Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

Security requirement derivation by noun–verb analysis of use–misuse case relationships: a case study using positive train control

  • 321 Accesses


Use cases and misuse cases, respectively, state the interactions that an actor can have and a mal-actor be prevented from having with a system. The cases do not specify either the security requirements or the associated attributes that a system must possess to operate in a secure manner. We present an algorithmic, domain-independent approach rooted in verb–noun analysis of use cases and misuse cases to generate system requirements and the associated security attributes. We illustrate the utility of this general five-step method using Positive train control (PTC) (a command and control system used to navigate trains in a railway grid) as a case study. This approach allows the designer to protect against the effect of wireless vulnerabilities on the safety of PTC systems.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2


  1. 1.

    Checkland P, Scholes J (1990) Soft system methodology in action. Wiley, New York

  2. 2.

    QFD Institute (2005) Frequently asked questions about QFD

  3. 3.

    Systems designers (1986) Scientific core-the method: user manual. SD-Scicon

  4. 4.

    Mullery G (1979) Core: a method for controlled requirements specification. In: Proceedings 4th international conference on software engineering (ICSE-4), Munich, Germany, pp 17–19

  5. 5.

    Kunz W, Rittel H Issues as elements of information systems, working paper. In: Berkeley institute of urban and regional development, University of California

  6. 6.

    Wood J, Silver D (1995) Joint application development, 2nd edn. Wiley, New York

  7. 7.

    Kang K, Cohen S, Hess J, Novack W, Peterson A (1990) Feature-oriented domain analysis feasibility study (CMU/SEI-90-TR-021, ADA235785). Software Engineering Institute, Carnegie Mellon University, Pittsburgh

  8. 8.

    Hubbard R, Mead N, Schroeder C (2000) An assessment of the relative efficiency of a facilitator-driven requirements collection process with respect to the conventional interview method. In: International Conference on Requirements Engineering, Los Alamitos

  9. 9.

    Sindre G, Opdahl A (2001) Capturing security requirements through misuse cases, proceedings, NorskInformatikkonferanse. Universiteteti Troms, Norway

  10. 10.

    Sindre G, Opdahl A (2000) Eliciting security requirements by misuse cases. In: Proceedings 37th international conference on technology of object-oriented languages (Tools 37-Pacific 2000) Sydney, Australia

  11. 11.

    Larman C (1998) Applying UML and patterns. In: An introduction to Object Oriented analysis and design, Prentice-Hall, NJ

  12. 12.

    Alexander I (2003) Misuse cases: use cases with Hostile Intent. IEEE Softw 20(1)

  13. 13.

    Sindre G, Opdahl A (2001) Templates for misuse case description. In: Proceedings requirements engineering, foundations of software quality, Interlaken Switzerland

  14. 14.

    (1999) Common criteria implementation board, common criteria for information technology security evaluation, part 2: security functional requirments ISO/IEC 15408–1. Int Stand Organ

  15. 15.

    Ware M (2006) Using common criteria to elicit security requirements with use cases. In: Proceedings of the IEEE southeastern conference, Tennessee

  16. 16.

    McDermott J, Fox C (1999) Using abuse case models for security requirements analysis. In: Proceedings of the 15th Annual IEEE computer security applications conference

  17. 17.

    Nuseibh B, Lin L et al (2003) Introducing abuse frames for analyzing security requirements. In: Proceedings of the 11th IEEE international requirements, Engineering Conference

  18. 18.

    Whitmore J (2001) A method for designing secure solutions. IBM Syst J 40(3)

  19. 19.

    Diallo M, Romero-Mariona J et al (2006) A comparative evaluation of three approaches to specifying security requirements. In: 12th International workshop on requirements engineering foundations for software quality (REFSQ’ 06), Luxembourg

  20. 20.

    Nuseibeh B, Haley C, Lanley R (2004) Deriving security requirements from crosscutting threat descriptions. In: Proceedings of the 3rd international conference on aspect-oriented software development, Lancaster, UK

  21. 21.

    Object management group (2006) UML 2.0 OCL specification OMG

  22. 22.

    Ddahl H, Hoggenvik I, Stohen K (2007) Structured semantics for the CORAS security risk modelling language, SINTEF ICT. Technical, Report A970

  23. 23.

    Rumbaugh J (1994) Getting started: using use cases to capture requirements. J Object Oriented Program

  24. 24.

    Jacobson I (1992) Object-Oriented software engineering: a use case driven approach. Addison-Wesley

  25. 25.

    (2005) International standards organization, ISO/IEC 19501:2005 unified modeling language (UML) version 1.4.2, ISO

  26. 26.

    Alexander I (2002) Initial industrial experience of misuse cases in trade-off analysis. In: Proceedings of 10th IEEE joint international requirements engineering conference (RE02), Essen, Germany

  27. 27.

    Collins M (1999) Head driven statistical models for natural language parsing. Doctoral Disertation, University of Pennsylvania

  28. 28.

    Benoit S, Overmyer S, Rambow B (2001) Conceptual modeling through linguistic analysis using LIDA. In: Proceedings 23rd international conference on software engineering (ICSE 2001), Toronto, Canada

  29. 29.

    (1999) In: Landau S (ed) Cambridge dictionary of American English, Cambridge university press

  30. 30.

