Fraunhofer-Gesellschaft
2017
Conference Paper
Title

The trouble with security requirements

Abstract
Manifold approaches to security requirements engineering have been proposed, yet there is no consensus how to elicit, analyze, or express security needs. This perspective paper systematizes the problem space of security requirements engineering. Security needs result from the interplay of three dimensions: threats, security goals, and system design. Elementary statements can be made in each dimension, but such one-dimensional requirements remain partial and insufficient. To understand security needs, one has to analyze their interaction. Distinct analysis tasks arise for each pair of dimensions and are supported by different techniques: risk analysis, as in CORAS, between threats and security goals; security design, as exemplified by the framework of Haley et al., between goals and design; and security design analysis, such as Microsoft's threat modeling technique with data flow diagrams and STRIDE, between design and threats. All three perspectives are necessary to develop secure systems. Security requirements engineering must iterate through them, because threats determine the relevance of security goals, security design seeks ways to fulfill them, and design choices themselves influence threats and security goals.
Author(s)
Türpe, Sven
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Mainwork
IEEE 25th International Requirements Engineering Conference, RE 2017. Proceedings  
Conference
International Requirements Engineering Conference (RE) 2017  
Open Access
DOI
10.24406/publica-r-397885
10.1109/RE.2017.13
Language
English
Keyword(s)
  • access control
  • analytical model
  • computer security
  • requirement engineering
  • software
  • stakeholder
  • information security
  • security risk
  • software design
  • solution design
  • system analysis and design
  • threat model
  • vulnerability
