Mal-Activity Diagrams for Capturing Attacks on Business Processes Export

@incollection{citeulike:4740390, abstract = {Security is becoming an increasingly important issue for IT systems, yet it is often dealt with as separate from mainstream systems and software development and in many cases neglected or addressed post-hoc, yielding costly and unsatisfactory solutions. One idea to improve the focus on security might be to include such concerns into mainstream diagram notations used in information systems analysis, and one existing proposal for this is misuse cases, allowing for representation of attack use cases together with the normal legitimate use cases of a system. While this technique has shown much promise, it is not equally useful for all kinds of attack. In this paper we look into another type of technique that could complement misuse cases for early elicitation of security requirements, namely mal-activity diagrams. These allow the inclusion of hostile activities together with legitimate activities in business process models. Through some examples and a small case study, mal-activity diagrams are shown to have strengths in many aspects where misuse cases have weaknesses.}, author = {Sindre, Guttorm}, citeulike-article-id = {4740390}, citeulike-linkout-0 = {http://dx.doi.org/10.1007/978-3-540-73031-6_27}, citeulike-linkout-1 = {http://www.springerlink.com/content/gq3746966q4r3xp4}, doi = {10.1007/978-3-540-73031-6_27}, journal = {Requirements Engineering: Foundation for Software Quality}, keywords = {0\_mal\_processes, david}, pages = {355--366}, posted-at = {2009-06-04 06:02:51}, priority = {2}, title = {Mal-Activity Diagrams for Capturing Attacks on Business Processes}, url = {http://dx.doi.org/10.1007/978-3-540-73031-6_27}, year = {2007} }

TY - CHAP ID - citeulike:4740390 L3 - citeulike-article-id:4740390 N2 - Security is becoming an increasingly important issue for IT systems, yet it is often dealt with as separate from mainstream systems and software development and in many cases neglected or addressed post-hoc, yielding costly and unsatisfactory solutions. One idea to improve the focus on security might be to include such concerns into mainstream diagram notations used in information systems analysis, and one existing proposal for this is misuse cases, allowing for representation of attack use cases together with the normal legitimate use cases of a system. While this technique has shown much promise, it is not equally useful for all kinds of attack. In this paper we look into another type of technique that could complement misuse cases for early elicitation of security requirements, namely mal-activity diagrams. These allow the inclusion of hostile activities together with legitimate activities in business process models. Through some examples and a small case study, mal-activity diagrams are shown to have strengths in many aspects where misuse cases have weaknesses. JF - Requirements Engineering: Foundation for Software Quality EP - 366 TI - Mal-Activity Diagrams for Capturing Attacks on Business Processes SP - 355 KW - 0_mal_processes KW - david AU - Sindre, Guttorm PY - 2007/// UR - http://dx.doi.org/10.1007/978-3-540-73031-6_27 ER -