    Hartong M, Goel R, Wijesekera D (2006) Communications based positive train control systems architecture in the USA. In: Proceedings 63rd IEEE international vehicle technology conference Melbourne, Australia

  31. 31.

    (1994) Federal railroad administration, railroad communications and train control, report to congress

  32. 32.

    (1999) Federal railroad administration, report of the railroad safety advisory committee to the federal railroad administrator. Implement Posit Train Control Syst

  33. 33.

    (2004) Association of American railroads, policy and economics department, US freight railroad. Stat

  34. 34.

    (2003) US surface transportation board, office Of economics. In: Environmental analysis and administration, Statistics Of Class I Freight railroads in the United States

  35. 35.

    (2003) National transportation atlas databases (NTAD), federal railroad administration(FRA) national rail network 1:100,000 (line). In: Bureau of transportation statistics (BTS), Washington, DC

  36. 36.

    (2005) Congressional research service of the library of congress. In: Terrorist capabilities for cyber attack- overview and policy issues, Report RL33123, Washington, DC

  37. 37.

    (2002) Computer science and telecommunications board. In: National research council cybersecurity today and tomorrow: pay now or pay later, National academies press, Washington, DC

  38. 38.

    The President’s National Security Telecommunications Advisory Committee (2003) Wireless task force report wireless, security

  39. 39.

    (2003) Cybersecurity of freight information systems TRB special report 274. In: Transportation research board of the national academy of sciences, Washington, DC

  40. 40.

    Chittester C, Haines Y (2004) Risks of terrorism to information technology and to critical interdependent infrastructure. J Homel Secur Emerg Manage 1(4)

  41. 41.

    Weinstein B, Clower T (1998) The impact of the union pacific service disruptions on the Texas and national economies: an unfinished story. Railr Comm Texas

  42. 42.

    Rush W (2004) Engaging in worm warfare. Infoworld Media Group, San Francisco

  43. 43.

    (2005) United States national transportation safety board, report of railroad accident: collision of Norfolk southern freight train 192 with standing Norfolk Southern local train P22 with subsequent hazardous materials release. Graniteville, South Carolina, NTSB/RAR-05/04

  44. 44.

    Register Federal (2005) 49 CFR Parts 209, 234, and 236 standards for the development and use of processor based signal and train control systems. Final Rule

  45. 45.

    Carlson A, Frincke D, Laude M (2003) Railway security issues: a survey of developing railway technology. In: Proceedings of the international conference on computer, communications and Control technology, International Institute of Informatics and Systemic

  46. 46.

    Craven P (2004) A brief look at railroad communication vulnerabilities. In: Proceedings 2004 IEEE intelligent transportation systems conference, Washington, DC

  47. 47.

    Craven P, Craven S (2005) Security of ATCS wireless railway communications. In: Proceedings of the 2005 joint rail conference. Pueblo, CO.

  48. 48.

    Hartong M, Goel R, Wijesekera D (2006) Communications security in communications based train control. In: Tenth international conference on computer system design and operation in the railway and other transit systems, Prague, Czech Republic

  49. 49.

    Hartong M, Goel R, Wijesekera D (2006) Mapping use cases to functional fault trees in order to secure positive train control systems. In: Proceedings of 9th international conference on applications of advanced technology in transportation engineering, IL, Chicago

  50. 50.

    Hartong M, Goel R, Wijesekera D (2006) Key management requirments for positive train control communications security. In: Proceedings of the (2006) IEEE/ASME joint rail conference, Atlanta, GA

  51. 51.

    Warmer J, Kleppe A (1998) The object constraint language: precise modeling with UM. Addison-Wesley

  52. 52.

    Sendal S, Strohmeier A (2000) From use cases to system operation specifications, UML 2000—The unified modeling language. In: Kent, Evans (eds) 3rd international conference. Lecture notes in computer science, number 1939, UK, Springer-Verlag

  53. 53.

    (2004) Federal railroad administration benefits and costs of positive train control. Report Response Req Appropr Comm

  54. 54.

    (2004) United States general accounting office, GAO testimony before the subcommittee on technology information policy, intergovernmental relations and the census, house committee on government reform. Crit Infrastruct Protect Chall Efforts Secur Control Syst

  55. 55.

    (2006) US department of homeland security, office of grants and training FY 2006 infrastructure protection program. Intercity Passeng Rail Secur Progr Guidel Appl Kit

  56. 56.

    American association of state highway and transportation officials (2002) Transportation-invest in America: freight-rail bottom line report. http://freight.transportation.org/ doc/ FreightRailReport.pdf

  57. 57.

    (2006) Burlington Northern Santa Fe Railway, Product safety plan version 2.1

Download references

Author information

Correspondence to Mark Hartong.

Additional information

The views and opinions expressed herein are that of the authors and do not necessarily state or reflect those of the United States Government, the Department of Transportation, or the Federal Railroad Administration, and shall not be used for advertising or product endorsement purposes.

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Hartong, M., Goel , R. & Wijesekera, D. Security requirement derivation by noun–verb analysis of use–misuse case relationships: a case study using positive train control. Innovations Syst Softw Eng 10, 103–122 (2014). https://doi.org/10.1007/s11334-013-0227-6

Download citation


  • Requirements definition
  • Noun–verb analysis
  • Use cases
  • Misuse case
  • System security
  • Positive train control