp). A structured brainstorming gathers a group of different system experts and the idea is that they will find more risks as a team than one-by-one. The CORAS modelling language [M. S. Lund et al., (2003)] has been designed to support the brainstorming process and to document security risk scenarios identified during these sessions. The language is graphical, based upon the Unified Modelling Language (UML) [R. E. Walpole et al., (1998)], and is recommended by OMG. This paper reports the results from two empirical experiments concerning the CORAS language. Our results show (1) many security risk analysis terms are used in the daily language and therefore well understood, but the more abstract or less frequently used terms can be a possible source for misunderstandings in a security analysis, and (2) the language's graphical icons make diagram "navigation" faster, but the diagrams are not necessarily understood more correctly than those without graphical icons.
Keywords :
Unified Modeling Language; security of data; visual languages; CORAS modelling language; Unified Modelling Language; graphical icons; security risk analysis; Brain modeling; Collaboration; Risk analysis; Security; Standardization; Student experiments; Terminology; Testing; Unified modeling language; Usability;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Program Comprehension, 2005. IWPC 2005. Proceedings. 13th International Workshop on
ISSN :
1092-8138
Print_ISBN :
0-7695-2254-8
Type :
conf
DOI :
10.1109/WPC.2005.27
Filename :
1421021