Title :
Which security catalogue is better for novices?
Author :
Katsiaryna Labunets;Federica Paci;Fabio Massacci
Author_Institution :
University of Trento, Italy
Date :
8/24/2015 12:00:00 AM
Abstract :
Several catalogues of security threats and controls have been proposed to help organizations identify critical risks and improve their risk posture against real-world threats. But the role that these catalogues play in a security risk assessment has not yet been investigated. In this paper, we report an experiment with 18 MSc students conducted to compare the effect of using domain-specific and domain-general catalogues of threats and security controls on the actual efficacy and perception of a security risk assessment method. The experimental results show that there is no difference in the actual efficacy of the method when applied with the two types of catalogues. In contrast, the perceived usefulness of the method is higher for the participants who have used the domain-specific catalogues. In addition, the domain-specific catalogues are perceived as easier to use by the participants.
Keywords :
"Security","Risk management","Atmospheric measurements","Particle measurements","Organizations","ISO Standards"
Conference_Title :
Empirical Requirements Engineering (EmpiRE), 2015 IEEE Fifth International Workshop on
Electronic_ISBN :
2329-6356
DOI :
10.1109/EmpiRE.2015.7431304