Using Abuse Frames to Bound the Scope of Security Problems

Authors:
Luncheng Lin;Bashar Nuseibeh;Darrel Ince;Michael Jackson
Affiliations:
The Open University, UK;The Open University, UK;The Open University, UK;The Open University, UK
Venue:
RE '04 Proceedings of the Requirements Engineering Conference, 12th IEEE International
Year:
2004

Citing 0
Cited 10

Adapting Secure Tropos for Security Risk Management in the Early Phases of Information Systems Development

CAiSE '08 Proceedings of the 20th international conference on Advanced Information Systems Engineering
Experimental comparison of attack trees and misuse cases for security threat identification

Information and Software Technology
Requirements Engineering Education for Professional Engineers

Proceedings of the 2008 conference on Knowledge-Based Software Engineering: Proceedings of the Eighth Joint Conference on Knowledge-Based Software Engineering
Mal-activity diagrams for capturing attacks on business processes

REFSQ'07 Proceedings of the 13th international working conference on Requirements engineering: foundation for software quality
Goal-oriented security threat mitigation patterns: a case of credit card theft mitigation

Proceedings of the 16th Conference on Pattern Languages of Programs
Discovering Multidimensional Correlations among Regulatory Requirements to Understand Risk

ACM Transactions on Software Engineering and Methodology (TOSEM)
A Unified Use-Misuse Case Model for Capturing and Analysing Safety and Security Requirements

International Journal of Information Security and Privacy
Threat and Risk-Driven Security Requirements Engineering

International Journal of Mobile Computing and Multimedia Communications
Comparing attack trees and misuse cases in an industrial setting

Information and Software Technology
From misuse cases to mal-activity diagrams: bridging the gap between functional security analysis and design

Software and Systems Modeling (SoSyM)

Quantified Score

Hi-index	0.00

Visualization

Abstract

Security problems arise from the concern for protecting assets from security threats. In a systems development process, the security protection of a system is specified by security requirements, identified from the analysis of the threats to the system. However, as it is often not possible to obtain a full system description until late in the RE process, a security problem often has to be described in the context of a bounded scope, that is, one containing only the domains relevant to some part of the functionality of the full system. By binding the scope of a security problem, it can be described more explicitly and precisely, thereby facilitating the identification and analysis of threats, which in turn drive the elicitation and elaboration of security requirements. In this poster, we elaborate on an approach we developed based on abuse frames and suggest how it can provide a means for structuring and bounding the scope security problems.