Comparison of i*-based and Use Case-based Security Modelling Initiatives for Software Requirements Engineering: An empirical comparison of Secure Tropos and Misuse Cases
Norwegian University of Science and Technology, Faculty of Information Technology, Mathematics and Electrical Engineering, Department of Computer and Information Science.
2012 (English). Master's thesis (Masteroppgave), student thesis.
Abstract [en]

In the course TDT4501 - Specialization Project (the "ReqSec project"), the preparatory course for this thesis, eight modeling approaches were evaluated purely analytically, and their advantages and disadvantages were illustrated according to two categories: i*-based modeling approaches and Use Case-based modeling approaches. However, a purely analytical evaluation of modeling approaches does not always reflect their practical usefulness. Hence, the [motivation] of this thesis was to select two modeling approaches, Secure Tropos and Misuse Cases, and to evaluate them through an empirical investigation, giving researchers and practitioners a better overview and understanding of the benefits of the two approaches in real-life usage. The objective was to see whether the advantages claimed analytically in the previous project also hold in practice. [Questions] Through a controlled experiment, two core problems were investigated: a) how the participants performed when they applied the two modeling approaches to complete the tasks in the experiment, and b) which of the two modeling approaches they preferred after the experiment. The [principle] was to use both modeling approaches in the experiment, measuring the participants' performance by the number of threats and mitigations they identified for the experiment cases, and their perception of the two modeling approaches by asking them to estimate how much they used the modeling diagrams, the textual case descriptions, and memory during the experiment. Combined with the evaluation of the post-questionnaire analysis, conclusions were drawn from the statistical results of the empirical study and the results of the previous analytical study, to investigate whether the empirical evaluation matched the analytical evaluation. [Contribution] The experiment was the first to compare Secure Tropos and Misuse Cases comprehensively.
The results showed that the two modeling techniques had no significant difference in identifying threats but a significant difference in identifying mitigations in this controlled experiment, in which 50 students applied both modeling approaches to relevant cases. Analyzing the same case with the same or a different modeling approach showed that participants identified more mitigations and threats for the Net Shopping case when technical threats and mitigations were considered. The participants were complementary regarding the goal-based modeling approach on some security issues and identified non-technical threats and mitigations in this controlled experiment. Hence, Secure Tropos was perceived more favorably. Finally, compared with the six dimensions of the previous analytical comparison, the investigation shows that most of the advantages of the two modeling approaches were confirmed, and the results also coincided with the previous analytical evaluation.

Keywords: Secure Tropos, Misuse Case, Empirical Study, Security Modeling

Place, publisher, year, edition, pages
Institutt for datateknikk og informasjonsvitenskap (Department of Computer and Information Science), 2012. 164 p.
Keyword [no]
ntnudaim:5883, MSINFOSYST Master in Information Systems, Information Systems Engineering

URN: urn:nbn:no:ntnu:diva-18758
Local ID: ntnudaim:5883
OAI: diva2:566243
Available from: 2012-11-08 Created: 2012-11-08

Open Access in DiVA

Full text: FULLTEXT01.pdf (2516 kB, application/pdf)
Cover: COVER01.pdf (184 kB, application/pdf)
