An extended misuse case notation: Including vulnerabilities and the insider threat

Lillian Røstad
Norwegian University of Science and Technology, Trondheim, Norway
Lillian.Rostad@idi.ntnu.no

Abstract. Misuse cases are a useful technique for eliciting and modelling security requirements and threats. In addition, they may be very useful in a risk analysis process, particularly as part of the system development process. The original misuse case notation adds inverted use cases to model threats and inverted actors to represent attackers. However, an attack is usually performed by exploiting a vulnerability in a system, and it would be useful to be able to represent vulnerable functions in a model. In addition, it should be possible to discern between insiders and outside attackers in a model, as they have very different abilities and potential for attacking a system. This paper therefore proposes an extended misuse case notation that includes the ability to represent vulnerabilities and the insider threat, and discusses the use of this extended notation in the system development and risk analysis processes.

1 Introduction

Security is being increasingly recognized as an important quality of IT-systems. Much of the reason for this can be explained by the evolution of IT-systems towards what Gary McGraw in [13] defines as the trinity of trouble: connectivity, extensibility and complexity. While these three properties typically improve the possibilities of what a system can do, they also significantly increase the risks. Being secure means having control and being able to keep the bad guys out - but the more complex a system is, the harder it is to manage, and the possibility of third-party extensions only adds to the complexity. Connectivity is seductive as it greatly increases the potential use of a system, but it also greatly increases the number of attackers that can have a go at breaking into or otherwise harming the system.

In some systems, like health care, defence and banking, security has always been considered an important property. But as the system’s operational environment changes, so do the threat scenarios and the need for defence mechanisms. Where isolation has previously been considered an appropriate defence, this is no longer an option.

An excellent example of this, and the original motivation for the work presented here, is access control in healthcare systems. In healthcare systems, protecting the patient’s privacy is a major concern - however, it always has to be balanced against the need for access to information to make sound medical decisions and provide the best possible care. The current state of the art is Role-Based