System security requirements: A framework for early identification, specification and measurement of related software requirements

One of the responsibilities of developers is the early definition of non-functional requirements (NFR) at the system level and their related allocation as functional user requirements (FUR) at the software level. To identify some of the widely consensual security elements that could be used in a standards-based security framework, the security-related terminology and views from three sets of international standards (ECSS, IEEE and ISO) are analyzed and integrated. Next, the set of concepts adopted by ISO 19761 for describing software functionality at a lower level are introduced, thereby ensuring that the proposed framework is designed for measurement purposes as well. For the capture of security concepts, the proposed framework is designed using soft-goal interdependency graphs (SIG) and three main system NFR-security types: system availability, confidentiality and integrity. This standards-based system security framework at the function and service level can support software developers to derive such requirements in the early stages of the development process. Finally, an ATM example for the measurement of system security NFR allocated as software FUR within a service-oriented architecture (SOA) is presented.