Computer misuse cases: Get there before the bad guys

One of the biggest challenges for security people is to imagine what might go wrong with their systems and to plan for those eventualities. What effects could users' mistakes have on the smooth running of the systems? And how could thieves and hackers cause problems?

One approach is to borrow from software developers. They build their systems to satisfy a set of pre-defined use cases that were mapped out during the requirements and design stage.

What if security people were to adopt a similar approach, but instead of describing the correct way of interacting with a system, they were to map out a series of computer 'misuse cases' showing how the system could be improperly used, whether by accident or for malicious purposes? If that were done ahead of time, it would be easier to plan for such eventualities, and also to define what is needed from a security point of view.

This is the argument outlined by John Neil Ruck and Geraint Price, in a new article published in SearchSecurity.co.uk, entitled 'Misuse Cases: earlier and smarter information security' (see below for the full .pdf). The article is part of our 2009 series featuring the best new MSc theses from graduates of the information security group at Royal Holloway University of London (RHUL).

The authors argue that misuse cases could be embedded into the software development lifecycle, from the very earliest definition of requirements right through to final testing. They would help to define and prioritise the security requirements at an early stage, and they would also help to ensure that all security requirements have been met before the system goes into production.

To illustrate the power of the concept, the authors provide a hypothetical case study of an IT contractor management system, and show how the many possible misuses can be anticipated and accounted for.
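The two ideas above, prioritising security requirements from misuse cases and checking that every requirement is tested before go-live, can be made mechanical with a small traceability check. The following is an added example written for this page; it is not code from the Ruck and Price paper, and the misuse cases, requirement IDs (SR1 to SR4) and test results for the contractor management system are constructed for illustration rather than taken from the authors' case study. Each misuse case records who misuses the system, whether the misuse is accidental or malicious, a likelihood and impact score, and the requirements that mitigate it; each requirement is tied to acceptance-test results. A requirement's priority is the highest risk score among the misuse cases it mitigates, and the system is ready for production only when no misuse case is unmitigated, no requirement is untested, and no test is failing.

```python
"""Misuse-case traceability check (added example; constructed data)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Tuple


@dataclass(frozen=True)
class MisuseCase:
    id: str
    actor: str                      # who misuses the system
    intent: str                     # "accidental" or "malicious"
    description: str
    likelihood: int                 # 1 (rare) .. 5 (expected)
    impact: int                     # 1 (negligible) .. 5 (severe)
    mitigated_by: Tuple[str, ...]   # IDs of the security requirements that counter it

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Requirement:
    id: str
    text: str


# Constructed misuse cases for a hypothetical IT contractor management system.
MISUSE_CASES = [
    MisuseCase("MC1", "external attacker", "malicious",
               "Guess a contractor's password and log in as them", 4, 4, ("SR1", "SR2")),
    MisuseCase("MC2", "contractor", "malicious",
               "Extend own contract end date to keep building access", 3, 5, ("SR3",)),
    MisuseCase("MC3", "line manager", "accidental",
               "Forget to off-board a leaver, leaving their account active", 5, 4, ("SR4",)),
    MisuseCase("MC4", "contractor", "malicious",
               "Export the full contractor list, including pay rates", 2, 4, ()),  # no mitigation yet
]

# Constructed security requirements (IDs are hypothetical).
REQUIREMENTS: Dict[str, Requirement] = {
    "SR1": Requirement("SR1", "Lock the account after 10 consecutive failed logins"),
    "SR2": Requirement("SR2", "Require MFA for every interactive login"),
    "SR3": Requirement("SR3", "Only the HR role may edit contract dates; every change is logged"),
    "SR4": Requirement("SR4", "Accounts are disabled automatically on the contract end date"),
}

# Constructed acceptance-test results: requirement ID -> {test name: passed}.
TEST_RESULTS: Dict[str, Dict[str, bool]] = {
    "SR1": {"test_lockout_after_10_failures": True},
    "SR2": {"test_mfa_enforced_web": True, "test_mfa_enforced_api": False},
    "SR3": {},   # requirement written, no test yet
    # SR4 has no entry at all
}


def prioritise_requirements(misuse_cases: Iterable[MisuseCase],
                            requirements: Mapping[str, Requirement]) -> List[Tuple[str, int]]:
    """Rank requirements by the highest-risk misuse case each one mitigates (ties by ID)."""
    score = {rid: 0 for rid in requirements}
    for mc in misuse_cases:
        for rid in mc.mitigated_by:
            if rid in score:
                score[rid] = max(score[rid], mc.risk)
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def find_gaps(misuse_cases: Iterable[MisuseCase],
              requirements: Mapping[str, Requirement],
              test_results: Mapping[str, Mapping[str, bool]]) -> Dict[str, List[str]]:
    """Trace misuse case -> requirement -> test and report every break in the chain."""
    gaps: Dict[str, List[str]] = {"unmitigated": [], "unknown_requirement": [],
                                  "untested": [], "failing": []}
    for mc in misuse_cases:
        if not mc.mitigated_by:
            gaps["unmitigated"].append(mc.id)
        for rid in mc.mitigated_by:
            if rid not in requirements:
                gaps["unknown_requirement"].append(f"{mc.id}->{rid}")
    for rid in requirements:
        tests = test_results.get(rid, {})
        if not tests:
            gaps["untested"].append(rid)
        else:
            gaps["failing"].extend(f"{rid}:{name}" for name, ok in tests.items() if not ok)
    return gaps


def ready_for_production(gaps: Mapping[str, List[str]]) -> bool:
    """The release gate: no gap of any kind may remain."""
    return not any(gaps.values())


if __name__ == "__main__":
    for rid, score in prioritise_requirements(MISUSE_CASES, REQUIREMENTS):
        print(f"{rid} risk={score:2d}  {REQUIREMENTS[rid].text}")
    gaps = find_gaps(MISUSE_CASES, REQUIREMENTS, TEST_RESULTS)
    for kind, items in gaps.items():
        print(f"{kind}: {items}")
    print("ready for production:", ready_for_production(gaps))
```

On the constructed data the accidental off-boarding failure (MC3) ranks SR4 first even though it is not a 'hacker' scenario, which is the point of including accidental misuse alongside malicious misuse; the gate then fails on four counts: MC4 has no mitigation, SR3 and SR4 have no tests, and the API-side MFA test for SR2 fails. Each of those is something a misuse-case review would surface before the system goes live rather than after.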

Read Misuse cases: Earlier and smarter information security (.pdf) by John Neil Ruck and Geraint Price.

SearchSecurity's association with RHUL began last year when we published 12 articles from RHUL's MSc graduates. These were widely appreciated for their new ideas and relevance to security problems. We believe the 2009 series is equally wide-ranging and thought-provoking.

This was first published in June 2009