The analysis of security requirements is the important premise and basis of security management. As the change of the background and task of information systems,the asset-based risk analysis methods come out to be out of place. A business process-based security requirements analysis method is put forward. A tri-layer information systems model is established to be the basis and the communication platform of security requirement analysis. The primary security requirements can be listed through analyzing the security requirements of business processes. A concept of risk packet and a risk transferring model are brought forward to facilitate the risk analysis of assets of information systems. Then, a coverage analysis method is used to check whether all kinds of risk of assets are satisfied by the primary security requirements. If some kinds of risk can't be covered by the primary requirements, supplementary requirements will be needed to form the final security requirements list. This method, which aims to protect the security operations of business processes supported by information systems,has strong objective and can facilitate the engineering applications of security management.
