System modeling |
The security problem frame diagrams SPF1 and SPF2 will be modified by adding the domains Campus Network and Authentication Data to give more elaboration on the system, as shown in Fig. 8.
|
|
Identify assets |
Assets: |
|
– Authentication Data |
|
Identify threats and vulnerabilities |
Abuse frames: |
|
“AF3: Information disclosure of transmitted salary information and authentication data” |
|
AR: Salary information and authentication data are displayed to attackers while being transmitted
|
|
|
“AF4: Spoofing a HR staff” |
|
AR: Attacker impersonates authorized HR staff and claims to be a valid accepted HR staff
|
|
|
“AF5: Repudiation of salary info editing” |
|
AR: Attacker makes changes to salary and denies performing it
|
|
Identify security requirements |
The security requirement in SPF1 will be as follows: |
|
SR: Modification or creation of salary information is allowed only to authorized HR staff and not to unauthorized users, and the data sent over the campus network should not be understandable by eavesdroppers
|
|
The security requirement in SPF2 will be as follows: |
|
SR: Only authorized HR staff are allowed to view salary information, and the data sent over the campus network should not be understandable by eavesdroppers
|
|
Security requirements evaluation |
The requirements complete each other and do not cause conflicts |