Experimental comparison of attack trees and misuse cases for security threat identification

A number of methods have been proposed or adapted to include security in the requirements analysis stage, but industrial take-up has been limited and there are few empirical and comparative evaluations. This paper reports on a pair of controlled experiments that compared two methods for early elicitation of security threats: attack trees and misuse cases. The 28 and 35 participants in the two experiments solved two threat identification tasks individually with each of the two techniques, using a Latin-squares design to control for technique and task order. The dependent variables were effectiveness, measured as the number of threats found; coverage, measured as the types of threats found; and perception of the techniques, measured through a post-task questionnaire based on the Technology Acceptance Model. The two experiments differed only in that, in the second, participants were given a pre-drawn use-case diagram as a starting point for the tasks, whereas in the first no such diagram was provided. The main finding was that attack trees were more effective for finding threats, in particular when no pre-drawn use-case diagram was available. However, participants held similar opinions of the two techniques, and perception of a technique was not correlated with performance with that technique. The study underlines the need for further comparisons in a broader range of settings involving additional techniques, and it suggests several concrete experiments and other paths for further work.
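As an added illustration of the attack-tree technique compared in the paper (example code written for this page, not code from the paper or its experimental materials), the following Python evaluates a small constructed attack tree: it enumerates the minimal attack scenarios implied by the AND/OR structure, counts the leaf threats per category (the analogue of the effectiveness and coverage measures above), and finds the cheapest scenario. The tree, the attacker-effort costs and the threat-category labels are all assumptions made for the example.

```python
"""Attack-tree evaluation: minimal attack scenarios, threat counts and coverage.

Added example, not code from the paper. The tree, node names, effort costs and
the threat-category labels below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Node:
    name: str
    kind: str = "LEAF"              # "LEAF", "OR" or "AND"
    children: List["Node"] = field(default_factory=list)
    category: Optional[str] = None  # threat category of a leaf (assumed labels)
    cost: int = 0                   # attacker effort of a leaf (assumed units)


def leaves(node: Node) -> List[Node]:
    """All leaf attacks below `node`, in document order."""
    if node.kind == "LEAF":
        return [node]
    return [leaf for child in node.children for leaf in leaves(child)]


def scenarios(node: Node) -> List[FrozenSet[str]]:
    """Minimal sets of leaf attacks that achieve `node`.

    OR: any one child's scenario suffices.  AND: one scenario from every
    child is needed, so take the union over the cross product.  Scenarios
    that are supersets of another scenario are pruned, so each result is a
    minimal cut set of the tree.
    """
    if node.kind == "LEAF":
        return [frozenset([node.name])]
    if node.kind == "OR":
        found = [s for child in node.children for s in scenarios(child)]
    elif node.kind == "AND":
        found = [frozenset().union(*combo)
                 for combo in product(*(scenarios(c) for c in node.children))]
    else:
        raise ValueError(f"unknown node kind {node.kind!r}")
    minimal = {s for s in found if not any(other < s for other in found)}
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def coverage(node: Node) -> Dict[str, int]:
    """Number of leaf threats per category: the 'types of threats found'."""
    counts: Dict[str, int] = {}
    for leaf in leaves(node):
        label = leaf.category or "uncategorised"
        counts[label] = counts.get(label, 0) + 1
    return counts


def scenario_cost(scenario: FrozenSet[str], node: Node) -> int:
    """Total attacker effort of one scenario (sum of its leaf costs)."""
    costs = {leaf.name: leaf.cost for leaf in leaves(node)}
    return sum(costs[name] for name in scenario)


def cheapest_scenario(node: Node) -> FrozenSet[str]:
    """The scenario a rational attacker would pick first: least total effort."""
    return min(scenarios(node), key=lambda s: scenario_cost(s, node))


# Constructed example: root goal of a hypothetical web shop's threat analysis.
EXAMPLE_TREE = Node("Read another customer's order history", "OR", [
    Node("Guess weak password", category="spoofing", cost=3),
    Node("Phish credentials", "AND", [
        Node("Send phishing e-mail", category="spoofing", cost=2),
        Node("Victim submits credentials to fake site", category="spoofing", cost=4),
    ]),
    Node("Hijack session", "AND", [
        Node("Sniff session cookie on open Wi-Fi", category="information disclosure", cost=2),
        Node("Replay stolen cookie", category="spoofing", cost=1),
    ]),
    Node("Tamper with order id in request", category="tampering", cost=1),
])

if __name__ == "__main__":
    print("threats found:", len(leaves(EXAMPLE_TREE)))
    print("coverage:", coverage(EXAMPLE_TREE))
    for s in scenarios(EXAMPLE_TREE):
        print(scenario_cost(s, EXAMPLE_TREE), sorted(s))
    print("cheapest:", sorted(cheapest_scenario(EXAMPLE_TREE)))
```

The leaf count and the per-category counts are what a grader would record as effectiveness and coverage for an attack tree produced in the experiment; the scenario enumeration goes one step beyond identification and shows why AND nodes matter (the two phishing steps count as two threats but only one attack scenario).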