This paper presents a framework for security requirements elicitation and analysis, based upon the construction of a context for the system and satisfaction arguments for the security of the system. One starts with enumeration of security goals based on assets in the system. These goals are used to derive security requirements in the form of constraints. The system context is described using a problem-centered notation, then this context is validated against the security requirements through construction of a satisfaction argument. The satisfaction argument is in two parts: a formal argument that the system can meet its security requirements, and a structured informal argument supporting the assumptions expressed in the formal argument. The construction of the satisfaction argument may fail, revealing either that the security requirement cannot be satisfied in the context, or that the context does not contain sufficient information to develop the argument. In this case, designers and architects are asked to provide additional design information to resolve the problems.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Alexander, I.: Misuse Cases in Systems Engineering. Computing and Control Engineering Journal, 14(1) (Feb 2003), 40--45.
	2	Allen, J.H.: CERT System and Network Security Practices. In Proceedings of the Fifth National Colloquium for Information Systems Security Education (NCISSE'01), George Mason University, Fairfax, VA USA, 22--24 May 2001.
	3	Ross J. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, John Wiley & Sons, Inc., New York, NY, 2001
	4	Antón, A.I., Earp, J.B.: Strategies for Developing Policies and Requirements for Secure E-Commerce Systems. In E-Commerce Security and Privacy, vol. 2, Advances In Information Security, A. K. Ghosh, Ed.: Kluwer Academic Publishers, Jan 15 2001, pp. 29--46.
	5	Brewer, D.F.C., Nash, M.J.: The Chinese Wall security policy. In Proceedings of the 1989 IEEE Symposium on Security and Privacy, Oakland, CA USA: IEEE Computer Society Press, 1-3 May 1989, pp. 206--214.
	6	Howard Chivers , Martyn Fletcher, Applying Security Design Analysis to a service-based system: Research Articles, Software—Practice & Experience, v.35 n.9, p.873-897, July 2005  [doi>10.1002/spe.v35:9]
	7	Premkumar T. Devanbu , Stuart Stubblebine, Software engineering for security: a roadmap, Proceedings of the Conference on The Future of Software Engineering, p.227-239, June 04-11, 2000, Limerick, Ireland  [doi>10.1145/336512.336559]
	8	Firesmith, D.: Specifying Reusable Security Requirements. Journal of Object Technology, 3(1) (Jan-Feb 2004), 61--75.
	9	B. Haley , C. Laney , D. Moffett , Bashar Nuseibeh, Using trust assumptions with security requirements, Requirements Engineering, v.11 n.2, p.138-151, February 2006  [doi>10.1007/s00766-005-0023-4]
	10	Charles B. Haley , Robin C. Laney , Bashar Nuseibeh, Deriving security requirements from crosscutting threat descriptions, Proceedings of the 3rd international conference on Aspect-oriented software development, p.112-121, March 22-24, 2004, Lancaster, UK  [doi>10.1145/976270.976285]
	11	Haley, C.B., Moffett, J.D., Laney, R., Nuseibeh, B.: Arguing Security: Validating Security Requirements Using Structured Argumentation. In Proceedings of the Third Symposium on Requirements Engineering for Information Security (SREIS'05) held in conjunction with the 13th International Requirements Engineering Conference (RE'05), Paris France, 29 Aug 2005.
	12	Constance L. Heitmeyer, Applying Practical Formal Methods to the Specification and Analysis of Security Properties, Proceedings of the International Workshop on Information Assurance in Computer Networks: Methods, Models, and Architectures for Network Security, p.84-89, May 21-23, 2001
	13	ISO/IEC: Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 1: Introduction and General Model. International Standard 15408-1, ISO/IEC, Geneva Switzerland, 1 Dec 1999.
	14	ISO/IEC: Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 2: Security Functional Requirements. International Standard 15408-2, ISO/IEC, Geneva Switzerland, 1 Dec 1999.
	15	ISO/IEC: Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 3: Security Assurance Requirements. International Standard 15408-3, ISO/IEC, Geneva Switzerland, 1 Dec 1999.
	16	Jackson, M.: Problem Frames. Addison Wesley, 2001.
	17	Ian Sommerville , Gerald Kontonya , Gerald Kotonya, Requirements Engineering: Processes and Techniques, John Wiley & Sons, Inc., New York, NY, 1998
	18	Axel van Lamsweerde, Elaborating Security Requirements by Construction of Intentional Anti-Models, Proceedings of the 26th International Conference on Software Engineering, p.148-157, May 23-28, 2004
	19	Lee, Y., Lee, J., Lee, Z.: Integrating Software Lifecycle Process Standards with Security Engineering. Computers and Security, 21(4) (2002), 345--355.
	20	Lin Liu , Eric Yu , John Mylopoulos, Security and Privacy Requirements Analysis within a Social Setting, Proceedings of the 11th IEEE International Conference on Requirements Engineering, p.151, September 08-12, 2003
	21	John McDermott , Chris Fox, Using Abuse Case Models for Security Requirements Analysis, Proceedings of the 15th Annual Computer Security Applications Conference, p.55, December 06-10, 1999
	22	Mouratidis, H., Giorgini, P., Manson, G.: Integrating Security and Systems Engineering: Towards the Modelling of Secure Information Systems. In Proceedings of the 15th Conference on Advanced Information Systems Engineering (CAiSE'03), Klagenfurt/Velden Austria: Springer-Verlag, 16-20 Jun 2003, pp. 63--78.
	23	NIST: An Introduction to Computer Security: The NIST Handbook. Special Pub SP 800-12, National Institute of Standards and Technology (NIST), Oct 1995.
	24	Bashar Nuseibeh, Weaving Together Requirements and Architectures, Computer, v.34 n.3, p.115-117, March 2001
	25	Charles P. Pfleeger , Shari Lawrence Pfleeger, Security in Computing, Prentice Hall Professional Technical Reference, 2002
	26	Rushby, J.: Security Requirements Specifications: How and What? In Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS), Indianapolis, IN USA, 5-6 Mar 2001.
	27	Sindre, G., Opdahl, A.L.: Eliciting Security Requirements by Misuse Cases. In Proceedings of the 37th International Conference on Technology of Object-Oriented Languages and Systems (TOOLS-Pacific'00), Sydney Australia, 20-23 Nov 2000, pp. 120--131.
	28	Eugene H. Spafford, The internet worm program: an analysis, ACM SIGCOMM Computer Communication Review, v.19 n.1, p.17-57, Jan. 1989  [doi>10.1145/66093.66095]
	29	Tettero, O., Out, D.J., Franken, H.M., Schot, J.: Information security embedded in the design of telematics systems. Computers and Security, 16(2) (1997), 145--164.