Misuse, Abuse and Reuse: Economic Utility Functions for Characterising Security Requirements

Negative use cases - in the form of 'misuse' or 'abuse' cases - have found a broad following within the security community due to their ability to make explicit the knowledge, assumptions and desires of stakeholders regarding real and perceived threats to systems. As an accepted threat modelling tool, they have become a standard part of many Secure Software Engineering (SSE) processes. Despite this widespread adoption, aspects of the original misuse case concept have yet to receive a formal treatment in the literature. This paper considers the application of economic utility functions within the negative use case development process, as a means of addressing existing challenges. We provide a simple demonstration of how existing practice might integrate economic factors to describe the business, management and functional concerns that surround system security and software development.

[1]  Bernd Freisleben,et al.  Why eve and mallory love android: an analysis of android SSL (in)security , 2012, CCS.

[2]  Steve Lipner,et al.  Security development lifecycle , 2010, Datenschutz und Datensicherheit - DuD.

[3]  Gary Stoneburner,et al.  SP 800-30. Risk Management Guide for Information Technology Systems , 2002 .

[4]  James Stevens,et al.  Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process , 2007 .

[5]  Ivan Flechais,et al.  Designing Secure and Usable Systems , 2005 .

[6]  D. Pinto Secrets and Lies: Digital Security in a Networked World , 2003 .

[7]  A. Opdahl,et al.  A Reuse-Based Approach to Determining Secur ity Requirements , 2003 .

[8]  Martin Gilje Jaatun,et al.  Security Requirements for the Rest of Us: A Survey , 2008, IEEE Software.

[9]  Duminda Wijesekera,et al.  Meta-models for misuse cases , 2009, CSIIRW '09.

[10]  John P. McDermott,et al.  Abuse-case-based assurance arguments , 2001, Seventeenth Annual Computer Security Applications Conference.

[11]  Andrew C. Simpson,et al.  When the Winning Move is Not to Play: Games of Deterrence in Cyber Security , 2015, GameSec.

[12]  Andreas L. Opdahl,et al.  Templates for Misuse Case Description , 2001 .

[13]  Nicolas Christin,et al.  Secure or insure?: a game-theoretic analysis of information security games , 2008, WWW.

[14]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[15]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[16]  H. Varian Intermediate Microeconomics: A Modern Approach , 1987 .

[17]  Lawrence A. Gordon,et al.  The economics of information security investment , 2002, TSEC.

[18]  Kenneth R. van Wyk,et al.  Bridging the Gap between Software Development and Information Security , 2005, IEEE Secur. Priv..

[19]  Andreas L. Opdahl,et al.  Capturing Security Requirements through Misuse Cases , 2001 .

[20]  Mary Shaw,et al.  Software Selection and Configuration in Mobile Environments: A Utility-Based Approach , 2002 .

[21]  Bashar Nuseibeh,et al.  Weaving Together Requirements and Architectures , 2001, Computer.

[22]  Michael M. May,et al.  How much is enough? A risk management approach to computer security , 2000 .

[23]  Tyler Moore,et al.  The Iterated Weakest Link - A Model of Adaptive Security Investment , 2016, WEIS.

[24]  Juhani Heikka,et al.  Abuse Cases Revised: An Action Research Experience , 2006, PACIS.

[25]  Gary McGraw,et al.  Software Security: Building Security In , 2006, 2006 17th International Symposium on Software Reliability Engineering.

[26]  Susan Lilly,et al.  Use case pitfalls: top 10 problems from real projects using use cases , 1999, Proceedings of Technology of Object-Oriented Languages and Systems - TOOLS 30 (Cat. No.PR00278).

[27]  Tyler Moore,et al.  The Economics of Information Security , 2006, Science.

[28]  Bruce Schneier,et al.  Secrets and Lies: Digital Security in a Networked World , 2000 .

[29]  Andreas L. Opdahl,et al.  Generalization/specialization as a structuring mechanism for misuse cases , 2002 .

[30]  Paul Dyson,et al.  Cost-Effective Security , 2007, IEEE Security & Privacy.

[31]  Annie I. Antón,et al.  Misuse and Abuse Cases : Getting Past the Positive , 2022 .

[32]  Wouter Joosen,et al.  On the secure software development process: CLASP, SDL and Touchpoints compared , 2009, Inf. Softw. Technol..

[33]  Ian F. Alexander,et al.  Misuse Cases: Use Cases with Hostile Intent , 2003, IEEE Softw..

[34]  G. Stoneburner,et al.  Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology , 2002 .

[35]  Nancy R. Mead,et al.  Survivable Network System Analysis: A Case Study , 1999, IEEE Softw..

[36]  Lillian. Rostad An extended misuse case notation: Including vulnerabilities and the insider threat , 2006 .

[37]  David Brumley,et al.  An empirical study of cryptographic misuse in android applications , 2013, CCS.