Understanding the social engineering threat is important in requirements engineering for security-critical information systems. Mal-activity diagrams have been proposed as being better than misuse cases for this purpose, but without any empirical testing. The research question in this study is whether mal-activity diagrams would be more efficient than misuse cases for understanding social engineering attacks and finding prevention measures. After a conceptual comparison of the modelling techniques, a controlled experiment is presented, comparing the efficiency of using the two techniques together with textual descriptions of social engineering attacks. The results were fairly equal, the only significant difference being a slight advantage for mal-activity diagrams concerning perceived ease of use. The study gives new insights into the relative merits of the two techniques, and suggests that the advantage of mal-activity diagrams is smaller than previously assumed. However, more empirical investigations are needed to make detailed conclusions.

-- DanielAmyot - 16 Mar 2014


FormForVirtualLibrary

Title Comparing Misuse Case and Mal-Activity Diagrams for Modelling Social Engineering Attacks
Authors P. Karpati, G. Sindre, and R. Matulevicius
Type Journal
Conference/Journal Title International Journal of Secure Software Engineering (IJSSE)
Volume/Number 3(2)
Publisher IGI Global
Month April
Year 2012
Pages 54-73
DOI 10.4018/jsse.2012040103
Keywords Misuse Case, Security, UML, UCM, MUCM
Topic revision: r1 - 16 Mar 2014, DanielAmyot