# Lab 1: Security Requirements

## Metaverse User Stories

`Metaverse Users` are referred to as users here.

User | Task | Goal | Context | Action | Outcomes
-- | -- | -- | -- | -- | --
User | perform authorized payment transactions | only I can make transactions in my name | an adversary knows my payment information | he tries to pay with my info | the payment is declined if not authorized by me
Developer | access user configurations (avatars, config) | personalize the user experience of my applications | | |
Teacher | make physical course material available in the metaverse | students can see them in virtual reality | | |
User | have a unique identification key bound to my avatar | everyone can recognize my avatar | my avatar is public | my avatar is used by another user | the user cannot impersonate my identity because he doesn't know the key
User | virtual home to be self-hosted or zero-knowledge hosted | my privacy cannot be intruded upon | | |

Corrections:
- User stories should describe the use-case functionality, not security aspects; the first table mixed the two, so the stories are rewritten below as purely functional ones.

User | Task | Goal
-- | -- | --
User | Perform a payment | Acquire a virtual/physical asset
User | Add and remove friends | Keep track of what my friends are up to
User | Set home privacy | Prevent strangers from entering my home
User | Use voice chat | Communicate with other users
User | Fast travel | Quickly get to another location in the virtual space
User | Give another user an item | Sell/gift assets

> As a 'Metaverse user',
> I want to add/remove friends (from/to my virtual friend list)
> So I can keep track of their activities

**Integrity** => Befriending strangers => disclosing personal information to strangers (HARM)

**ACTION** => Unauthorized access (edit) to the friend list (FList)

## Assets

- User identity
- User belongings
- Friends lists
- Public image of system
- Voice data

### Harm analysis

> "What **HARM** could come to [asset] from an [action] violating a [concern]?"
> assets from User Stories
> actions yield Avoid goals
> concerns from CIA+ principles

Action | Asset | Harm
-- | -- | --
Steal user credentials | User identity | User information compromised, belongings stolen
Accept unwanted friend request | Friends lists | User information partially compromised, trust acquired
Unmute user microphone without consent | Voice data | User privacy compromised

### *'Achieve'* goals

- Always use multi-factor authentication for users

## Use Cases

Produced using [Lucidchart](https://lucid.app/lucidchart/daccac87-861b-46f9-a0f1-5d13ae90bc02/edit?invitationId=inv_6aea8472-a917-4a59-ad01-afd8f3ca40e5).

![Use Case / Misuse Case diagram](MisuseCase.svg)
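The payment user story ("the payment is declined if not authorized by me", even when an adversary knows my payment information) and the *'Achieve'* goal "always use multi-factor authentication" describe the same mechanism from two sides: possessing the payment details is not authorization; the user must also present a second factor only they hold. The example below is added here and is not part of the lab notes or of any metaverse platform; it implements the second factor as a time-based one-time password (TOTP, RFC 6238, HMAC-SHA1, 30-second step, 6 digits) using only the Python standard library, and checks it with clock-skew tolerance, constant-time comparison and replay protection. The `Account` class, `authorize_payment` function, card number, secret and timestamps are all constructed for the example.

```python
"""Added example (not from the lab notes): declining a payment that is not
authorized by the account owner, using a TOTP second factor (RFC 6238)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

TOTP_STEP = 30      # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6     # code length


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the authenticator shows)."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> Optional[int]:
    """Return the time-step counter the code matches, or None.

    One step of skew either side is tolerated; comparison is constant-time so
    the verifier does not leak how many digits were right.
    """
    counter = at // TOTP_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return counter + delta
    return None


@dataclass
class Account:
    name: str
    card_number: str                      # the "payment information" an adversary may know
    totp_secret: bytes                    # shared only with the user's authenticator
    used_counters: Set[int] = field(default_factory=set)  # replay protection


def authorize_payment(account: Account, card_number: str, amount: int,
                      code: str, at: int) -> Tuple[bool, str]:
    """Approve only if the payment details match AND a fresh, valid second factor is presented.

    Returns (approved, reason). Knowing the card number alone never suffices.
    """
    if card_number != account.card_number:
        return False, "payment details do not match account: declined"
    matched = verify_totp(account.totp_secret, code, at)
    if matched is None:
        return False, "second factor invalid: declined"
    if matched in account.used_counters:
        return False, "second factor already used (replay): declined"
    account.used_counters.add(matched)
    return True, f"approved {amount} credits for {account.name}"


if __name__ == "__main__":
    # Constructed sample data: the secret exists only in this example.
    secret = b"constructed-example-secret"
    alice = Account("alice", "4111111111111111", secret)
    now = 1_700_000_000

    # The owner's authenticator produces the current code: approved.
    print(authorize_payment(alice, alice.card_number, 25, totp(secret, now), now))
    # Replaying the same code a moment later: declined.
    print(authorize_payment(alice, alice.card_number, 25, totp(secret, now), now + 5))
    # An adversary with the card number but no secret can only guess: declined.
    print(authorize_payment(alice, alice.card_number, 25, "000000", now))
```

The `hotp`/`totp` functions can be checked against the published test vectors (RFC 4226 Appendix D and RFC 6238 Appendix B use the ASCII secret `12345678901234567890`), which is how a reviewer confirms the second factor is implemented correctly rather than trusting the demo output.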