research-article

Enhanced Misuse Cases for Prioritization of Security Requirements

Authors:
Sang Guun Yoo

Departamento de Ciencias de la Computación, Universidad de las Fuerzas, Armadas ESPE, Av. General Rumiñahui s/n, Sangolquí, Ecuador and Facultad de Ingeniería de Sistemas, Escuela Politécnica Nacional, Ladrón de Guevara, Quito, Ecuador

Departamento de Ciencias de la Computación, Universidad de las Fuerzas, Armadas ESPE, Av. General Rumiñahui s/n, Sangolquí, Ecuador and Facultad de Ingeniería de Sistemas, Escuela Politécnica Nacional, Ladrón de Guevara, Quito, Ecuador
View Profile

,
Hugo Pérez Vaca

Departamento de Seguridad y Defensa, Universidad de las Fuerzas Armadas ESPE, Av. General Rumiñahui s/n, Sangolquí, Ecuador

Departamento de Seguridad y Defensa, Universidad de las Fuerzas Armadas ESPE, Av. General Rumiñahui s/n, Sangolquí, Ecuador
View Profile

,
Juho Kim

Department of Computer Science and Engineering, Sogang University, Mapo-gu, Seoul, Korea

Department of Computer Science and Engineering, Sogang University, Mapo-gu, Seoul, Korea
View Profile

ICIME 2017: Proceedings of the 9th International Conference on Information Management and EngineeringOctober 2017Pages 1–10https://doi.org/10.1145/3149572.3149580

Published:09 October 2017Publication History

ICIME 2017: Proceedings of the 9th International Conference on Information Management and Engineering

Pages 1–10

ABSTRACT

Nowadays, it is impossible to ignore the implementation of security features in information systems since they manage important assets that are critical for the business processes of organizations. In this aspect, there have been several researches for introducing the security analysis in different stages of software development life cycle. Among those solutions, one of the most interesting one is the usage of misuse cases. Misuse cases, which are extensions of the well-known use cases, were created for defining security requirements. A misuse case can be considered as the inverse of a use case and it defines functions that the system should not allow. Even though, misuse cases are very useful for eliciting security requirements, they do not provide a mechanism to prioritize such requirements. Therefore, they do not address the problem of optimal risk management. Software engineers often have to work within a given set of budget constraints that may impede them from implementing all possible countermeasures. Thus, the software engineer needs to find a way to prioritize the security requirements to decide which requirements will be developed. Motivated by the mentioned limitation of misuse cases, the presented paper proposes an enhanced misuse case model which incorporates a method for prioritization of security requirements.

References

Walton, J. P. 2002. Developing an Enterprise Information Security Policy. In: 30th Annual ACM SIGUCCS Conference on User Services, pp. 153--156 (2002) Google ScholarDigital Library
McGraw, G. 2004. Software Security. IEEE Security & Privacy, 2(2): 80--83 (2004). Google ScholarDigital Library
Mouratidis, H, Giorgini, P, and Manson, G. 2005. When security meets software engineering; a cases of modelling secure information systems. Information Systems, 30(8): 609--629 (2005). Google ScholarDigital Library
Devanbu, P. T. and Stubblebine S. 2000. Software engineering for security: a roadmap. In: Conference on the Future of Software Engineering, New York, NY, USA: ACM. Pp. 227--239 (2000). Google ScholarDigital Library
Alexander, I. 2003. Misuse Cases: Use Cases with Hostile Intent. IEEE Software, 20(1): 58--66 (2003) Google ScholarDigital Library
Firesmith, D. G. 2003. Security Use Cases. Journal of Object Technology, 2(3): 53--64 (2003)Google ScholarCross Ref
Sindre, G. and Opdahl, A. L. 2005. Eliciting Security Requirements with Misuse Cases. Requirements Engineering Journal, 10(1): 34--44 (2005) Google ScholarDigital Library
Anton, A., Carter, R., Dagnino, A., Dempster, J., and Siege, D. 2001. Deriving Goals from a Use-Case Based Requirements Specification. Requirements Engineering, 6(1): 63--73 (2001)Google ScholarCross Ref
Some, S. 2006. Supporting use case based requirements engineering. Information and Software Technology, 48(1): 43--58 (2006) Google ScholarDigital Library
Sindre, G. and Opdahl, A. L. 2000. Eliciting Security Requirements by Misuse Cases. In: TOOLS Pacific 2000, 20--23. pp 120--131 (Nov 2000)Google Scholar
Park, K, Yoo, S, and Kim, J. 2001. Security Requirements Prioritization Based on Threat Modeling and Valuation Graph. In: ICHIT 2001, pp. 142--152 (2001).Google Scholar
First.org. CVSS v3.0 Preview 2: Metrics / Formula / Examples. Decembre 2014.Google Scholar
First.org. CVSS v3.0 Formula. Decembre 2014.Google Scholar
Swiderski, F. and Snyder, W. 2014. Threat Modeling. Microsoft Press (2004). Google ScholarDigital Library

Index Terms

Enhanced Misuse Cases for Prioritization of Security Requirements
1. Software and its engineering
  1. Software creation and management
    1. Designing software
      1. Requirements analysis

Recommendations

A systematic literature review of software requirements prioritization research

Context: During requirements engineering, prioritization is performed to grade or rank requirements in their order of importance and subsequent implementation releases. It is a major step taken in making crucial decisions so as to increase the economic ...
Read More
Eliciting security requirements with misuse cases

Use cases have become increasingly common during requirements engineering, but they offer limited support for eliciting security threats and requirements. At the same time, the importance of security is growing with the rise of phenomena such as e-...
Read More
An Approach for Eliciting Software Requirements and its Prioritization Using Analytic Hierarchy Process
ARTCOM '09: Proceedings of the 2009 International Conference on Advances in Recent Technologies in Communication and Computing

Most software engineering methods presume that requirements are explicitly and completely stated; however, experience shows that requirements are rarely complete and usually contain implicit requirements. The failure or success of a software system ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in

ICIME 2017: Proceedings of the 9th International Conference on Information Management and Engineering
October 2017
233 pages
ISBN:9781450353373
DOI:10.1145/3149572

Copyright © 2017 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 9 October 2017
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Software engineering
misuse case
prioritization
requirement engineering
use case
Qualifiers
- research-article
- Research
- Refereed limited
Conference

Acceptance Rates
Overall Acceptance Rate19of31submissions,61%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 7
  Total Citations
  View Citations
- 141
  Total Downloads
- Downloads (Last 12 months)13
- Downloads (Last 6 weeks)4
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Enhanced Misuse Cases for Prioritization of Security Requirements

ICIME 2017: Proceedings of the 9th International Conference on Information Management and Engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

A systematic literature review of software requirements prioritization research

Eliciting security requirements with misuse cases

An Approach for Eliciting Software Requirements and its Prioritization Using Analytic Hierarchy Process

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

Enhanced Misuse Cases for Prioritization of Security Requirements

ICIME 2017: Proceedings of the 9th International Conference on Information Management and Engineering

ABSTRACT

References

Cited By

Index Terms

Recommendations

A systematic literature review of software requirements prioritization research

Eliciting security requirements with misuse cases

An Approach for Eliciting Software Requirements and its Prioritization Using Analytic Hierarchy Process

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media