That some good can be derived from every event is a better proposition than that everything happens for the best, which it assuredly does not.
James Kern Feibleman, philosopher and psychiatrist (1904–1987)
The study of error is not only in the highest degree prophylactic, but it serves as a stimulating introduction to the study of truth.
Walter Lippmann, journalist (1889–1974)
To design a secure system, we first need to understand the possible threats to the system. We have proposed a systematic approach to threat identification, starting from the analysis of the activities in the use cases of the system, and postulating possible threats [Fer06a]. This method identifies high-level threats such as ‘the customer can be an imposter’, but once the system is designed we need to see how the chosen components could be used by the attacker to reach their objectives. A misuse is an unauthorized use (read, modify, deny use) of information, and our emphasis is in how the misuse is performed. A misuse pattern describes, from the point of view of the attacker, how a type of attack is performed (what units it uses and how), analyzes the ways of stopping the attack by enumerating possible security patterns that can be applied for this purpose, and describes how to trace the attack once it has happened by appropriate collection and observation of forensics data. It also describes precisely the context in which the attack may occur.
Figure 14.1 presents ...