Results 1 - 3 of 3
Generalization/Specialization as a Structuring Mechanism for Misuse Cases
- In 2nd Symposium on Requirements Engineering for Information Security (SREIS’02), 2002
Cited by 5 (1 self)
Abstract. Use cases are becoming increasingly common in the early phases of requirements engineering, but they offer limited support for expressing security requirements. However, misuse cases can specify behavior not wanted in the system. This paper presents and builds on previous work on misuse cases, here focusing on misuse case generalization as a feature for structuring a larger number of misuse cases in a specification.
NIDS – should you do without it?
, 2003
One of the misconceptions about network security is that a firewall equals protection. Firewall is no ‘silver bullet’ and security is definitely more than a firewall. Security misconception often creates opportunity for attacks and to protect against many intrusions/attacks is to remove this opportunity. So immediately after a Firewall implementation, the next security implementation should be a Network-based Intrusion Detection System (NIDS). NIDS provides the monitoring mechanisms to detect misconfiguration of Firewall, violation of security policy, Network Service attacks and an attack in progress. Having been a security consultant myself for many years, I am of the opinion that any organization that is not protected by NIDS should be considered as operating in a vulnerable environment. Having said that, one should not be misconstrued that Host-based IDS (HIDS, the other type of Intrusion Detection) is no better than NIDS as each has its own respective usage and benefits under different environments. Nowadays, it is a common
Understanding Security Administrators Granting Access in Academic, Start-up, and Enterprise Environments
Who administers security and grants access to applications? Are these individuals dedicated security administrators, or are they DBAs, functional admins, or general IT group professionals? How do the roles differ based on size and nature of the business?

