Comparing attack trees and misuse cases in an industrial setting

The last decade has seen an increasing focus on addressing security already during the earliest stages of system development, such as requirements determination. Attack trees and misuse cases are established techniques for representing security threats along with their potential mitigations. Previous work has compared attack trees and misuse cases in two experiments with students. The present paper instead presents an experiment in which industrial practitioners perform the experimental tasks in their workplace. The industrial experiment confirms a central finding from the student experiments: attack trees tend to help identify more threats than misuse cases do. It also presents a new result: misuse cases tend to encourage identification of threats associated with earlier development stages than attack trees do. The two techniques should therefore be considered complementary and should be used together in practical requirements work.
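To make the two representations the abstract compares concrete, the following is an added example (written for this page, not code from the paper or its authors): a minimal attack-tree model with AND/OR gates, a misuse-case record with a threatened use case, its mitigating security use cases and the development stage they belong to, and a check of which enumerated attack paths remain unmitigated. The online-shop scenario, node names, mitigations and stage labels are constructed for illustration and are not the system or data studied in the paper.

```python
# Added example (not from the paper): a minimal model of the two techniques
# the study compares. An attack tree is a goal decomposed by AND/OR gates into
# leaf attack steps; a misuse case names a threat, the use case it threatens
# and the security use case(s) that mitigate it. Node names, mitigations and
# development stages below are constructed for illustration only.
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Node:
    """Attack-tree node: gate is "OR", "AND" or "LEAF" (an atomic attack step)."""
    name: str
    gate: str = "LEAF"
    children: list = field(default_factory=list)


def attack_paths(node):
    """Enumerate the attack paths that achieve node's goal, each as a frozenset
    of leaf step names. OR: any child's path suffices; AND: one path from every
    child, merged. A leaf is a one-step path."""
    if node.gate == "LEAF":
        return {frozenset([node.name])}
    child_paths = [attack_paths(c) for c in node.children]
    if node.gate == "OR":
        return set().union(*child_paths)
    if node.gate == "AND":
        return {frozenset().union(*combo) for combo in product(*child_paths)}
    raise ValueError(f"unknown gate {node.gate!r}")


def uncovered_paths(paths, mitigations):
    """Return the paths not blocked by any mitigation. `mitigations` maps a leaf
    step to the control that defeats it; a path is blocked if any of its steps
    is mitigated, since every step of an AND-path is needed."""
    return {p for p in paths if not any(step in mitigations for step in p)}


@dataclass
class MisuseCase:
    name: str            # the hostile scenario
    threatens: str       # the legitimate use case it attacks
    mitigated_by: list   # security use cases that counter it
    stage: str           # development stage where the mitigation is decided


def threats_by_stage(misuse_cases):
    """Group misuse-case names by the stage at which their mitigation belongs."""
    grouped = {}
    for mc in misuse_cases:
        grouped.setdefault(mc.stage, []).append(mc.name)
    return grouped


# Constructed sample: an online shop where the attacker's goal is reading
# another customer's order. (Hypothetical; not the system studied in the paper.)
EXAMPLE_TREE = Node("Read another customer's order", "OR", [
    Node("Guess order id in URL"),
    Node("Hijack a session", "AND", [
        Node("Obtain session token", "OR", [
            Node("Sniff token on plain HTTP"),
            Node("Steal token via XSS"),
        ]),
        Node("Replay token before expiry"),
    ]),
])

EXAMPLE_MITIGATIONS = {
    "Guess order id in URL": "Authorize every order read against the logged-in user",
    "Sniff token on plain HTTP": "Serve the site over TLS only",
}

EXAMPLE_MISUSE_CASES = [
    MisuseCase("Read another customer's order", "View order",
               ["Authorize order access"], "requirements"),
    MisuseCase("Hijack a session", "Log in",
               ["Bind session to TLS", "Expire tokens quickly"], "design"),
]

if __name__ == "__main__":
    paths = attack_paths(EXAMPLE_TREE)
    for p in sorted(paths, key=sorted):
        print("path:", sorted(p))
    for p in uncovered_paths(paths, EXAMPLE_MITIGATIONS):
        print("still uncovered:", sorted(p))
    print(threats_by_stage(EXAMPLE_MISUSE_CASES))
```

Run as a script, the block lists the three leaf-level attack paths of the sample tree and reports that the XSS-plus-replay path is still uncovered by the two sample mitigations, which is the kind of gap a practitioner looks for when the two techniques are used together: the tree enumerates concrete steps, while the misuse cases tie each threat to a use case and to the stage at which its mitigation must be decided.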
