Page 388 -
P. 388
14.1 Security risk management 371
used and proposals for new and changed requirements. Assumptions about
the operating requirement made when the system was specified may be incor-
rect. Organizational changes may mean that the system is used in different
ways from those originally planned. Operational risk assessment therefore
leads to new security requirements that have to be implemented as the system
evolves.
Preliminary risk assessment focuses on deriving security requirements. In
Chapter 12, I show how an initial set of security requirements may be derived from a
preliminary risk assessment. In this section, I concentrate on life cycle and opera-
tional risk assessment to illustrate how the specification and design of a system are
influenced by technology and the way that the system is used.
To carry out a risk assessment, you need to identify the possible threats to a sys-
tem. One way to do this, is to develop a set of ‘misuse cases’ (Alexander, 2003;
Sindre and Opdahl, 2005). I have already discussed how use cases—typical interac-
tions with a system—may be used to derive system requirements. Misuse cases are
scenarios that represent malicious interactions with a system. You can use these to
discuss and identify possible threats and, therefore also determine the system’s secu-
rity requirements. They can be used alongside use cases when deriving the system
requirements.
Pfleeger and Pfleeger (2007) characterize threats under four headings, which may
be used as a starting point for identifying possible misuse cases. These headings are
as follows:
1. Interception threats that allow an attacker to gain access to an asset. So, a possi-
ble misuse case for the MHC-PMS might be a situation where an attacker gains
access to the records of an individual celebrity patient.
2. Interruption threats that allow an attacker to make part of the system unavail-
able. Therefore, a possible misuse case might be a denial of service attack on a
system database server.
3. Modification threats that allow an attacker to tamper with a system asset. In the
MHC-PMS, this could be represented by a misuse case where an attacker
changes the information in a patient record.
4. Fabrication threats that allow an attacker to insert false information into a sys-
tem. This is perhaps not a credible threat in the MHC-PMS but would certainly
be a threat in a banking system, where false transactions might be added to the
system that transfer money to the perpetrator’s bank account.
Misuse cases are not just useful in preliminary risk assessment but may be used
for security analysis in life-cycle risk analysis and operational risk analysis. They
provide a useful basis for playing out hypothetical attacks on the system and assess-
ing the security implications of design decisions that have been made.
