''Anti-stories'' are things the user does not want to happen, commonly for safety or security reasons. For example, No way we let an ILOVEYOU EMail worm in our System! ---- Compare the following two stories. Here is the first user story: ''The user supplies the identifier of a user and will be given information about that identified user including their full name, last login date, and if they have unanswered Email. If online, information will also be presented showing how to contact them online.'' And here is the second user anti-story that should go with it: ''No user, however stupid or malicious, will be able to gain control of the queried computer system.'' Now the original implementation of finger and fingerd (the daemon that supported finger) satisfied the first story and was a great success. It did not satisfy the second story, the anti-story, and as such spawned some nasty exploits, hacks, and worms. My worries about XP and its ability to address anti-stories came to a head when I read BruceSchneier's essay, ''Why Computers are Insecure'' (more on this story moved to SecurityManagement) There is a deep logical reason why anti-stories and stories are different in theory, as well as in practice. So this is my question and challenge to the XP community -- before you program my bank's software, how are user anti-stories handled in XP? --DickBotting SecurityIsHard. High security systems may be a case for BigDesignUpFront. --JohnBrewer XP does not make security hard - it just exposes the problem. All requirements, no matter what your religion, must be state positively and testably. So "resist a SATAN or CRACK attack" is positive and testable - if a bit epic. --PhlIp ----- I set up LimitsOfUserStories to try to coalesce and sharpen the discussion that is now scattered over UserStory, UserAntiStory, TheExtremeProgrammingWayToHandleUserAntiStories, ThereAreNoUserAntiStories. --Alistair ----- I expect most NonFunctionalRequirements can be construed as anti-stories. ---- See MotherhoodStory, NonFunctionalRequirements