Comparing attack trees and misuse cases in an industrial setting
Affiliation: 1. Dept. of Computer and Information Science, Norwegian University of Science and Technology, Sem Sælands vei 7-9, NO-7491 Trondheim, Norway; 2. Dept. of Information Science and Media Studies, University of Bergen, P.O. Box 7802, NO-5020 Bergen, Norway; 1. Department of Informatics, Donald Bren School of Information and Computer Sciences, University of California, Irvine, CA 92697-3425, USA; 2. Pontifícia Universidade Católica do Rio Grande do Sul (PUCRS), Av. Ipiranga 6681, Faculdade de Informática, Prédio 32, Sala 505, Partenon, Porto Alegre, RS 90619-900, Brazil; 1. Open University of Madrid, UDIMA – Facultad de Enseñanzas Técnicas, Ctra. De la Coruña, Km 38.500 – Vía de Servicio 15 – 28400, Collado Villalba, Madrid, Spain; 2. Technical University of Madrid, School of Computer Science, Campus de Montegancedo, s/n – 28660, Boadilla del Monte, Madrid, Spain; 3. Universidad de las Islas Baleares, Departamento de Matemáticas e Informática, Edificio Anselm Turmeda, Crta. Valldemossa, Km 7.5 – 07122, Palma de Mallorca, Spain; 1. Department of Computer Science and Information Engineering, Fu Jen Catholic University, No. 510, Zhongzheng Rd., Xinzhuang Dist., New Taipei City 24205, Taiwan, ROC; 2. Department of Computer Science and Information Engineering, National Taipei University of Technology, Taipei City, Taiwan, ROC; 1. Simon Fraser University, 8888 University Dr, Burnaby, BC V5A 1S6, Canada; 2. Athabasca University, 1 University Drive, Athabasca, AB T9S 3A3, Canada; 3. Ryerson University, 350 Victoria St, Toronto, ON M5B 2K3, Canada
Abstract: The last decade has seen an increasing focus on addressing security already during the earliest stages of system development, such as requirements determination. Attack trees and misuse cases are established techniques for representing security threats along with their potential mitigations. Previous work has compared attack trees and misuse cases in two experiments with students. The present paper instead presents an experiment where industrial practitioners perform the experimental tasks in their workplace. The industrial experiment confirms a central finding from the student experiments: that attack trees tend to help identify more threats than misuse cases. It also presents a new result: that misuse cases tend to encourage identification of threats associated with earlier development stages than attack trees. The two techniques should therefore be considered complementary and should be used together in practical requirements work.
Keywords: Security requirements; Requirements modelling; Misuse cases; Attack trees; Industrial experiment
This article is indexed in ScienceDirect and other databases.