Experimental comparison of attack trees and misuse cases for security threat identification

  title={Experimental comparison of attack trees and misuse cases for security threat identification},
  author={A. Opdahl and G. Sindre},
  journal={Inf. Softw. Technol.},
  • A. Opdahl, G. Sindre
  • Published 2009
  • Engineering, Computer Science
  • Inf. Softw. Technol.
  • A number of methods have been proposed or adapted to include security in the requirements analysis stage, but the industrial take-up has been limited and there are few empirical and comparative evaluations. This paper reports on a pair of controlled experiments that compared two methods for early elicitation of security threats, namely attack trees and misuse cases. The 28 and 35 participants in the two experiments solved two threat identification tasks individually by means of the two… CONTINUE READING
    130 Citations

    Topics from this paper

    An Experimental Comparison of Two Risk-Based Security Methods
    • 33
    • Highly Influenced
    • PDF
    Comparing attack trees and misuse cases in an industrial setting
    • 24
    Security requirement elicitation techniques: The comparison of misuse cases and issue based information systems
    • 7
    • Highly Influenced
    • PDF
    Identifying Security Requirements Hybrid Technique
    • 17
    A review of threat modelling and its hybrid approaches to software security testing
    • 4
    • Highly Influenced
    • PDF
    Security Threat Assessment of an Internet Security System Using Attack Tree and Vague Sets
    • Kuei-Hu Chang
    • Computer Science, Medicine
    • TheScientificWorldJournal
    • 2014
    • 6
    • PDF
    Methodologies to Identify and Mitigate Security Threats in Software Development
    • 1
    • Highly Influenced
    An experiment on comparing textual vs. visual industrial methods for security risk assessment
    • 18
    • Highly Influenced
    • PDF


    Empirical and statistical analysis of risk analysis-driven techniques for threat management
    • K. Buyens, B. D. Win, W. Joosen
    • Computer Science
    • The Second International Conference on Availability, Reliability and Security (ARES'07)
    • 2007
    • 21
    • PDF
    Using abuse frames to bound the scope of security problems
    • 85
    • PDF
    Detecting Conflicts between Functional and Security Requirements with Secure Tropos: John Rusnak and the Allied Irish Bank
    • Eric Yu, Paolo Giorgini
    • Business, Computer Science
    • Social Modeling for Requirements Engineering
    • 2011
    • 12
    • PDF
    Initial industrial experience of misuse cases in trade-off analysis
    • I. Alexander
    • Computer Science
    • Proceedings IEEE Joint International Conference on Requirements Engineering
    • 2002
    • 130
    Security and privacy requirements analysis within a social setting
    • L. Liu, E. Yu, J. Mylopoulos
    • Computer Science
    • Proceedings. 11th IEEE International Requirements Engineering Conference, 2003.
    • 2003
    • 419
    • PDF
    Industrial experiences with Misuse Cases
    • 8