Date Added: Jan 2011
Although security requirements engineering has recently attracted increasing attention, it has lacked a context in which to operate. A number of papers have described how security requirements may be violated, but apart from a few hints in the general literature, none have described satisfactorily what security requirements are. This paper proposes a strategy which unifies the concepts of the two disciplines of requirements engineering and security engineering. From requirements engineering it takes the concept of functional goals, which are operationalized into functional requirements, with appropriate constraints. From security engineering it takes the concept of assets, together with threats of harm to those assets.