A User Study: Abuse Cases Derived from Use Case Description and CAPEC Attack Patterns

  • Imano WilliamsEmail author
  • Xiaohong Yuan
Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 514)


Nowadays, developers should incorporate software security best practices from the early stages of the software development lifecycle to build more robust software against software security attacks. However, incorporating security practices at the early stages of the SDLC is difficult for novice software developers that do not have a systematic approach to address security issues. In this paper, we proposed a preliminary method to derive abuse cases, one of software security best practices, based on use case description and attack patterns and then evaluate the method in a user study. We investigated the effectiveness of the proposed method to help novices develop abuse cases and gained insights on how a novice of software security would select keywords from use case descriptions, and select relevant attack patterns for developing abuse cases. Our main findings were (1) the approaches participants used to select the keywords and the attack patterns as they related to the use cases; (2) the approach used to select relevant attack patterns; (3) the relationship between the keywords and the attack patterns; and (4) use case based on the textual content showed the method can be effective in assisting non-experts to create abuse cases. Finally, we suggest possible approaches to select keywords more effectively and the implication of using an inference engine to build relationships between use cases and attack patterns.


Software security Attack patterns Abuse cases 



This work is partially supported by National Science Foundation under the grant HRD-1332504 Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.


  1. 1.
    Wei C. Sia: “misuse cases and abuse cases in eliciting security requirements”. System security: COMPSCI, vol 725Google Scholar
  2. 2.
    McDermott J, Fox C (1999) Using abuse case models for security requirements analysis. In: Proceedings of 15th annual computer security applications conference, 1999 (ACSAC’99), pp 55–64Google Scholar
  3. 3.
    McGraw G (2006) Software security: building security, vol 1. Addison-Wesley ProfessionalGoogle Scholar
  4. 4.
    Hope P, McGraw G, Antón AI (2004) Misuse and abuse cases: getting past the positive. IEEE Secur Priv 2:90–92CrossRefGoogle Scholar
  5. 5.
    CAPEC (2014) Classification (CAPEC)Google Scholar
  6. 6.
    Sindre G, Opdahl AL (2000) Eliciting security requirements by misuse cases. In: Proceedings 37th international conference on technology of object-oriented languages and systems, 2000 (TOOLS-Pacific 2000), pp 120–131Google Scholar
  7. 7.
    Alexander I (2002) Initial industrial experience of misuse cases in trade-off analysis. In: Proceedings of IEEE joint international conference on requirements engineering, 2002, pp 61–68Google Scholar
  8. 8.
    Pauli JJ, Engebretson PH (2008) Hierarchy-driven approach for attack patterns in software security education. In: Fifth international conference on information technology: new generations, 2008 (ITNG 2008), pp 1156–1157Google Scholar
  9. 9.
    Kaiya H, Kono S, Ogata S, Okubo T, Yoshioka N, Washizaki H et al (2014) Security requirements analysis using knowledge in capec. In: International conference on advanced information systems engineering, 2014, pp 343–348Google Scholar
  10. 10.
    Yuan X, Nuakoh EB, Beal JS, Yu H (2014) Retrieving relevant CAPEC attack patterns for secure software development. In: Proceedings of the 9th annual cyber and information security research conference. Oak Ridge, Tennessee, USA.Google Scholar
  11. 11.
    Yuan X, Nuakoh EB, Williams I, Yu H (2015) Developing abuse cases based on threat modeling and attack patterns. JSW 10:491–498CrossRefGoogle Scholar
  12. 12.
    Microsoft threat modeling tool (2014) Accessed 28 Feb 2018
  13. 13.
    Owasp threat risk modeling. Accessed 28 Feb 2018
  14. 14.
    Castañeda V, Ballejos L, Caliusco ML, Galli MR (2010) The use of ontologies in requirements engineering. Glob J Res Eng 10:2–8Google Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. 1.Department of Computer ScienceNorth Carolina A&T State UniversityGreensboroUSA

Personalised recommendations