System modeling
Problem frames:

“PF1: Salary Info editing”
Requirement: Salary info is edited by users

“PF2: Salary Info display”
Requirement: Salary information is displayed to users

Identify assets
Assets:

Salary Information

Identify threats and vulnerabilities
Abuse frames diagrams:

“AF1: Information disclosure of salary information”
AR: Salary information is displayed to attackers without authorization

“AF2: Tampering Salary information”
AR: Attacker makes modifications to salary information without authorization

Identify security requirements

“SPF1: Integrity preserving of salary information”
SR: Modification or creation of salary information is allowed only to authorized HR staff and not allowed to unauthorized users

“SPF2: Confidentiality preserving of salary information”
SR: Only authorized HR staff are allowed to view salary information

Security requirements evaluation
The requirements complement each other and do not conflict.