Towards Security Risk-Oriented Misuse Cases

  • Inam Soomro
  • Naved Ahmed
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 132)


Security has turn out to be a necessity of information systems (ISs) and information per se. Nevertheless, existing practices report on numerous cases when security aspects were considered only at the end of the development process, thus, missing the systematic security analysis. Misuse case diagrams help identify security concerns at early stages of the IS development. Despite this fundamental advantage, misuse cases tend to be rather imprecise; they do not comply with security risk management strategies, and, thus, could lead to misinterpretation of the security-related concepts. Such limitations could potentially result in poor security solutions. This paper applies a systematic approach to understand how misuse case diagrams could help model organisational assets, potential risks, and security countermeasures to mitigate these risks. The contribution helps understand how misuse cases could deal with security risk management and support reasoning for security requirements and their implementation in the software system.


Security risk management Misuse cases Security engineering Information system security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ahmed, N., Matulevičius, R., Mouratidis, H.: A Model Transformation from Misuse Cases to Secure Tropos. In: Proc of the CAiSE 2012 Forum at the 24th Int. Conf. (CAiSE), pp. 7–14. CEUR-WS (2012)Google Scholar
  2. 2.
    Alexander, I.: Misuse cases: Use cases with Hostile Intent. IEEE Soft. 20(1), 58–66 (2003)CrossRefGoogle Scholar
  3. 3.
    Altuhhova, O., Matulevičius, R., Ahmed, N.: Towards Definition of Secure Business Processes. In: Bajec, M., Eder, J. (eds.) CAiSE Workshops 2012. LNBIP, vol. 112, pp. 1–15. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  4. 4.
    Chowdhury, M.J.M., Matulevičius, R., Sindre, G., Karpati, P.: Aligning Mal-activity Diagrams and Security Risk Management for Security Requirements Definitions. In: Regnell, B., Damian, D. (eds.) REFSQ 2011. LNCS, vol. 7195, pp. 132–139. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  5. 5.
    Ekelhart, A., Fenz, S., Neubauer, T.: AURUM: A Framework for Information Security Risk Management. In: HICSS 2009, pp. 1–10. IEEE Computer Society (2009)Google Scholar
  6. 6.
    Firesmith, D.: Security Use Cases. Journal of Object Technology 2(3), 53–64 (2003)CrossRefGoogle Scholar
  7. 7.
    Herrmann, A., Morali, A., Etalle, S., Wieringa, R.J.: RiskREP: Risk-based Security Requirements Elicitation and Prioritization. In: Perspectives in Business Informatics Research, Riga, pp. 155–162. Riga Technical University (2011)Google Scholar
  8. 8.
    van Lamsweerde, A.: Elaborating Security Requirements by Construction of Intentional Anti-Models. In: Proceedings of the 26th International Conference on Software Engineering, ICSE 2004, pp. 148–157. IEEE Computer Society (2004)Google Scholar
  9. 9.
    Matulevičius, R., Mayer, N., Heymans, P.: Alignment of Misuse Cases with Security Risk Management. In: Proceedings of 3rd International Conf. on Availability, Reliability and Security, pp. 1397–1404. IEEE Computer Society (2008)Google Scholar
  10. 10.
    Matulevičius, R., Mouratidis, H., Mayer, N., Dubois, E., Heymans, P.: Syntactic and Semantic Extensions to Secure Tropos to Support Security Risk Management. J. UCS 18(6), 816–844 (2012)Google Scholar
  11. 11.
    Mayer, N.: Model-based Management of Information System Security Risk. Ph.D. thesis, University of Namur (2009)Google Scholar
  12. 12.
    Mayer, N., Heymans, P., Matulevičius, R.: Design of a Modelling Language for Information System Security Risk Management. In: Proceedings of the First International Conference on Research Challenges in Information Science, RCIS 2007, pp. 121–132 (2007)Google Scholar
  13. 13.
    McDermott, J.: Abuse-Case-Based Assurance Arguments. In: Proc. of the 17th Annual Comp. Security Applications Conf., ACSAC 2001, pp. 366. IEEE Computer Society (2001)Google Scholar
  14. 14.
    McDermott, J., Fox, C.: Using Abuse Case Models for Security Requirements Analysis. In: Proceedings of ACSAC 1999, pp. 55–66. IEEE Computer Society (1999)Google Scholar
  15. 15.
    Pauli, J.J., Xu, D.: Trade-off Analysis of Misuse Case-based Secure Software Architec-tures: A Case Study. In: Proc. of MSVVEIS Workshop, pp. 89–95. INSTICC Press (2005)Google Scholar
  16. 16.
    Røstad, L.: An Extended Misuse Case Notation: Including Vulnerabilities and The Insider Threat. In: Proc. 12th Working Conf. REFSQ 2006 (2006) Google Scholar
  17. 17.
    Sindre, G., Opdahl, A.L.: Templates for Misuse Case Description. In: Proc. of the 7th International Workshop on REFSQ 2001 (2001)Google Scholar
  18. 18.
    Sindre, G., Opdahl, A.L.: Eliciting Security Requirements with Misuse Cases. Requir. Eng. 10(1), 34–44 (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Inam Soomro
    • 1
  • Naved Ahmed
    • 1
  1. 1.Institute of Computer ScienceUniversity of TartuTartuEstonia

Personalised recommendations