{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2023,6,17]],"date-time":"2023-06-17T10:28:01Z","timestamp":1686997681256},"reference-count":31,"publisher":"IGI Global","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2012,1]]},"abstract":"<jats:p>Developing a security modeling language is a complex activity. Particularly, it becomes very challenging for Security Requirements Engineering (SRE) languages where social\/organizational concepts are used to represent high-level business aspects, while security aspects are typically expressed in a technical jargon at a lower level of abstraction. In order to reduce this socio-technical mismatch and reach a high quality outcome, appropriate evaluation techniques need to be chosen and carried out throughout the development process of the modeling language. In this article, the authors present and discuss the formative user-centered evaluation approach, namely an evaluation technique that starts since the early design stages and actively involves end-users. The authors demonstrate the approach in a real case study presenting the results of the evaluation. From the gained empirical evidence, we may conclude that formative user-centered evaluation is highly recommended to investigate any security modeling language.<\/jats:p>","DOI":"10.4018\/jsse.2012010101","type":"journal-article","created":{"date-parts":[[2012,4,5]],"date-time":"2012-04-05T13:18:01Z","timestamp":1333631881000},"page":"1-19","source":"Crossref","is-referenced-by-count":9,"title":["Formative User-Centered Evaluation of Security Modeling"],"prefix":"10.4018","volume":"3","author":[{"given":"Sandra","family":"Tr\u00f6sterer","sequence":"first","affiliation":[{"name":"University of Salzburg, Austria"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Elke","family":"Beck","sequence":"additional","affiliation":[{"name":"University of Salzburg, Austria"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Fabiano","family":"Dalpiaz","sequence":"additional","affiliation":[{"name":"University of Trento, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Elda","family":"Paja","sequence":"additional","affiliation":[{"name":"University of Trento, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Paolo","family":"Giorgini","sequence":"additional","affiliation":[{"name":"University of Trento, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Manfred","family":"Tscheligi","sequence":"additional","affiliation":[{"name":"University of Salzburg, Austria"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"2432","reference":[{"key":"jsse.2012010101-0","unstructured":"Alves, A., Arkin, A., Askary, S., Barreto, C., Bloch, B., Curbera, F., et al. (Eds.). (2007). Web services business process execution language version 2.0. Retrieved from http:\/\/docs.oasis-open.org\/wsbpel\/2.0\/CS01\/wsbpel-v2.0-CS01.html"},{"key":"jsse.2012010101-1","doi-asserted-by":"publisher","DOI":"10.1023\/B:AGNT.0000018806.20944.ef"},{"key":"jsse.2012010101-2","doi-asserted-by":"crossref","unstructured":"Casati, F., Sayal, M., & Shan, M. (2001, June). Developing e-services for composing e-services. In K. Dittrich, A. Geppert, & M. Norrie (Eds.), Proceedings of the 13th International Conference on Advanced Information Systems Engineering, Interlaken, Switzerland (LNCS 2068, pp.171-186).","DOI":"10.1007\/3-540-45341-5_12"},{"key":"jsse.2012010101-3","doi-asserted-by":"crossref","unstructured":"Dalpiaz, F., Paja, E., & Giorgini, P. (in press). Security requirements engineering via commitments. In Proceedings of the First Workshop on Socio-Technical Aspects in Security and Trust.","DOI":"10.1109\/STAST.2011.6059249"},{"key":"jsse.2012010101-4","doi-asserted-by":"crossref","unstructured":"Devanbu, P. T., & Stubblebine, S. (2000). Software engineering for security: a roadmap. In Proceedings of the Conference on the Future of Software Engineering, Limerick, Ireland (pp. 227-239). New York, NY: ACM.","DOI":"10.1145\/336512.336559"},{"key":"jsse.2012010101-5","first-page":"1110","article-title":"Evaluation of software usability","author":"A.Dillon","year":"2001","journal-title":"Encyclopedia of human factors and ergonomics"},{"key":"jsse.2012010101-6","author":"A. J.Dix","year":"2003","journal-title":"Human-computer interaction"},{"key":"jsse.2012010101-7","unstructured":"Eclipse. (2010). Graphical modeling project (GMP). Retrieved from http:\/\/www.eclipse.org\/modeling\/gmp\/"},{"key":"jsse.2012010101-8","unstructured":"Eclipse. (2011). Rich client platform (RCP) applications. Retrieved from http:\/\/www.eclipse.org\/community\/rcp.php"},{"key":"jsse.2012010101-9","doi-asserted-by":"crossref","unstructured":"Giorgini, P., Massacci, F., & Mylopoulos, J. (2003, October 13-16). Requirement engineering meets security: A case study on modeling secure electronic transactions by VISA and Mastercard. In I. Song, S. W. Liddle, T. W. Ling, & P. Scheuermann (Eds.), Proceedings of the 22nd International Conference on Conceptual Modeling, Chicago, IL (LNCS 2813, pp. 263-276).","DOI":"10.1007\/978-3-540-39648-2_22"},{"key":"jsse.2012010101-10","doi-asserted-by":"crossref","unstructured":"Giorgini, P., Massacci, F., Mylopoulos, J., & Zannone, N. (2005, August 29-September 2). Modeling security requirements through ownership, permission and delegation. In Proceedings of the 13th IEEE International Conference on Requirements Engineering, Paris, France (pp. 167-176). Washington, DC: IEEE Computer Society.","DOI":"10.1109\/RE.2005.43"},{"issue":"4","key":"jsse.2012010101-11","first-page":"597","article-title":"Understanding reliability and validity in qualitative research.","volume":"8","author":"N.Golafshani","year":"2003","journal-title":"Qualitative Report"},{"key":"jsse.2012010101-12","author":"D.Hix","year":"1992","journal-title":"Formative evaluation: Ensuring usability in user interfaces (Tech. Rep.)"