The last decade has seen an increasing focus on addressing security during the earliest stages of system development, such as requirements determination. Attack trees and misuse cases are established techniques for representing security threats along with their potential mitigations. Previous work has compared attack trees and misuse cases in two experiments with students. The present paper instead presents an experiment in which industrial practitioners perform the experimental tasks in their workplace. The industrial experiment confirms a central finding from the student experiments: that attack trees tend to help identify more threats than misuse cases. It also presents a new result: that misuse cases tend to encourage identification of threats associated with earlier development stages than attack trees do. The two techniques should therefore be considered complementary and should be used together in practical requirements work.