Andreas L. Opdahl

Eliciting security requirements with misuse cases

Use cases have become increasingly common during requirements engineering, but they offer limited support for eliciting security threats and requirements. At the same time, the importance of security is growing with the rise of phenomena such as e-commerce and nomadic and geographically distributed work. This paper presents a systematic approach to eliciting security requirements based on use cases, with emphasis on description and method guidelines. The approach extends traditional use cases to also cover misuse, and is potentially useful for several other types of extra-functional requirements beyond security.

Eliciting security requirements by misuse cases

Use case diagrams (L. Jacobson et al., 1992) have proven quite helpful in requirements engineering, both for eliciting requirements and getting a better overview of requirements already stated. However, not all kinds of requirements are equally well supported by use case diagrams. They are good for functional requirements, but poorer at e.g., security requirements, which often concentrate on what should not happen in the system. With the advent of e- and m-commerce applications, security requirements are growing in importance, also for quite simple applications where a short lead time is important. Thus, it would be interesting to look into the possibility for applying use cases on this arena. The paper suggests how this can be done, extending the diagrams with misuse cases. This new construct makes it possible to represent actions that the system should prevent, together with those actions which it should support.

Ontological Evaluation of the UML using the Bunge-Wand-Weber Model

An ontological model of information systems, the Bunge–Wand–Weber (BWW) model, is used to analyse and evaluate the Unified Modeling Language (UML) as a language for representing concrete problem domains. As a result, each relevant and major UML construct becomes more precisely defined in terms of the phenomena in and aspects of the problem domain it represents. The analysis and evaluation shows that many of the central UML constructs are well matched with the BWW-model, but also suggests several concrete improvements to the UML-metamodel. New metaclasses are proposed to distinguish between (physically) impossible and (humanly) disallowed events, based on UML-exceptions. New abstract metaclasses are proposed for static and behavioural constraints, behaviours and static behaviours, as well as binding relationships and coupled events. New meta-subclasses of UML-objects, -classes, -typesand -relationshipsare proposed to make the UML more orthogonal, and a new definition is proposed for UML-responsibilities. The analysis also shows that the constructs in the UML must play several roles simultaneously, supporting representation both of the problem domain, of the development artifacts and of the proposed software or information system, while fitting together as a tightly integrated, well-defined language.

Experimental comparison of attack trees and misuse cases for security threat identification

A number of methods have been proposed or adapted to include security in the requirements analysis stage, but the industrial take-up has been limited and there are few empirical and comparative evaluations. This paper reports on a pair of controlled experiments that compared two methods for early elicitation of security threats, namely attack trees and misuse cases. The 28 and 35 participants in the two experiments solved two threat identification tasks individually by means of the two techniques, using a Latin-Squares design to control for technique and task order. The dependent variables were effectiveness of the techniques measured as the number of threats found, coverage of the techniques measured in terms of the types of threats found and perceptions of the techniques measured through a post-task questionnaire based on the Technology Acceptance Model. The only difference was that, in the second experiment, the participants were given a pre-drawn use-case diagram to use as a starting point for solving the tasks. In the first experiment, no pre-drawn use-case diagram was provided. The main finding was that attack trees were more effective for finding threats, in particular when there was no pre-drawn use-case diagram. However, the participants had similar opinions of the two techniques, and perception of a technique was not correlated with performance with that technique. The study underlines the need for further comparisons in a broader range of settings involving additional techniques, and it suggests several concrete experiments and other paths for further work.

Research areas and challenges for mobile information systems

This paper explores new challenges and possible approaches for developing mobile information systems, with an emphasis on model-based approaches on the conceptual and logical levels. Over the last few years, we have experienced these new challenges through our involvement in several research and industrial projects on mobile solutions, usability and model-based approaches. We summarise the main challenges of how model-based approaches can support the development of mobile information systems that are to be used together with other types of systems in a primarily professional setting and indicate upcoming research issues in this very dynamic area.

Ontological analysis of whole–part relationships in OO-models

Abstract Earlier semantic and formal analyses of whole–part (WP) relationships in object-oriented models have led to a framework, which distinguishes between primary, consequential, secondary and dependent characteristics of WP relationships. This paper interprets, validates and elaborates on that framework using an existing ontological theory and an associated formal model of objects. The revised framework confirms most of the original characteristics and suggests a number of additions and modifications. The analysis also grounds the characteristics in the framework and thereby suggests more precise definitions for some of them.

