
Comparison of Security Risk-oriented
Modelling Languages: Secure Tropos vs. Malactivities
Stanislav Kutasevits
The usage and spread of software systems is nowadays growing at incredible
speed. With it grow the size and complexity of those systems, leading to a large
number of security vulnerabilities.
In order to prevent such issues, security risks and threats have to be considered
at the software requirements elicitation/design stage. Risk-oriented modelling
languages make this possible. A number of risk-oriented languages exist; this
paper compares two popular risk-oriented modelling languages, Secure Tropos and
Mal-activities, by presenting their strengths and weaknesses and by solving a case
study in both languages.
1 Overview
1.1 Secure Tropos
Secure Tropos [2] is based on and extends the Tropos methodology [1] by adding
a security level to the basic elements of Tropos. The Secure Tropos extension [2]
brings additional secure constructs: security constraint (of the security property),
security goal (same as goal, but with a security focus) and secure plan (same as
plan, but with a security focus, typically leading to a security goal).
The purpose of Secure Tropos is to stress those security criteria that must be
taken into account at the very earliest development stage. These constraints are
(but are not limited to) confidentiality, integrity and availability of some goal,
soft-goal or resource. Additionally, Secure Tropos helps to trace at which step of
the process an attack can occur, who the threat agent is, which attack method can
be used and which countermeasures should be implemented.
1.2 Mal-activities
Mal-activities, as can be guessed from the name, are derived from Activity
diagrams by adding the mal(icious) prefix [5]. In addition to the traditional
activity diagram notation, Mal-activities have one or more inverse (white on
black) swimlanes representing the violator's role. This role is within the same
system but, unlike its traditional (non-inverse) counterpart, uses the system's
exploitable weaknesses to achieve some gain or to harm the assets.
The main purpose of Mal-activities is to reveal the possible threats to the
system from the violator's perspective and to model how they would be exploited.
If the exploit succeeds, this indicates that the system is vulnerable to the risks
and can be misused. Another purpose of Mal-activity diagrams is to come up with a
security solution by designing the process with the known misuse in mind.
2 Strengths/advantages
2.1 Secure Tropos
The main advantage of Secure Tropos is the integrated overview of the business
assets, the security constraints and the possible risks. It can easily be traced
which business asset/resource is of interest to the violator. Besides that, Secure
Tropos supports hierarchical structuring, i.e. composing/decomposing the security
constructs. That kind of overview helps to identify potential security problems
at the earliest development stage.
Another advantage of Secure Tropos is the number of available papers on this
topic. Despite the fact that Secure Tropos is a rather new concept, first
introduced by [Mouratidis and Giorgini, 2007a], there exist around 15-20
publications as well as a dedicated website, which help an active Secure Tropos
community to spread its ideas and visions.
2.2 Mal-activities
Comparing Mal-activities to Secure Tropos, it can be said that the main
advantage of Mal-activities is the clean overview. It can be seen where the
process starts, where and how the violator intrudes into the normal process
workflow and where the process ends.
Another advantage is inherited from the original Activity diagrams: ease of
learning. Even a person with zero knowledge of Activity diagrams can understand
their purpose and the message the diagram itself conveys with little or no
explanation. That ease of learning comes from the limited number of diagram
constructs and notations, which are very intuitive and can be quickly learned.
3 Weaknesses/disadvantages
3.1 Secure Tropos
The first weakness of Secure Tropos is the visual complexity of its diagrams.
Not only does it take some time to become accustomed to the notation and to
learn the basic constructs, it can also take some time to read a diagram. This is
supported by the following observation about the diagram notation: there is no
explicitly indicated starting and ending point, and no clean process flow.
Another disadvantage (or oversight) is the low spread of the Secure Tropos
concepts and hence its low popularity and awareness compared to, for example,
UML. This can be seen as contradicting the previously mentioned advantage, the
number of publications and the dedicated website; yet despite those
popularity-oriented actions it must be admitted that the Secure Tropos community
has quite some work to do in order to convince more people to use Secure Tropos.
3.2 Mal-activities
The weakness of Mal-activities is the flip side of their simplicity, which
results in a narrow scope: one can only see which activity can be misused and
how. It is not possible to specify anything more than that (e.g. the risk itself,
the business assets and their security criteria, etc.).
Another disadvantage is the low availability of publications on this subject.
While writing this paper the author could find only very few publications (e.g.
[4] and [5]). That could perhaps be explained by the high level of conceptual
similarity between Mal-activity and Activity diagrams. Nevertheless, more
research papers and case studies of how Mal-activity diagrams can be applied in
real life seem reasonable and justified.
The next disadvantage is stagnation. It appears that Mal-activities have reached
their limit and there is nothing more to add, which could be another explanation
for why there is no community around Mal-activities. One might however argue
that this can be seen as a state of perfection, where the tool does what it has
to do and that is it. But as the previous Mal-activities weaknesses point out,
there are things that can be improved.
4 Case study
In order to see those two modelling languages "in action", the following case
study will be applied. There exists a city X that offers those interested in
tourism an X-city card, which among other benefits entitles the card holder to
one free canal cruise. The ticket obtaining procedure is the following:
• the card holder presents the card to the receptionist
• the receptionist checks the expiry date of the X-city card
• if the card is not expired, the receptionist enters the card's unique ID number
• if this card has not yet received a canal cruise ticket, a ticket is printed
This scenario contains some security vulnerabilities, which might become
revealed to a violator: the city card ID number is randomly generated and does
not have any checksum, and the receptionist does not have access to the real city
card database and therefore cannot check the validity of the expiry date.
Those vulnerabilities open the following exploits: forging a new card ID number
and forging a new card expiry date.
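As an added illustration (not part of the paper), the four-step issuance procedure above is modelled next to a hardened variant in which the receptionist's decision is taken from the issuer's card registry rather than from what the presented card shows; the registry, card IDs and dates are constructed, and the registry lookup is an assumed countermeasure the paper itself does not name.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed issuer registry (assumption): card ID -> expiry date recorded by
# city X. The paper states the receptionist has no access to such a database;
# the hardened procedure below models what giving that access would change.
REGISTRY = {
    "4821-7730": date(2030, 12, 31),   # valid card
    "9934-0021": date(2020, 1, 1),     # card that has expired
}


@dataclass
class Desk:
    issued: set = field(default_factory=set)  # IDs already given a cruise ticket

    def issue_as_described(self, card_id: str, printed_expiry: date, today: date) -> str:
        """The procedure from the case study: every decision trusts the card."""
        if printed_expiry < today:            # step 2: expiry read off the card
            return "expired"
        if card_id in self.issued:            # step 4: ID typed in by receptionist
            return "already issued"
        self.issued.add(card_id)
        return "ticket printed"

    def issue_hardened(self, card_id: str, printed_expiry: date, today: date) -> str:
        """Assumed countermeasure: decide from the registry, not from the card.

        A random ID with no checksum cannot be validated offline, so the ID is
        only accepted if the issuer knows it; the expiry printed on the card is
        ignored in favour of the registry's record.
        """
        if card_id not in REGISTRY:
            return "unknown card"
        if REGISTRY[card_id] < today:
            return "expired"
        if card_id in self.issued:
            return "already issued"
        self.issued.add(card_id)
        return "ticket printed"
```

In the described procedure an ID that the city never issued, or a card whose printed expiry disagrees with the registry, still yields a ticket; the hardened procedure rejects both.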
4.1 Secure Tropos
Figure 1 shows the case study presented above implemented in Secure Tropos
notation.
Figure 1. Case study using Secure Tropos.
4.2 Mal-activities
Figure 2 shows the case study presented above implemented in Mal-Activity
diagram notation.
Figure 2. Case study using Mal-Activity diagram.
5 Conclusion/what to choose
As the comparison indicated, Secure Tropos and Mal-Activities have very
similar goals but reach them using different approaches. There is however no
good recipe for which tool to choose; the choice depends entirely on the goals
of the model. Nevertheless, the following rule of thumb is suggested to simplify
the choice: if a quick and simple model is required, then the obvious choice
would be a Mal-Activities diagram. If however a more detailed diagram is needed
(potentially with the actor goals, scope, etc.), then the good choice would be
the Secure Tropos language.
References
[1] Mouratidis H., Giorgini P., "Secure Tropos: A Security-Oriented Extension of the Tropos
Methodology", International Journal of Software Engineering and Knowledge Engineering,
vol. 17 (2), pp. 285-309, 2007
[2] Matulevicius R., Mouratidis H., Mayer N., Dubois E., Heymans P., "Syntactic and Semantic
Extensions to Secure Tropos to Support Security Risk Management", Journal of Universal
Computer Science, vol. 18 (6), pp. 816-844, 2012
[3] Matulevicius R., Mouratidis H., Dubois E., Heymans P., Genon N., "Adapting Secure Tropos
for Security Risk Management during Early Phases of the Information Systems
Development", Proceedings of the 20th International Conference on Advanced Information
Systems Engineering (CAiSE'08), Montpellier, France, Lecture Notes in Computer Science,
vol. 5074, pp. 541-555, 2008
[4] Sindre G., "Mal-Activity Diagrams for Capturing Attacks on Business Processes",
Requirements Engineering: Foundation for Software Quality, pp. 355-366, 2007
[5] Chowdhury M., Matulevicius R., Sindre G., Karpati P., "Aligning Mal-activity Diagrams and
Security Risk Management for Security Requirements Definitions", REFSQ 2012, LNCS
vol. 7195, Springer-Verlag Berlin Heidelberg, pp. 132-139, 2012