In this post, I will talk about misuse cases and steps to identify security requirements. Ivar Jacobson while working on large telecommunication systems introduced use cases. According to him use cases describe system's desired behavior in the form of a story ('Scenario')from the point view of a user or interfacing system('Actor') and supported by subsidiary scenarios in the form of alternatives and exceptions[Jacabson 1992]. On the other hand misuse cases are the inverse of use cases. The concept was coined in 1990s by Guttorm Sindre of the Norwegian University of Science and Technology, and Andreas L. Opdahl of the University of Bergen, Norway. The basic concept is describing the steps of performing a malicious act against a system, just as you would describe an act that the system is supposed to perform in a use case. So, use cases models the behavior expected from the system and misuse cases models the behavior not expected from the system.

To read this post further and for detailed explanations along with diagramatic representaions please download the whitepaper for the same in whitepapers section under requirements management category from Whitepaper for Steps for Business Analyst To Gather Security Requirements from Misuse Cases
or,
you can visit
Steps for Business Analyst To Gather Security Requirements from Misuse Cases

I will be glad to hear from you on this blog topic. All comments,positive or negative :), are most welcomed.
Thanks !
1704 [dot] manishgmail [dot] com