Understanding the business processes that cyber-attackers use is one way in which enterprises can understand and combat the threats that they face.

In the same way that cyber attackers are targeting and disrupting your business processes and value creation chains businesses must understand the processes and motivations employed by cyber intruders in order to prepare well founded security practices that can protect your enterprise.

Crime is a business like any other and taking a security approach to systems design to disrupt the ‘working practices’ of your opponents through design cuts the cost and impact of an attack and limits the scope of an attacker to cause havoc in your organisation.

The modelling approaches listed below can be employed to visualise and counteract the processes of cyber attackers using the standard UML and BPMN notation. All that is required is to shift the emphasis from ‘How will I do that?’ to ‘How would I Hack That?’

Combining abuse/misuse cases to well-known attacker processes enables companies to anticipate their opponents’ value chain moves and take action to prevent damage through proactive measures.

System Use Cases

Creating system use cases is part of the daily work of systems analysts and architects, to elicit and uncover the requirements for software implementation. They are used to model business scenarios through what are essentially structured stories and scenarios that guide the implementation of business systems and software design.

The output (depending on the method used) are user stories or use cases that are used to guide implementation.

System Misuse Cases

 For each and every use case identify the opposite misuse case, utilising the opposite meaning to the intention of the system designer and place it on the same diagram.By describing functionality that the designer does not wish to occur it allows participants to visualise the behaviours an external attacker would take to subverting the system capabilities by extending the proposed usage of the system to that of a bad actor.

Misuse restaurant model

The advantage of using this approach means that it is possible to capture security requirements and think about the implications and vulnerabilities of design early in the system lifetime, reducing the attack surface and thus preventing costly rework.

Misuse case modelling is visual and is used to generate communication between system stakeholders and can be used as part of showing a ‘Privacy by Design’ approach to compliance with legislation like GDPR.

Using misuse cases allows system designers to add in controls so that actions can be described to counteract the threat from external actors. It allows, like a game of chess, to allow designers to model the best moves that their system can take to mitigate vulnerability or dampen the threats posed.

The advantage and disadvantage of this approach is in its’ simplicity and the further analysis work that is required to plan and implement controls.

System Abuse Cases

Closely related to misuse cases is the concept of using abuse cases to model the mitigating measures necessary by describing “a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system” (see details here)

Abuse cases extend UML notation by creating a separate abuse case diagram that is associated to a use case. In the abuse case, the designer identifies the actions open to an attacker trying to subvert a system use case. Although the notation is very similar, abuse cases include a description of the attackers’ resources, skills and objectives.

In abuse cases the effect of compromised, but not abused systems behaviour is not fully taken into account, whereby systems may be compromised but not modelled until the abuse has taken place.Misuse case modelling is interesting because it places both cases on the same diagram, allowing the interplay of actions and counteractions to be modelled.

A good in depth comparison of the strengths and weaknesses of the two modelling viewpoints is given here.

System Attacker Business Processes

Although the use of the techniques is an interesting use of industry notation they do not fully appreciate the processes by which attackers gain entry, and the motivations and processes that they employ in real world attacks.

Although the majority of cyber-attacks are ‘off the shelf’ hacks that are available to any interested party, the most damaging and persistent threats to complex systems comes from attack mechanisms backed by processes, the major ones are listed below:

Objective To encrypt enterprise data and elicit a ransom.
Process Attacker Research; Social Engineering; Encryption & Malware infection; Ransom; Decryption
Motivation Cash
Business Model Extortion
Actors Organised Crime
Sophistication Average
Advanced Persistent Threats
Objective To infiltrate the enterprise and exfiltrate information using host processes.
Process Attacker Research; Social Engineering; Remote Command; Lateral Movement; Exfiltration; Audit tampering; Data Exposure
Motivation IP, Data, sometimes cash.
Business Model longer term covert sting operation
Actors Government, Industrial Espionage
Sophistication High
Distributed Denial of Service
Objective To deny users access to the system or website.
Process Recruit Botnet network; Identify high profile target; Attack Website; Probe for weaknesses; Ransom
Motivation Cash, Website Crash, Disrupt business operations
Business Model Extortion or Service Denial
Actors Organised Crime, Hacktivists or hackers.
Sophistication Low
Objective To publicise conflicting activities or values of an organisation.
Process Research or Insider Knowledge; Lateral Movement; Privilege Escalation; Exfiltration; Publication
Motivation Publicity or Political Protest
Business Model Publicity
Actors Political Groups, Motivated/malicious insiders
Sophistication Variable, trusted insider threat

By using BPMN methods the attacker processes shown can be modelled. This will give insight into the protective measures that may be taken by organisations who may be facing the greatest threats. It will help businesses to visualise the attack threat vectors and prepare defences against them.


Using BPMN to direct the Misuse or Abuse cases informs business analysts through their prior knowledge of the techniques used and can aid the visualisation where process is used to amplify the effect of an attacker and ‘trust points’ allow entry into a system.

Although this approach does not confront processes we are not yet aware of, or zero day vulnerability attacks it helps to frame the process of attack in the same view as that of the business.

The ‘stepwise’ decomposition of attack actions fails to take into account the advantage that attackers take of the system as a whole and how they make many of the same moves, not all possible moves open to them.

Taking a blended modelling and process approach allows business analysts to mitigate the specific threats posed to their organisation by understanding the nature and vector of attack, and can use system abuse/misuse cases to highlight areas where enterprises can identify attacks in progress, take remedial action and prepare resilience plans.

As systems mature and interactions between them increase it falls to enterprise architects and those who take a full systems view to identify the gaps and vulnerabilities in process and value chains using metamodelling techniques to prevent opportunistic attackers using your process to aid theirs.