Enhanced Misuse Cases for Prioritization of Security Requirements.

Nowadays, it is impossible to ignore the implementation of security features in information systems since they manage important assets that are critical for the business processes of organizations. In this aspect, there have been several researches for introducing the security analysis in different stages of software development life cycle. Among those solutions, one of the most interesting one is the usage of misuse cases. Misuse cases, which are extensions of the well-known use cases, were created for defining security requirements. A misuse case can be considered as the inverse of a use case and it defines functions that the system should not allow. Even though, misuse cases are very useful for eliciting security requirements, they do not provide a mechanism to prioritize such requirements. Therefore, they do not address the problem of optimal risk management. Software engineers often have to work within a given set of budget constraints that may impede them from implementing all possible countermeasures. Thus, the software engineer needs to find a way to prioritize the security requirements to decide which requirements will be developed. Motivated by the mentioned limitation of misuse cases, the presented paper proposes an enhanced misuse case model which incorporates a method for prioritization of security requirements.