MASG: Advanced Misuse Case Analysis Model with Assets and Security Goals

Misuse case model and its development process are useful and practical for security requirements analysis, but they require expertise especially about security assets and goals. To enable inexperienced requirements analysts to elicit and to analyse security requirements, we present an extension of misuse case model and its development process by incorporating new model elements, assets and security goals. We show its effectiveness from the quantitative and qualitative results of a case study. According to the results, we conclude the extension and its process enable inexperienced analysts to elicit security requirements as well as experienced analysts do.

[1]  John Mylopoulos,et al.  Computer-aided Support for Secure Tropos , 2007, Automated Software Engineering.

[2]  Donald Firesmith,et al.  Security Use Cases , 2003, J. Object Technol..

[3]  Dieter Gollmann,et al.  Computer Security , 1979, Lecture Notes in Computer Science.

[4]  日本規格協会 情報技術-セキュリティ技術-情報セキュリティ管理策の実践のための規範 : ISO/IEC 27002 = Information technology-Security techniques-Code of practice for information security controls : ISO/IEC 27002 , 2013 .

[5]  Ketil Stølen,et al.  Using model-based security analysis in component-oriented system development , 2006, QoP '06.

[6]  Ivar Jacobson,et al.  Object-oriented software engineering - a use case driven approach , 1993, TOOLS.

[7]  Frank Swiderski,et al.  Threat Modeling , 2018, Hacking Connected Cars.

[8]  Nobukazu Yoshioka,et al.  Misuse Cases + Assets + Security Goals , 2009, 2009 International Conference on Computational Science and Engineering.

[9]  Beth Kapes Covering Your Assets , 2003 .

[10]  Matt Bishop,et al.  Computer Security: Art and Science , 2002 .

[11]  Haruhiko Kaiya,et al.  Security Requirements Elicitation Using Method Weaving and Common Criteria , 2008, MoDELS Workshops.

[12]  Alistair Cockburn,et al.  Writing Effective Use Cases , 2000 .

[13]  Nakornthip Prompoon,et al.  Enterprise Assets Security Requirements Construction from ESRMG Grammar based on Security Patterns , 2007, 14th Asia-Pacific Software Engineering Conference (APSEC'07).

[14]  John Mylopoulos,et al.  Security and privacy requirements analysis within a social setting , 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003..

[15]  Yijun Yu,et al.  AVT Vector: A Quantitative Security Requirements Evaluation Approach Based on Assets, Vulnerabilities and Trustworthiness of Environment , 2009, 2009 17th IEEE International Requirements Engineering Conference.

[16]  Axel van Lamsweerde,et al.  Elaborating security requirements by construction of intentional anti-models , 2004, Proceedings. 26th International Conference on Software Engineering.

[17]  Haralambos Mouratidis,et al.  Secure Tropos: a Security-Oriented Extension of the Tropos Methodology , 2007, Int. J. Softw. Eng. Knowl. Eng..

[18]  Bashar Nuseibeh,et al.  Security Requirements Engineering: A Framework for Representation and Analysis , 2008, IEEE Transactions on Software Engineering.

[19]  Axel van Lamsweerde,et al.  Requirements Engineering: From System Goals to UML Models to Software Specifications , 2009 .

[20]  Eric Yu,et al.  Social Modeling for Requirements Engineering , 2011, Cooperative information systems.

[21]  John Mylopoulos,et al.  Non-Functional Requirements in Software Engineering , 2000, International Series in Software Engineering.

[22]  Michael Howard,et al.  The security development lifecycle : SDL, a process for developing demonstrably more secure software , 2006 .

[23]  Hisham M. Haddad,et al.  A Methodological Tool for Asset Identification in Web Applications: Security Risk Assessment , 2009, 2009 Fourth International Conference on Software Engineering Advances.

[24]  R. B. Johnson,et al.  Educational Research: Quantitative, Qualitative, and Mixed Approaches , 2007 .

[25]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[26]  Nobukazu Yoshioka,et al.  Aligning Security Requirements and Security Assurance Using the Common Criteria , 2010, 2010 Fourth International Conference on Secure Software Integration and Reliability Improvement.

[27]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.