research-article

Enhanced Misuse Cases for Prioritization of Security Requirements

Authors:

Sang Guun Yoo,

Hugo Pérez Vaca,

Juho KimAuthors Info & Claims

ICIME 2017: Proceedings of the 9th International Conference on Information Management and Engineering

Pages 1 - 10

https://doi.org/10.1145/3149572.3149580

Published: 09 October 2017 Publication History

Get Access

Abstract

Nowadays, it is impossible to ignore the implementation of security features in information systems since they manage important assets that are critical for the business processes of organizations. In this aspect, there have been several researches for introducing the security analysis in different stages of software development life cycle. Among those solutions, one of the most interesting one is the usage of misuse cases. Misuse cases, which are extensions of the well-known use cases, were created for defining security requirements. A misuse case can be considered as the inverse of a use case and it defines functions that the system should not allow. Even though, misuse cases are very useful for eliciting security requirements, they do not provide a mechanism to prioritize such requirements. Therefore, they do not address the problem of optimal risk management. Software engineers often have to work within a given set of budget constraints that may impede them from implementing all possible countermeasures. Thus, the software engineer needs to find a way to prioritize the security requirements to decide which requirements will be developed. Motivated by the mentioned limitation of misuse cases, the presented paper proposes an enhanced misuse case model which incorporates a method for prioritization of security requirements.

References

[1]

Walton, J. P. 2002. Developing an Enterprise Information Security Policy. In: 30th Annual ACM SIGUCCS Conference on User Services, pp. 153--156 (2002)

Digital Library

Google Scholar

[2]

McGraw, G. 2004. Software Security. IEEE Security & Privacy, 2(2): 80--83 (2004).

Digital Library

Google Scholar

[3]

Mouratidis, H, Giorgini, P, and Manson, G. 2005. When security meets software engineering; a cases of modelling secure information systems. Information Systems, 30(8): 609--629 (2005).

Digital Library

Google Scholar

[4]

Devanbu, P. T. and Stubblebine S. 2000. Software engineering for security: a roadmap. In: Conference on the Future of Software Engineering, New York, NY, USA: ACM. Pp. 227--239 (2000).

Digital Library

Google Scholar

[5]

Alexander, I. 2003. Misuse Cases: Use Cases with Hostile Intent. IEEE Software, 20(1): 58--66 (2003)

Digital Library

Google Scholar

[6]

Firesmith, D. G. 2003. Security Use Cases. Journal of Object Technology, 2(3): 53--64 (2003)

Crossref

Google Scholar

[7]

Sindre, G. and Opdahl, A. L. 2005. Eliciting Security Requirements with Misuse Cases. Requirements Engineering Journal, 10(1): 34--44 (2005)

Digital Library

Google Scholar

[8]

Anton, A., Carter, R., Dagnino, A., Dempster, J., and Siege, D. 2001. Deriving Goals from a Use-Case Based Requirements Specification. Requirements Engineering, 6(1): 63--73 (2001)

Crossref

Google Scholar

[9]

Some, S. 2006. Supporting use case based requirements engineering. Information and Software Technology, 48(1): 43--58 (2006)

Digital Library

Google Scholar

[10]

Sindre, G. and Opdahl, A. L. 2000. Eliciting Security Requirements by Misuse Cases. In: TOOLS Pacific 2000, 20--23. pp 120--131 (Nov 2000)

Google Scholar

[11]

Park, K, Yoo, S, and Kim, J. 2001. Security Requirements Prioritization Based on Threat Modeling and Valuation Graph. In: ICHIT 2001, pp. 142--152 (2001).

Google Scholar

[12]

First.org. CVSS v3.0 Preview 2: Metrics / Formula / Examples. Decembre 2014.

Google Scholar

[13]

First.org. CVSS v3.0 Formula. Decembre 2014.

Google Scholar

[14]

Swiderski, F. and Snyder, W. 2014. Threat Modeling. Microsoft Press (2004).

