ABSTRACT
Nowadays, it is impossible to ignore the implementation of security features in information systems since they manage important assets that are critical for the business processes of organizations. In this aspect, there have been several researches for introducing the security analysis in different stages of software development life cycle. Among those solutions, one of the most interesting one is the usage of misuse cases. Misuse cases, which are extensions of the well-known use cases, were created for defining security requirements. A misuse case can be considered as the inverse of a use case and it defines functions that the system should not allow. Even though, misuse cases are very useful for eliciting security requirements, they do not provide a mechanism to prioritize such requirements. Therefore, they do not address the problem of optimal risk management. Software engineers often have to work within a given set of budget constraints that may impede them from implementing all possible countermeasures. Thus, the software engineer needs to find a way to prioritize the security requirements to decide which requirements will be developed. Motivated by the mentioned limitation of misuse cases, the presented paper proposes an enhanced misuse case model which incorporates a method for prioritization of security requirements.
- Walton, J. P. 2002. Developing an Enterprise Information Security Policy. In: 30th Annual ACM SIGUCCS Conference on User Services, pp. 153--156 (2002) Google ScholarDigital Library
- McGraw, G. 2004. Software Security. IEEE Security & Privacy, 2(2): 80--83 (2004). Google ScholarDigital Library
- Mouratidis, H, Giorgini, P, and Manson, G. 2005. When security meets software engineering; a cases of modelling secure information systems. Information Systems, 30(8): 609--629 (2005). Google ScholarDigital Library
- Devanbu, P. T. and Stubblebine S. 2000. Software engineering for security: a roadmap. In: Conference on the Future of Software Engineering, New York, NY, USA: ACM. Pp. 227--239 (2000). Google ScholarDigital Library
- Alexander, I. 2003. Misuse Cases: Use Cases with Hostile Intent. IEEE Software, 20(1): 58--66 (2003) Google ScholarDigital Library
- Firesmith, D. G. 2003. Security Use Cases. Journal of Object Technology, 2(3): 53--64 (2003)Google ScholarCross Ref
- Sindre, G. and Opdahl, A. L. 2005. Eliciting Security Requirements with Misuse Cases. Requirements Engineering Journal, 10(1): 34--44 (2005) Google ScholarDigital Library
- Anton, A., Carter, R., Dagnino, A., Dempster, J., and Siege, D. 2001. Deriving Goals from a Use-Case Based Requirements Specification. Requirements Engineering, 6(1): 63--73 (2001)Google ScholarCross Ref
- Some, S. 2006. Supporting use case based requirements engineering. Information and Software Technology, 48(1): 43--58 (2006) Google ScholarDigital Library
- Sindre, G. and Opdahl, A. L. 2000. Eliciting Security Requirements by Misuse Cases. In: TOOLS Pacific 2000, 20--23. pp 120--131 (Nov 2000)Google Scholar
- Park, K, Yoo, S, and Kim, J. 2001. Security Requirements Prioritization Based on Threat Modeling and Valuation Graph. In: ICHIT 2001, pp. 142--152 (2001).Google Scholar
- First.org. CVSS v3.0 Preview 2: Metrics / Formula / Examples. Decembre 2014.Google Scholar
- First.org. CVSS v3.0 Formula. Decembre 2014.Google Scholar
- Swiderski, F. and Snyder, W. 2014. Threat Modeling. Microsoft Press (2004). Google ScholarDigital Library
Index Terms
- Enhanced Misuse Cases for Prioritization of Security Requirements
Recommendations
A systematic literature review of software requirements prioritization research
Context: During requirements engineering, prioritization is performed to grade or rank requirements in their order of importance and subsequent implementation releases. It is a major step taken in making crucial decisions so as to increase the economic ...
Eliciting security requirements with misuse cases
Use cases have become increasingly common during requirements engineering, but they offer limited support for eliciting security threats and requirements. At the same time, the importance of security is growing with the rise of phenomena such as e-...
An Approach for Eliciting Software Requirements and its Prioritization Using Analytic Hierarchy Process
ARTCOM '09: Proceedings of the 2009 International Conference on Advances in Recent Technologies in Communication and ComputingMost software engineering methods presume that requirements are explicitly and completely stated; however, experience shows that requirements are rarely complete and usually contain implicit requirements. The failure or success of a software system ...
Comments