Royal Holloway eBook Series:

Computer misuse cases: Get there before the bad guys

21 Jun 2009


One of the biggest challenges for security people is to imagine what might go wrong with their systems and to plan for those eventualities. What effects could users' mistakes have on the smooth running of the systems? And how could thieves and hackers cause problems?

One approach is to borrow from software developers. They build their systems to meet a set of pre-defined uses that have been mapped out in the requirements and design stage.

What if security people were to adopt a similar approach, but instead of looking at the correct way of interacting with a system, they were to map out a series of computer 'misuse cases' to show how systems could be improperly used, either by accident or for malicious purposes? If that were done ahead of time, then it would be easier to plan for such eventualities, and also to define what is needed from a security point of view.

This is the argument outlined by John Neil Ruck and Geraint Price, in a new article published in SearchSecurity.co.uk, entitled 'Misuse Cases: earlier and smarter information security' (see below for the full .pdf). The article is part of our 2009 series featuring the best new MSc theses from graduates of the information security group at Royal Holloway University of London (RHUL).

The authors argue that misuse cases could be embedded into the software development lifecycle, from the very earliest definition of requirements, right through to final testing. They would help to define and prioritise the security requirements at an early stage, and they would also help in ensuring that all security requirements have been met before the system goes into production.

To illustrate the power of the concept, the authors provide a hypothetical case study of an IT contractor management system, and show how the many possible misuses can be pre-determined and accounted for.

Read Misuse cases: Earlier and smarter information security (.pdf) by John Neil Ruck and Geraint Price.

SearchSecurity's association with RHUL began last year when we published 12 articles from RHUL's MSc graduates. These were widely appreciated for their new ideas and relevance to security problems. We believe the 2009 series is equally wide-ranging and thought-provoking.
