The Artima Developer Community
Thinking Aloud
Enhancing agile planning with abuser stories
by Johan Peeters
June 5, 2005
Agile iteration planning has traditionally maximized business value based exclusively on user stories. However, implementing a user story increases the attack surface of a system and consequently the risk of abuse. The cost of absorbing such risk is often not taken into account. Abuser stories redress the balance.


Agile development aims to deliver the greatest business value in the least possible time. Iteration plans have therefore maximized the sum of business values realised through individual user stories.

However, implementing a user story increases the attack surface of a system and hence the risk of abuse, which may carry important business costs. Therefore, a traditionally calculated iteration's value should be viewed as its gross value. In order to arrive at net business value, gross value should be corrected for unmitigated risk.

Introducing abuser stories allows business value to be tracked more accurately and facilitates rational planning of the effort required for security-related development. Abuser stories identify how attackers may abuse the system to damage the customer's assets through the system's functionality; thus they state the system's security requirements. It is the development team's task to refute the abuser stories by demonstrating that the attack described is impossible, or at least implausible. As risk mitigation reduces risk absorption costs but requires effort, iteration plans for security-sensitive projects would include not only user stories that will be realized, but also abuser stories that will be refuted.
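The planning arithmetic above, as an added example that is not part of the original entry or of any tool the author describes: a small iteration planner that maximizes net value (gross value of the realized user stories minus the expected loss of the abuser stories they enable and that are left unrefuted) within a fixed capacity, and compares its choice with the traditional plan that looks at gross value only. The stories, values, efforts, expected losses and the linkage between abuser and user stories are all constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class UserStory:
    name: str
    value: int    # gross business value delivered when the story is realized
    effort: int   # estimated implementation effort (story points)


@dataclass(frozen=True)
class AbuserStory:
    name: str
    enabled_by: str      # user story whose functionality opens this attack path
    expected_loss: int   # unmitigated risk (likelihood x impact) in value units
    effort: int          # effort to refute it, i.e. to make the attack implausible


def enabled_abuser_stories(chosen, abuser_stories):
    """Abuser stories that become relevant once the chosen user stories ship."""
    names = {s.name for s in chosen}
    return [a for a in abuser_stories if a.enabled_by in names]


def net_value(chosen, refuted, abuser_stories):
    """Gross value of the chosen user stories minus the unmitigated risk they introduce."""
    gross = sum(s.value for s in chosen)
    refuted_names = {a.name for a in refuted}
    unmitigated = sum(a.expected_loss
                      for a in enabled_abuser_stories(chosen, abuser_stories)
                      if a.name not in refuted_names)
    return gross - unmitigated


def plan_iteration(user_stories, abuser_stories, capacity):
    """Choose user stories to realize and abuser stories to refute, maximizing net value.

    The search is exhaustive; an iteration backlog is small enough for that.
    Passing an empty abuser_stories list reproduces the traditional gross-value plan.
    """
    best = (float("-inf"), (), ())
    for k in range(len(user_stories) + 1):
        for chosen in combinations(user_stories, k):
            base_effort = sum(s.effort for s in chosen)
            if base_effort > capacity:
                continue
            candidates = enabled_abuser_stories(chosen, abuser_stories)
            for r in range(len(candidates) + 1):
                for refuted in combinations(candidates, r):
                    if base_effort + sum(a.effort for a in refuted) > capacity:
                        continue
                    net = net_value(chosen, refuted, abuser_stories)
                    if net > best[0]:
                        best = (net, chosen, refuted)
    net, chosen, refuted = best
    return {"net": net,
            "gross": sum(s.value for s in chosen),
            "realize": sorted(s.name for s in chosen),
            "refute": sorted(a.name for a in refuted)}


def evaluate(plan, user_stories, abuser_stories):
    """Net value of a plan once the abuser stories it ignored are taken into account."""
    chosen = [s for s in user_stories if s.name in plan["realize"]]
    refuted = [a for a in abuser_stories if a.name in plan["refute"]]
    return net_value(chosen, refuted, abuser_stories)


# Constructed backlog (hypothetical stories and numbers, not from the original entry).
USER_STORIES = [
    UserStory("Upload profile picture", value=8, effort=3),
    UserStory("Reset password by email", value=10, effort=2),
    UserStory("Show public profile", value=5, effort=1),
]
ABUSER_STORIES = [
    AbuserStory("Upload executable disguised as image", "Upload profile picture",
                expected_loss=6, effort=2),
    AbuserStory("Guess password reset token", "Reset password by email",
                expected_loss=9, effort=3),
]
CAPACITY = 6


def gross_only_plan():
    """Traditional plan: abuser stories are not on the radar."""
    return plan_iteration(USER_STORIES, [], CAPACITY)


def risk_adjusted_plan():
    """Plan that trades some user stories for refuting the abuser stories it keeps."""
    return plan_iteration(USER_STORIES, ABUSER_STORIES, CAPACITY)


if __name__ == "__main__":
    traditional = gross_only_plan()
    print("gross-only plan:", traditional,
          "true net:", evaluate(traditional, USER_STORIES, ABUSER_STORIES))
    print("risk-adjusted plan:", risk_adjusted_plan())
```

With this backlog the gross-only planner fills the iteration with all three user stories (gross value 23) but ships two unrefuted attack paths, so its net value is only 8; the risk-adjusted planner drops the picture upload, keeps the password reset together with the effort to refute the token-guessing abuser story, and ends the iteration with a net value of 15.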

About the Blogger

Johan Peeters is an independent software architect who spends a lot of time plumbing and generally fixing leaks.

This weblog entry is Copyright © 2005 Johan Peeters. All rights reserved.