Summary
Agile iteration planning has traditionally maximized business value based exclusively on user stories.
However, implementing a user story increases the attack surface of a system and consequently the risk of abuse.
The cost of absorbing such risk is often not taken into account.
Abuser stories redress the balance.
Advertisement
Agile development aims to deliver the greatest business value in the least possible time.
Iteration plans have therefore maximized the sum of business values realised through individual user stories.
However, implementing a user story increases the attack surface of a system and hence the risk of abuse, which may carry important business costs.
Therefore, a traditionally calculated iteration's value should be viewed as its gross value.
In order to arrive at net business value, gross value should be corrected for unmitigated risk.
Introducing abuser stories allows business value to be tracked more accurately and facilitates rational planning of the effort required for security-related development.
Abuser stories identify how attackers may abuse the system to damage the customer's assets through the system's functionality.
Thus they state systems' security requirements.
It is the development team's task to refute the abuser stories, by demonstrating that the attack described is impossible, or at least implausible.
As risk mitigation reduces risk absorption costs, but requires effort, iteration plans for security-sensitive projects would not only include user stories that will be realized, but also abuser stories that will be refuted.