Digital Library

Google Scholar

Cited By

View all

Andrade RTorres JOrtiz-Garcés IMiño JAlmeida L(2023)An Exploratory Study Gathering Security Requirements for the Software Development ProcessElectronics10.3390/electronics1217359412:17(3594)Online publication date: 25-Aug-2023
https://doi.org/10.3390/electronics12173594
Yeng PFauzi MYang BDiekuu JNimbe PHolik FKhatiwada PFahmi ASun L(2023)SecHealth: Enhancing EHR Security in Digital Health TransformationProceedings of the 8th International Conference on Sustainable Information Engineering and Technology10.1145/3626641.3627214(538-544)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1145/3626641.3627214
Khanneh SAnu V(2022)Security Requirements Prioritization Techniques: A Survey and Classification FrameworkSoftware10.3390/software10400191:4(450-472)Online publication date: 28-Oct-2022
https://doi.org/10.3390/software1040019
Show More Cited By

Index Terms

Enhanced Misuse Cases for Prioritization of Security Requirements
1. Software and its engineering
  1. Software creation and management
    1. Designing software
      1. Requirements analysis

Recommendations

A systematic literature review of software requirements prioritization research

Context: During requirements engineering, prioritization is performed to grade or rank requirements in their order of importance and subsequent implementation releases. It is a major step taken in making crucial decisions so as to increase the economic ...
Eliciting security requirements with misuse cases

Use cases have become increasingly common during requirements engineering, but they offer limited support for eliciting security threats and requirements. At the same time, the importance of security is growing with the rise of phenomena such as e-...
An Approach for Eliciting Software Requirements and its Prioritization Using Analytic Hierarchy Process
ARTCOM '09: Proceedings of the 2009 International Conference on Advances in Recent Technologies in Communication and Computing

Most software engineering methods presume that requirements are explicitly and completely stated; however, experience shows that requirements are rarely complete and usually contain implicit requirements. The failure or success of a software system ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ICIME 2017: Proceedings of the 9th International Conference on Information Management and Engineering

October 2017

233 pages

ISBN:9781450353373

DOI:10.1145/3149572

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

University of Salford: University of Salford

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 October 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ICIME 2017

ICIME 2017: 2017 9th International Conference on Information Management and Engineering

October 9 - 11, 2017

Barcelona, Spain

Acceptance Rates

Overall Acceptance Rate 19 of 31 submissions, 61%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
147
Total Downloads

Downloads (Last 12 months)14
Downloads (Last 6 weeks)1

Reflects downloads up to 23 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Andrade RTorres JOrtiz-Garcés IMiño JAlmeida L(2023)An Exploratory Study Gathering Security Requirements for the Software Development ProcessElectronics10.3390/electronics1217359412:17(3594)Online publication date: 25-Aug-2023
https://doi.org/10.3390/electronics12173594
Yeng PFauzi MYang BDiekuu JNimbe PHolik FKhatiwada PFahmi ASun L(2023)SecHealth: Enhancing EHR Security in Digital Health TransformationProceedings of the 8th International Conference on Sustainable Information Engineering and Technology10.1145/3626641.3627214(538-544)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1145/3626641.3627214
Khanneh SAnu V(2022)Security Requirements Prioritization Techniques: A Survey and Classification FrameworkSoftware10.3390/software10400191:4(450-472)Online publication date: 28-Oct-2022
https://doi.org/10.3390/software1040019
Niazi MSaeed AAlshayeb MMahmood SZafar S(2020)A Maturity Model for Secure Requirements EngineeringComputers & Security10.1016/j.cose.2020.101852(101852)Online publication date: May-2020
https://doi.org/10.1016/j.cose.2020.101852
Katt BPrasher N(2019)Quantitative Security AssuranceExploring Security in Software Architecture and Design10.4018/978-1-5225-6313-6.ch002(15-46)Online publication date: 2019
https://doi.org/10.4018/978-1-5225-6313-6.ch002
Ijaz KInayat IAllah Bukhsh F(2019)Non-functional Requirements Prioritization: A Systematic Literature Review2019 45th Euromicro Conference on Software Engineering and Advanced Applications (SEAA)10.1109/SEAA.2019.00064(379-386)Online publication date: Aug-2019
https://doi.org/10.1109/SEAA.2019.00064
Katt BPrasher NPérez JMirandola RChen H(2018)Quantitative security assurance metricsProceedings of the 12th European Conference on Software Architecture: Companion Proceedings10.1145/3241403.3241464(1-7)Online publication date: 24-Sep-2018
https://dl.acm.org/doi/10.1145/3241403.3241464

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

A systematic literature review of software requirements prioritization research

Eliciting security requirements with misuse cases

An Approach for Eliciting Software Requirements and its Prioritization Using Analytic Hierarchy Process