
Publication


Featured research published by Guttorm Sindre.


Requirements Engineering | 2005

Eliciting security requirements with misuse cases

Guttorm Sindre; Andreas L. Opdahl

Use cases have become increasingly common during requirements engineering, but they offer limited support for eliciting security threats and requirements. At the same time, the importance of security is growing with the rise of phenomena such as e-commerce and nomadic and geographically distributed work. This paper presents a systematic approach to eliciting security requirements based on use cases, with emphasis on description and method guidelines. The approach extends traditional use cases to also cover misuse, and is potentially useful for several other types of extra-functional requirements beyond security.


IEEE Software | 1994

Understanding quality in conceptual modeling

Odd Ivar Lindland; Guttorm Sindre; Arne Sølvberg

With the increasing focus on early development as a major factor in determining overall quality, many researchers are trying to define what makes a good conceptual model. However, existing frameworks often do little more than list desirable properties. The authors examine attempts to define quality as it relates to conceptual models and propose their own framework, which includes a systematic approach to identifying quality-improvement goals and the means to achieve them. The framework has two unique features: it distinguishes between goals and means by separating what you are trying to achieve in conceptual modeling from how to achieve it (it has been made so that the goals are more realistic by introducing the notion of feasibility); and it is closely linked to linguistic concepts because modeling is essentially making statements in some language.


European Journal of Information Systems | 2006

Process models representing knowledge for action: a revised quality framework

John Krogstie; Guttorm Sindre; Håvard D. Jørgensen

A semiotic framework for evaluating the quality of conceptual models was proposed by (Lindland OI, Sindre G and Sølvberg A (1994) Understanding Quality in Conceptual Modelling, IEEE Software 11(2), 41–49) and has later been extended in several works. While the extensions have fixed some of the limitations of the initial framework, other limitations remain. In particular, the framework is too static in its view upon semantic quality, mainly considering models, not modelling activities, and comparing these models to a static domain rather than seeing the model as a facilitator for changing the domain. Also, the framework's definition of pragmatic quality is quite narrow, focusing on understanding, in line with the semiotics of Morris, while newer research in linguistics and semiotics has focused beyond mere understanding, on how the model is used and impacts its interpreters. The need for a more dynamic view in the semiotic quality framework is particularly evident when considering process models, which themselves often prescribe or even enact actions in the problem domain, hence a change to the model may also change the problem domain directly. This paper discusses the quality framework in relation to active process models and suggests a revised framework based on this.


Technology of Object Oriented Languages and Systems | 2000

Eliciting security requirements by misuse cases

Guttorm Sindre; Andreas L. Opdahl

Use case diagrams (L. Jacobson et al., 1992) have proven quite helpful in requirements engineering, both for eliciting requirements and getting a better overview of requirements already stated. However, not all kinds of requirements are equally well supported by use case diagrams. They are good for functional requirements, but poorer at e.g., security requirements, which often concentrate on what should not happen in the system. With the advent of e- and m-commerce applications, security requirements are growing in importance, also for quite simple applications where a short lead time is important. Thus, it would be interesting to look into the possibility for applying use cases on this arena. The paper suggests how this can be done, extending the diagrams with misuse cases. This new construct makes it possible to represent actions that the system should prevent, together with those actions which it should support.


Proceedings of the IFIP international working conference on Information system concepts: Towards a consolidation of views | 1995

Defining quality aspects for conceptual models

John Krogstie; Odd Ivar Lindland; Guttorm Sindre

The notion of quality for information system models and other conceptual models is not well understood, and in most literature only lists of useful properties have been provided. However, the recent framework of Lindland et al. has tried to take a more systematic approach, defining the notions of syntactic, semantic, and pragmatic quality of models, and distinguishing between quality goals and the means to achieve them. Here, this framework is extended by discussing the six semiotic layers of communication identified by FRISCO. Definitions are provided for physical, syntactic, semantic, pragmatic, and social quality, respectively, and to the extent possible, metrics are provided for the defined quality goals. In addition the related areas of language and knowledge quality are discussed briefly.


