
Towards Security Risk-Oriented Misuse Cases

  • Conference paper
Business Process Management Workshops (BPM 2012)

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 132)

Abstract

Security has turned out to be a necessity for information systems (ISs) and for information itself. Nevertheless, existing practice reports numerous cases in which security aspects were considered only at the end of the development process, so that a systematic security analysis was missed. Misuse case diagrams help identify security concerns at early stages of IS development. Despite this fundamental advantage, misuse cases tend to be rather imprecise: they do not comply with security risk management strategies and could therefore lead to misinterpretation of security-related concepts. Such limitations could potentially result in poor security solutions. This paper applies a systematic approach to understand how misuse case diagrams could help model organisational assets, potential risks, and the security countermeasures that mitigate these risks. The contribution helps understand how misuse cases could address security risk management and support reasoning about security requirements and their implementation in the software system.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

Cite this paper

Soomro, I., Ahmed, N. (2013). Towards Security Risk-Oriented Misuse Cases. In: La Rosa, M., Soffer, P. (eds) Business Process Management Workshops. BPM 2012. Lecture Notes in Business Information Processing, vol 132. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36285-9_68

  • DOI: https://doi.org/10.1007/978-3-642-36285-9_68

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-36284-2

  • Online ISBN: 978-3-642-36285-9
