Enhancing Misuse Cases With Risk Assessment for Safety Requirements

Abstract

Risk-driven requirements elicitation represents an approach that allows assignment of appropriate countermeasure for the protection of the Information System (IS) depending on the risk level. Elicitation of safety requirements based on risk analysis is essential for those IS which will run on the open and dynamic Internet platform. Traditionally, misuse cases are used to find the weak points of an IS but cannot differentiate between the weak point that can lead to lenient hazard and/or serious hazard. In this paper, we present an enhanced misuse case approach to support IS safety risk assessment at the early stages of software process. We extensively examined and identified concepts which constitute a modelling technique for IS safety risk assessment and build a conceptual model for achieving IS safety risk assessment during the requirement analysis phase of software process. The risk assessment process follows an approach of consequential analysis based on misuse cases for safety hazard identification and qualitative risk measurement. The safety requirements are elicited according to the results of the risk assessment. A medical IS is used as a case study to validate the proposed model.