Abstract
The search for security has always been one of the motivations of humankind. Nowadays data
systems are constantly threatened by risks. Security risk analyses have to be carried out in order
to identify these threats and prevent them from initiating threat scenarios. In order to ensure good
cooperation between the enterprises and the analysts, SINTEF has developed a modelling
language called CORAS. The analysts understand the CORAS semantics, but how easy is it
for the clients to understand it?
The thesis empirically evaluates the semantics of the CORAS modelling language. It presents
two investigations: a video analysis of a security risk analysis carried out in a company, and a
survey which was sent mainly to students.