Title :
Security requirement elicitation techniques: The comparison of misuse cases and issue based information systems
Author :
Ikram, Naveed ; Siddiqui, Sameera ; Khan, Naurin Farooq
Author_Institution :
Ibn-e-Sina Empirical Software Eng. Lab., Riphah Int. Univ., Islamabad, Pakistan
Abstract :
Myriad security elicitation techniques are reported in the literature, but their industrial adoption is inadequate. Furthermore, there is a shortage of empirical and comparative evaluations that could aid the software industry in this respect. This paper compares two security elicitation techniques, misuse cases (MUC) and issue based information systems (IBIS), by carrying out controlled experiments. A 2×2 factorial design was used with 30 undergraduate students, selected randomly, who solved security goal identification tasks individually using the two techniques. Two dependent variables were chosen: the effectiveness of the techniques, in terms of the number of security goals identified, and their coverage, in terms of the number of types of security goals identified; the time taken to learn, execute and interpret results with each technique was also measured in three different situations. The main finding was that, at a low level of detail, the time taken to interpret results was lower with IBIS, while at medium and high levels of detail MUC was more effective at finding security goals and provided better coverage while requiring less learning time. The generality of the results is limited by the fact that undergraduate students participated in the experiment. The study provides guidelines for the software industry on the choice of security elicitation technique in the three situations. The study can be extended by adding further techniques for comparison, and a framework can be developed.
Keywords :
design of experiments; information systems; security of data; IBIS; MUC; factorial design; issue based information systems; misuse cases; security goal identification task; security requirement elicitation techniques; software industry; Context; Educational institutions; Guidelines; Industries; Information systems; Security; Software; Experiments; Issue Based Information Systems; Misuse cases; Security requirements engineering;
Conference_Titel :
Empirical Requirements Engineering (EmpiRE), 2014 IEEE Fourth International Workshop on
Conference_Location :
Karlskrona
DOI :
10.1109/EmpiRE.2014.6890114