International Conference on Software Engineering | 2003

Evaluating the quality of information models: empirical testing of a conceptual model quality framework

Daniel L. Moody; Guttorm Sindre; Terje Brasethvik; Arne Sølvberg

This paper conducts an empirical analysis of a semiotics-based quality framework for quality assuring information models. 192 participants were trained in the concepts of the quality framework, and used it to evaluate models represented in an extended Entity Relationship (ER) language. A randomised, double-blind design was used, in which each participant independently reviewed multiple models and each model was evaluated by multiple reviewers. A combination of quantitative and qualitative analysis techniques was used to evaluate the results, including reliability analysis, validity analysis, interaction analysis, influence analysis, defect pattern analysis and task accuracy analysis. An analysis was also conducted of the framework's likelihood of adoption in practice. The study provides strong support for the validity of the framework and suggests that it is likely to be adopted in practice, but raises questions about its reliability and the ability of participants to use it to accurately identify defects. The research findings provide clear directions for improvement of the framework. The research methodology used provides a general approach to empirical validation of quality frameworks.


Information & Software Technology | 2009

Experimental comparison of attack trees and misuse cases for security threat identification

Andreas L. Opdahl; Guttorm Sindre

A number of methods have been proposed or adapted to include security in the requirements analysis stage, but the industrial take-up has been limited and there are few empirical and comparative evaluations. This paper reports on a pair of controlled experiments that compared two methods for early elicitation of security threats, namely attack trees and misuse cases. The 28 and 35 participants in the two experiments solved two threat identification tasks individually by means of the two techniques, using a Latin-Squares design to control for technique and task order. The dependent variables were effectiveness of the techniques measured as the number of threats found, coverage of the techniques measured in terms of the types of threats found and perceptions of the techniques measured through a post-task questionnaire based on the Technology Acceptance Model. The only difference was that, in the second experiment, the participants were given a pre-drawn use-case diagram to use as a starting point for solving the tasks. In the first experiment, no pre-drawn use-case diagram was provided. The main finding was that attack trees were more effective for finding threats, in particular when there was no pre-drawn use-case diagram. However, the participants had similar opinions of the two techniques, and perception of a technique was not correlated with performance with that technique. The study underlines the need for further comparisons in a broader range of settings involving additional techniques, and it suggests several concrete experiments and other paths for further work.


Journal of Systems and Software | 1995

The REBOOT approach to software reuse

Guttorm Sindre; Reidar Conradi; Even-André Karlsson

Although some companies have been successful in software reuse, many research projects on reuse have had little industrial penetration. Often the proposed technology has been too ambitious or exotic, or did not scale up. REBOOT emphasizes industrial applicability of the proposed technology in a holistic perspective: a validated method through a Methodology Handbook, a stabilized tool set around a reuse library, a training package, and initial software repositories of reusable components extracted from company-specific projects. This article presents the REBOOT approach to software reuse, covering both organizational and technical aspects and the experiences so far from the applications.


Conference on Object Oriented Programming Systems Languages and Applications | 1993

On the purpose of object-oriented analysis

Geir Magne Høydalsvik; Guttorm Sindre

The paper discusses the general purpose of analysis and evaluates OOA with respect to this, arguing that OOA does not deliver what it claims to do. The two major problems are that OOA often does not meet the full needs of the analysis phase, and that the transition to design is not always as easy as promised. The last point is illustrated by a solution to the OOPSLA conference registration problem. Due to the mentioned shortcomings, OOA/OOD was not found sufficient for forming the basis of a common development methodology for three Norwegian software producers in a technology transfer project with our university. The suggestion made is that OOA should become problem-oriented rather than target-oriented.


Requirements Engineering Foundation for Software Quality | 2007

Mal-activity diagrams for capturing attacks on business processes

Guttorm Sindre

Security is becoming an increasingly important issue for IT systems, yet it is often dealt with as separate from mainstream systems and software development and in many cases neglected or addressed post-hoc, yielding costly and unsatisfactory solutions. One idea to improve the focus on security might be to include such concerns into mainstream diagram notations used in information systems analysis, and one existing proposal for this is misuse cases, allowing for representation of attack use cases together with the normal legitimate use cases of a system. While this technique has shown much promise, it is not equally useful for all kinds of attack. In this paper we look into another type of technique that could complement misuse cases for early elicitation of security requirements, namely mal-activity diagrams. These allow the inclusion of hostile activities together with legitimate activities in business process models. Through some examples and a small case study, mal-activity diagrams are shown to have strengths in many aspects where misuse cases have weaknesses.

Collaboration


Dive into Guttorm Sindre's collaboration.

Top Co-Authors

John Krogstie
Norwegian University of Science and Technology

Tor Stålhane
Norwegian University of Science and Technology

Peter Karpati
Norwegian University of Science and Technology

Sundar Gopalakrishnan
Norwegian University of Science and Technology

Arne Sølvberg
Norwegian University of Science and Technology

Trond Aalberg
Norwegian University of Science and Technology

Odd Ivar Lindland
Norwegian Institute of Technology