In the Information Security Profession we are losing the Battle. Today’s Information Systems are, perversely, more secure than Tomorrow’s. The only way we can reverse this trend is by securing Information Systems smarter and faster than we do today. This dissertation explores Information Systems and how they are developed with the aim of incorporating Security in the early stages of their development; using a technique called ‘Misuse Cases’.

Misuse Cases capture how an Information System can be used in a way that it is not supposed to, either deliberately (an attack) or accidentally (a mistake). It is true to say that Information Systems are misused by Human beings. Humans may use machines as a proxy from which to commit their misuses, but ultimately the security profession is at the mercy of human creativity (and stupidity).

Misuse Cases provide us with a way to reason about how a System might be misused at an early stage in its development. We can use this information to incorporate countermeasures into the System’s Requirements (in the form of security requirements).

We apply Four Techniques based on Misuse Cases to a hypothetical Case Study-an IT Contractor Management System to achieve the following:

• Identify potential top-level Misuses;
• Use Misuse Cases to Elicit Security Requirements;
• Propose a way to develop Tests to verify that Security Requirements have been met.

In applying the Techniques we recognise their benefits and limitations and where appropriate propose some enhancements.