Software Engineering Institute

Security engineering has historically emphasized the use of industry best practices (e.g., firewalls and encryption) as well as performing vulnerability analysis and security (e.g., penetration) testing of existing systems to ensure adequate security. Most books and articles on security do not provide much content with regard to security requirements, and what little is published tends to emphasize the specification of ambiguous security goals or else focuses on architectural constraints. Security processes rarely specify the required amount of a security type or address the security ramifications of non-security requirements. Although security requirements may be mentioned, they are rarely defined, and a clear taxonomy of the different kinds of security requirements is rarely, if ever, used.

This paper addresses the problems associated with a lack of a clear security taxonomy by identifying four different types of security-related requirements, providing them with clear definitions, and placing them within an organizing hierarchical taxonomy. This paper does this by recognizing the significant similarity between safety and security as sister subtypes of defensibility within a quality model and reusing the similar identifications, definitions, and taxonomy of safety requirements.