A Unified Use-Misuse Case Model for Capturing and Analysing Safety and Security Requirements

O. T. Arogundade (Chinese Academy of Sciences, China), A. T. Akinwale (University of Agriculture, Abeokuta, Nigeria), Z. Jin (Peking University, China) and X. G. Yang (Chinese Academy of Sciences, China)
Copyright: © 2011 | Pages: 23
DOI: 10.4018/jisp.2011100102

Abstract

This paper proposes an enhanced use-misuse case model that allows both safety and security requirements to be captured during requirements elicitation. The proposed model extends the concept of misuse case by incorporating vulnerable use case and abuse case notations and relations that allow understanding and modeling of different attackers' and abusers' behaviors during the early stage of the system development life cycle, and finishes with a practical, consistent combined model for engineering safety and security requirements. The model was successfully applied to a health care information system, using information gathered through the University of Kansas HISPC project. The authors were able to capture both the security and safety requirements necessary for effective functioning of the system. In order to enhance the integration of the proposed model into risk analysis, the authors give both a textual and a detailed description of the model. The authors compared the proposed approach with other existing methods that identify and analyze safety and security requirements and discovered that it captures more security and safety threats.
Article Preview

Introduction

The use case method is a research tool in the Requirements Engineering (RE) field, where the concept of use case is used to model functional requirements and misuse case is used to model non-functional requirements for a system. Use cases are becoming popular for determining, communicating, specifying and documenting requirements (Constantine & Lockwood, 1999; Cockburn, 2001; Jacobson et al., 1992; Kulak & Guiney, 2000; Rumbaugh, 1994). Misuse case, the extension of use case by Sindre and Opdahl (2005), allows the concept of use case to be useful in eliciting non-functional requirements. Safety and security requirements are often developed independently of the rest of the requirements engineering activity and hence are not integrated into the mainstream of the requirements activities. As a result, safety and security requirements that are specific to the system and that provide for protection of essential services, features and assets are often neglected (Mead, 2007).

The ad hoc integration of safety and security mechanisms into a software system that has already been developed has a negative impact on the maintainability and security of the system (Eduardo, Jurjens, Trujillo, & Sushil, 2009).

With the ever-increasing exploitation of networking technologies, it is now imperative that both safety and security be taken into account during the early stage of the system development life cycle (Harrison & Sujan, 2008).

In our initial work (Arogundade et al., in press) we introduced the vulnerable use case, including the inside abuser, in order to address the issue of deliberate acts in safety concerns. This paper refines that initial work by proposing an enhanced use-misuse case model for eliciting and analyzing safety and security requirements in a unified framework. The ideas in this paper have been applied to one realistic case study, the e-health care system. The e-health care information used in this paper is retrieved from the Health Information Technology Resource Toolkit developed through the University of Kansas HISPC project (http://ehealth.kansashealthonline.org).
