CSDL Home A ARES 2008 2012 Seventh International Conference on Availability, Reliability and Security
Mar. 4, 2008 to Mar. 7, 2008
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ARES.2008.88
It is recognised that security has to be addressed through the whole system development process. However current practices address security only in late stages, i.e., development or maintenance. Due to the success of UML use cases, misuse cases have been accepted by industry as a means to tackle security. However misuse cases, firstly, lack a precise application process, secondly, are too general which results in under-definition or misinterpretation of their concepts. In this paper we examine misuse cases in the light of a reference model for information system security risk management (ISSRM). Using the well-known Meeting Scheduler example we show how misuse cases can be used to follow a security risk management process. Next we check the misuse case ontology according to the concepts found in current risk management standards. The paper suggests improvements for the conceptual appropriateness of misuse cases for the security risk domain.
Security risk management, Misuse cases, Requirements engineering, Information systems
Raimundas Matulevicius, Nicolas Mayer, Patrick Heymans, "Alignment of Misuse Cases with Security Risk Management", ARES, 2008, 2012 Seventh International Conference on Availability, Reliability and Security, 2012 Seventh International Conference on Availability, Reliability and Security 2008, pp. 1397-1404, doi:10.1109/ARES.2008.88