Eliciting Security Requirements Through Misuse Activities

Author(s)

Michael Van Hilst, Nova Southeastern UniversityFollow
Fabricio A. Braz
Eduardo B. Fernandez

Document Type

Article

Publication Title

IEEE 19th International Conference on Database and Expert Systems Application

Event Date/Location

Turin, Italy / 2008

ISSN

978-0-7695-3299-8

Publication Date

9-2008

Abstract

In previous work we introduced an approach for finding security requirements based on misuse activities (actions). This method starts from the activity diagram of a use case (or a sequence of use cases). Each activity is analyzed to see how it could be subverted to produce a misuse of information. This analysis results in a set of threats. We then consider which policies can stop or mitigate these threats. We now extend that approach to consider in the analysis the type of misuse (confidentiality, integrity ...) that can happen in each activity, the role of the attacker, and the context for the threat. This extended analysis results in a finer and more systematic way to find threats and we can identify now more threats. We also improve the way to find the policies to control these threats and we consider how to map the corresponding policies to security patterns. The information in each pattern helps in the selection of an optimal (or good) set of policies. Our extended approach can be conveniently incorporated in a methodology to build secure systems.

DOI

10.1109/DEXA.2008.101

NSUWorks Citation

Van Hilst, Michael; Braz, Fabricio A.; and Fernandez, Eduardo B., "Eliciting Security Requirements Through Misuse Activities" (2008). CCE Faculty Articles. 470.
https://nsuworks.nova.edu/gscis_facarticles/470