Date Added: Aug 2009
Most attacks on computer and software systems come from threats that target known vulnerabilities. Part of the reason is that the broad and deep strategic security knowledge needed to choose mitigating solutions suitable for a specific application or organization is difficult to acquire. This paper presents three patterns that use goal-oriented concepts to capture knowledge of security problems and their corresponding mitigating solutions. Each pattern captures three kinds of problems: an undesirable outcome that negatively affects a security goal, the threats that lead to that undesirable outcome, and the vulnerabilities that those threats could exploit.