Please cite this article in press as: El-Attar, M., Towards developing consistent misuse case models. J. Syst. Software (2011),
doi:10.1016/j.jss.2011.08.023
The Journal of Systems and Software xxx (2011) xxx–xxx
Towards developing consistent misuse case models
Mohamed El-Attar ∗
Information and Computer Science Department, King Fahd University of Petroleum and Minerals, P.O. 5066, Dhahran 31261, Saudi Arabia
Article info
Article history:
Received 8 October 2010
Received in revised form 18 August 2011
Accepted 18 August 2011
Available online xxx
Keywords:
Misuse cases
Use cases
Model consistency
Abstract
Secure software development should begin at the early stages of the development life cycle. Misuse case
modeling is a technique that stems from traditional use case modeling, which facilitates the elicitation
and modeling of functional security requirements at the requirements phase. Misuse case modeling is an
effective vehicle to potentially identify a large subset of these threats. It is therefore crucial to develop
high quality misuse case models; otherwise the end system developed will be vulnerable to security threats.
Templates to describe misuse cases are populated with syntax-free natural language content. The inherent
ambiguity of syntax-free natural language coupled with the crucial role of misuse case models in
development can have a very detrimental effect. This paper proposes a structure that will guide misuse
case authors towards developing consistent misuse case models. This paper also presents a process
that utilizes this structure to ensure the consistency of misuse case models as they evolve, eliminating
potential damages caused by inconsistencies. A tool was developed to provide automation support for
the proposed structure and process. The feasibility and application of this approach were demonstrated
using two real-world case studies.
© 2011 Elsevier Inc. All rights reserved.
1. Introduction
Use case modeling (Armour and Miller, 2000; Booch et al., 2003;
Jacobson et al., 1992, 1995; OMG, 2003) is constantly increasing
in popularity amongst business analysts and requirements engineers
as a preferred choice to determine, communicate and specify
functional requirements. This constant increase in use case modeling
popularity is attributed to its relatively small and simple
set of syntactical rules and large degree of natural language use.
Non-technical stakeholders feel more comfortable and involved in
the requirements engineering process when dealing with use cases
rather than with declarative specifications. To capitalize on this
success, researchers are constantly devising new techniques that
will allow use case modelers to capture and specify non-functional
requirements.
In this paper, the focal non-functional requirements category
considered is security requirements. In the context of UC modeling,
an approach to elicit security requirements with misuse cases
has been shown to be promising (Alexander, 2002, 2003; Ekremsvik
and Tiset, 2004; Mæhre, 2005; Diallo et al., 2006; Stålhane and
Sindre, 2007). In essence, misuse cases are similar to traditional
use cases except they describe negative operational sequences that
can harm the stakeholders of a system. Misusers (analogous to
actors) are defined as external entities that interact with the system
with harmful intentions. Misusers interact with the system through
misuse cases to attain their goals. Misuse cases and misusers are
modeled as a supplement to traditional use case models.
∗ Corresponding author. E-mail address: melattar@kfupm.edu.sa
A number of templates to describe misuse cases have been
proposed in the literature. Misuse cases can be described using
a “lightweight” approach by embedding the description of misuse
within regular use case templates (Sindre and Opdahl, 2005),
such as (Cockburn, 1997, 2001; Constantine, 1995; Kruchten,
1999; Kulak and Guiney, 2000). Alternatively, misuse cases can be
described in an “extensive” format (Sindre and Opdahl, 2001, 2005).
These templates are populated with syntax-free natural language
and are discussed in great detail in Section 2.2. Using syntax-free
natural language is a double-edged sword. On one hand, the expressive
power and readability of syntax-free natural language
attract non-technical stakeholders. On the other hand, syntax-free
natural language is inherently ambiguous. The use of syntax-free
natural language thus hampers several use case modeling quality
attributes. Such quality attributes include consistency, completeness,
understandability, correctness and its analytical perspective.
Given the similarity in nature between misuse cases and traditional
use cases, it can be inferred that misuse case models would
equally suffer from the use of syntax-free natural language. In
fact, the use of syntax-free natural language could prove to be