},{"key":"jsse.2012010101-13","doi-asserted-by":"crossref","unstructured":"Hommes, B. J., & van Reijswoud, V. (2000). Assessing the quality of business process modeling techniques. In Proceedings of the 33rd Annual Hawaii International Conference on System Sciences (pp. 4-7). Washington, DC: IEEE Computer Society.","DOI":"10.1109\/HICSS.2000.926591"},{"key":"jsse.2012010101-14","unstructured":"International Organization for Standardization. (1998). ISO 9241-11:1998: Ergonomic requirements for office work with visual display terminals (VDTs) \u2013 Part 11: Guidance on usability. Retrieved December 8, 2011, from http:\/\/www.iso.org\/iso\/catalogue_detail.htm?csnumber=16883"},{"key":"jsse.2012010101-15","unstructured":"International Organization for Standardization. (2010). ISO 9241-210:2010: Ergonomics of human-system interaction \u2013 Part 210: Human-centred design for interactive systems. Retrieved December 8, 2011, from http:\/\/www.iso.org\/iso\/catalogue_detail.htm?csnumber=52075"},{"key":"jsse.2012010101-16","doi-asserted-by":"crossref","unstructured":"J\u00fcrjens, J. (2002). UMLsec: Extending UML for secure systems development. In Proceedings of the 5th International Conference on The Unified Modeling Language (pp. 1-9).","DOI":"10.1007\/3-540-45800-X_32"},{"issue":"1","key":"jsse.2012010101-17","first-page":"43","article-title":"DSML success factors and their assessment criteria.","volume":"13","author":"A.Kahlaoui","year":"2008","journal-title":"Software Measurement News"},{"key":"jsse.2012010101-18","doi-asserted-by":"crossref","unstructured":"Kamandi, A., & Habibi, J. (2008). Modeling languages study and evaluation techniques. In Proceedings of the Second Asia International Conference on Modeling & Simulation (pp.553-558). Washington, DC: IEEE Computer Society.","DOI":"10.1109\/AMS.2008.121"},{"key":"jsse.2012010101-19","unstructured":"K\u00e4rn\u00e4, J., Tolvanen, J. P., & Kelly, S. (2009). Evaluating the use of domain-specific modeling in practice. In Proceedings of the 9th OOPSLA Workshop on Domain-Specific Modeling (pp. 14-20)."},{"key":"jsse.2012010101-20","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-05183-8_6"},{"key":"jsse.2012010101-21","doi-asserted-by":"crossref","unstructured":"McDermott, J., & Fox, C. (1999). Using abuse case models for security requirements analysis. In Proceedings of the 15th Annual Computer Security Applications Conference (pp. 55-64). Washington, DC: IEEE Computer Society.","DOI":"10.1109\/CSAC.1999.816013"},{"key":"jsse.2012010101-22","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-00434-6_3"},{"key":"jsse.2012010101-23","doi-asserted-by":"publisher","DOI":"10.4018\/978-1-59140-935-9.ch005"},{"key":"jsse.2012010101-24","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2008.05.013"},{"key":"jsse.2012010101-25","doi-asserted-by":"publisher","DOI":"10.1016\/S0950-5849(00)00109-9"},{"key":"jsse.2012010101-26","unstructured":"Recker, J. C., zur Muehlen, M., Siau, K., Erickson, J., & Indulska, M. (2009). Measuring method complexity: UML versus BPMN. In Proceedings of the Americas Conference on Information Systems (p. 541). Retrieved December 8, 2011, from http:\/\/aisel.aisnet.org\/amcis2009\/541"},{"key":"jsse.2012010101-27","author":"M. B.Rosson","year":"2001","journal-title":"Usability engineering: Scenario-based development of human-computer interaction"},{"key":"jsse.2012010101-28","first-page":"39","article-title":"The methodology of evaluation","author":"M.Scriven","year":"1967","journal-title":"Perspectives of curriculum evaluation"},{"key":"jsse.2012010101-29","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-004-0194-4"},{"key":"jsse.2012010101-30","doi-asserted-by":"crossref","unstructured":"Wilson, C. E. (2006). Triangulation: the explicit use of multiple methods, measures, and approaches for determining core issues in product development. Interactions, 13(6), 46ff.","DOI":"10.1145\/1167948.1167980"}],"container-title":["International Journal of Secure Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=64192","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,6,26]],"date-time":"2019-06-26T23:50:18Z","timestamp":1561593018000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jsse.2012010101"}},"subtitle":["Results from a Case Study"],"short-title":[],"issued":{"date-parts":[[2012,1]]},"references-count":31,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.4018\/jsse.2012010101","relation":{},"ISSN":["1947-3036","1947-3044"],"issn-type":[{"value":"1947-3036","type":"print"},{"value":"1947-3044","type":"electronic"}],"subject":[],"published":{"date-parts":[[2012,1]]}}}