Using or Misusing?: Introducing Misuse Cases in a Software Engineering Course for Undergraduate Engineering Students

Today's cyberphysical systems are increasingly prone to misuse. To secure existing and future software systems, introducing concepts of IT-Security and Secure Software Engineering (SecSE) in Software Engineering (SE) courses is essential for academic education of future software engineers. This is not only important for computer science students, but also for engineering students studying topics of computing and SE. However, only little research exists on integrating these topics into traditional SE courses, especially for engineering students in non-computer science majors. To narrow this gap, this paper contributes with the design and evaluation of an exercise on modeling misuse cases alongside use cases, based on the inductive teaching method problem-based learning (PBL). The exercise is part of an educational design research investigating which learning content and teaching methods are suitable for integrating IT-Security and SecSE topics into traditional SE education of engineering students to convey factual knowledge as well as raise awareness and interest for both topics during software development. We present the integration of the exercise design into a traditional SE course for engineering students and its evaluation to examine its suitability. We evaluated the exercise design regarding the suitability of the design components, the learning content of misuse cases and the intended learning goals as well as its impact on students' motivation, and their interest in IT-security. The paper then presents indications on the feasibility and success of the exercise design for teaching misuse cases to engineering students and sparking their interest in IT-Security.