Investigating security threats in architectural context: Experimental evaluations of misuse case maps

• Misuse case maps (MUCM) augment use case maps with misuse case concepts.
• MUCMs provide integrated views of security issues and software systems architecture.
• MUCM were evaluated in controlled experiments with complex real-life intrusions.
• Misuse case maps lead to good understanding of intrusions and ability to suggest mitigations.
• Misuse case maps were perceived more positively and used more than two existing techniques used as alternative treatment.

Many techniques have been proposed for eliciting software security requirements during the early requirements engineering phase. However, few techniques so far provide dedicated views of security issues in a software systems architecture context. This is a problem, because almost all requirements work today happens in a given architectural context, and understanding this architecture is vital for identifying security vulnerabilities and corresponding mitigations. Misuse case maps attempt to provide an integrated view of security and architecture by augmenting use case maps with misuse case concepts. This paper evaluates misuse case maps through two controlled experiments where 33 and 54 ICT students worked on complex real-life intrusions described in the literature. The students who used misuse case maps showed significantly better understanding of intrusions and better ability to suggest mitigations than students who used a combination of two existing techniques as an alternative treatment. Misuse case maps were also perceived more favourably overall than the alternative treatment, and participants reported using misuse case maps more when solving their tasks.