Security engineering has historically emphasized the use of industry best practices (e.g., firewalls, encryption) as well as performing vulnerability analysis and security (e.g., penetration) testing of existing systems to ensure adequate security. Most books and articles on security do not provide much content with regard to security requirements, and what little is published tends to emphasize the specification of ambiguous security goals or else focuses on architectural constraints. Rarely is either the required amount of a specific type of security specified or the security ramifications of non-security requirements addressed in security processes. Although security requirements may be mentioned, they are rarely defined, and a clear taxonomy of the different kinds of security requirements is rarely if ever used.
This paper addresses the problems associated with the lack of a clear security taxonomy by identifying four different types of security-related requirements, providing them with clear definitions, and placing them within an organizing hierarchical taxonomy. It does so by recognizing the significant similarity between safety and security as sister subtypes of defensibility within a quality model and reusing the similar identifications, definitions, and taxonomy of safety requirements.