Conceptual Modelling in Information Systems Engineering

1) From Information Algebra to Enterprise Modelling and Ontologies - a Historical Perspective on Modelling for Information Systems (Janis A. Bubenko jr.) - 2) Fact Oriented Modeling: Past, Present and Future (Terry Halpin) - 3) Data Integration - Problems, Approaches, and Perspectives (Patrick Ziegler, Klaus R. Dittrich) - 4) Challenges to Conceptual Modeling (Bernhard Thalheim) - 5) Interoperable Management of Conceptual Models (Andreas L. Opdahl, Guttorm Sindre) - 6) Uniform and Flexible Data Management in Workflow Management Systems (Johann Eder, Marek Lehmann) - 7) Using Models in Enterprise Systems Projects (Jon Atle Gulla) - 8) The Role of Business Models in Enterprise Modelling (Paul Johannesson) - 9) Capturing System Intentionality with Maps (Colette Rolland) - 10) Conceptual Modeling and Software Design of Multi-Agent Systems (David Kung, Krishna Kavi) - 11) Agent Approach to Online Legal Trade (Antje Dietrich, Peter C. Lockemann, Oliver Raabe) - 12) Methods and Tools for Developing Interactive Information Systems (Anthony I. Wasserman) - 13) Conceptual Alignement of Software Production Methods (Oscar Pastor, Arturo Gonzalez, Sergio Espana) - The Co-Development of System Requirements and Functional Architecture (Klaus Pohl, Ernst Sikora) - 15) Capturing Dependability Threats in Conceptual Modelling (Guttorm Sindre, Andreas L. Opdahl) - 16 What is Being Iterated? Reflections on Iteration in Information System Engineering Processes (Nicholas Berente, Kalle Lyytinen) - 17) Systems Development in a GRIDs Environment (Keith Jeffery) - 18) Adaptive Information Systems (Barbara Pernici) - 19) Modeling of the People, by the People, for the People (John Krogstie) - 19) A Research Agenda for a Conceptual Schema-Centric Development (Antoni Olive, Jordi Cabot)

The Unified Enterprise Modelling Language—Overview and further work

The Unified Enterprise Modelling Language (UEML) aims at supporting integrated use of enterprise and IS models expressed using different languages. To achieve this aim, UEML offers a hub through which modelling languages can be connected, thereby paving the way for also connecting the models expressed in those languages. This paper motivates and presents the most central parts of the UEML approach: a structured path to describing enterprise and IS modelling constructs; a common ontology to interrelate construct descriptions at the semantic level; a correspondence analysis approach to estimate semantic construct similarity; a quality framework to aid selection of languages; a meta-meta model to integrate the different parts of the approach; and a set of tools to aid its use and evolution. The paper also discusses the benefits of UEML and points to paths for further work.

Grounding the OML metamodel in ontology

Abstract The paper analyses and evaluates the OPEN Modelling Language (OML) in terms of the Bunge–Wand–Weber (BWW) model of information systems in order to: (1) Define the semantics of each relevant OML construct in terms of the kind of problem-domain phenomena they are intended to represent. (2) Inform further improvement of OML and similar object-oriented (OO) modelling languages by identifying OML-constructs which are ontologically overloaded, redundant or excessive and by identifying construct deficits in OML. (3) Investigate the ontological assumptions underlying OO modelling further. (4) Identify the multiple roles played by OML-constructs, some of which must simultaneously (a) support representation of the problem domain, (b) support developers and other stakeholders in establishing requirements and creating a software artifact, (c) support representation of that software artifact and (d) form a well-defined, compact and tightly integrated modelling language. (5) Provide general guidelines for defining OO and other modelling constructs in terms of the kind of problem-domain phenomena they are intended to represent.

A Template for Defining Enterprise Modelling Constructs

The paper explains the need for a standard way of defining modelling constructs from different enterprise modelling languages and proposes a template for defining enterprise modelling constructs in a way that facilitates language integration. The template is based on the Bunge-Wand-Weber (BWW) representation model of information systems (IS) and has been used on several existing modelling languages and frameworks. It is illustrated with definitions of constructs from the Unified Modeling Language (UML). The paper focusses on modelling constructs that represent concrete problem domains, i.e., that represent materials rather than concepts, and thus focuses on the concrete parts and aspects of enterprises.