Threat Modeling for Security Failure-Tolerant Requirements

This paper describes an approach to modeling security threats to applications and to deriving security failure-tolerant requirements from the threats. This paper assumes that unbreakable core security services for applications, such as authentication, access control, cryptosystem, or digital signature, are broken all the time in a real-world setting. The UML use case model for application requirements is analyzed to model security threats to the system in terms of threat points at which each threat is described using a structured template. This paper also derives security failure-tolerant requirements from the threats at threat points, and the requirements are modeled by means of security failure-tolerant use cases separately from application use cases in the use case model. A security failure-tolerant use case is extended from an application use case at a security point. The Internet banking application is used to illustrate the proposed approach.