Abstract
Security has become a necessity for information systems (ISs) and for information itself. Nevertheless, existing practice reports numerous cases in which security aspects were considered only at the end of the development process, so that systematic security analysis was missed. Misuse case diagrams help identify security concerns at early stages of IS development. Despite this fundamental advantage, misuse cases tend to be rather imprecise; they do not comply with security risk management strategies and could therefore lead to misinterpretation of security-related concepts. Such limitations could potentially result in poor security solutions. This paper applies a systematic approach to understand how misuse case diagrams could help model organisational assets, potential risks, and the security countermeasures that mitigate those risks. The contribution helps explain how misuse cases could support security risk management and reasoning about security requirements and their implementation in the software system.
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Soomro, I., Ahmed, N. (2013). Towards Security Risk-Oriented Misuse Cases. In: La Rosa, M., Soffer, P. (eds) Business Process Management Workshops. BPM 2012. Lecture Notes in Business Information Processing, vol 132. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36285-9_68
DOI: https://doi.org/10.1007/978-3-642-36285-9_68
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-36284-2
Online ISBN: 978-3-642-36285-9