Abstract
Security is becoming an increasingly important issue for IT systems, yet it is often dealt with as separate from mainstream systems and software development and in many cases neglected or addressed post-hoc, yielding costly and unsatisfactory solutions. One idea to improve the focus on security might be to include such concerns into mainstream diagram notations used in information systems analysis, and one existing proposal for this is misuse cases, allowing for representation of attack use cases together with the normal legitimate use cases of a system. While this technique has shown much promise, it is not equally useful for all kinds of attack. In this paper we look into another type of technique that could complement misuse cases for early elicitation of security requirements, namely mal-activity diagrams. These allow the inclusion of hostile activities together with legitimate activities in business process models. Through some examples and a small case study, mal-activity diagrams are shown to have strengths in many aspects where misuse cases have weaknesses.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Liu, L., Yu, E., Mylopoulos, J.: Security and Privacy Requirements Analysis within a Social Setting. 11th International Requirements Engineering Conference (RE’03), Monterey Bay, CA, 8-12 September, pp. 151–160. IEEE Press, New York (2003)
Sindre, G., Opdahl, A.L.: Eliciting Security Requirements with Misuse Cases. Requirements Engineering 10, 34–44 (2005)
van Lamsweerde, A., Brohez, S., De Landtsheer, R., Janssens, D.: Froim System Goals to Intruder Anti-Goals: Attack Generation and Resolution for Security Requirements Engineering. In: Heytmeier, C., Mead, N. (eds.) 2nd International Workshop on Requirements Engineering for High Assurance Systems (RHAS’03), Carnegie Mellon University, September 8, pp. 49–56. Monterey Bay, CA (2003)
Haley, C.B., Moffett, J., Laney, R., Nuseibeh, B.: Arguing Security: Validating Security Requirements Using Structured Argumentation. In: 3rd Symposium on Requirements Engineering for Information Security (SREIS 2005), Paris, France, (August 29, 2005)
Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002 - The Unified Modeling Language. Model Engineering, Concepts, and Tools. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)
Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2004)
Sindre, G., Opdahl, A.L.: Eliciting Security Requirements by Misuse Cases. In: Henderson-Sellers, B., Meyer, B. (eds.) TOOLS Pacific 2000, Sydney, pp. 120–131. IEEE CS Press, Los Alamitos (2000)
Jackson, M.: Problem Frames. Addison-Wesley, London (2001)
Mitnick, K.D., Simon, W.L.: The Art of Deception: Controlling the Human Element of Security. Wiley Publishing, Inc, Indianapolis (2002)
Lin, L., Nuseibeh, B., Ince, D., Jackson, M.: Using Abuse Frames to Bound the Scope of Security Problems. In: Maiden, N.A.M. (ed.) 12th IEEE International Requirements Engineering Conference (RE’04), Kyoto, Japan, IEEE (2004)
Diallo, M.H., Romero-Mariona, J., Sim, S.E., Richardson, D.J.: A Comparative Evaluation of Three Approaches to Specifying Security Requirements. REFSQ’06, Luxembourg (2006)
Rodriguez, A., Fernandez-Medina, E., Piattini, M.: Capturing Security Requirements in Business Processes through a UML 2. In: Roddick, J.F., Benjamins, V.R., Si-Saïd Cherfi, S., Chiang, R., Claramunt, C., Elmasri, R., Grandi, F., Han, H., Hepp, M., Lytras, M., Mišić, V.B., Poels, G., Song, I.-Y., Trujillo, J., Vangenot, C. (eds.) ER 2006 Workshops. LNCS, vol. 4231, pp. 6–9. Springer, Heidelberg (2006)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer Berlin Heidelberg
About this paper
Cite this paper
Sindre, G. (2007). Mal-Activity Diagrams for Capturing Attacks on Business Processes. In: Sawyer, P., Paech, B., Heymans, P. (eds) Requirements Engineering: Foundation for Software Quality. REFSQ 2007. Lecture Notes in Computer Science, vol 4542. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73031-6_27
Download citation
DOI: https://doi.org/10.1007/978-3-540-73031-6_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-73030-9
Online ISBN: 978-3-540-73031-6
eBook Packages: Computer ScienceComputer Science (R0)