Abstract: “The goal of the software security requirements is to build better, defect-free software. But most requirements engineers are poorly trained to elicit, analyze, and specify security requirements, often confusing them with the architectural security mechanisms that are traditionally used to fulfill them. They thus end up specifying architecture and design constraints rather than true security requirements. This paper defines the basic of the security requirements and assets and threats in detail. And at last define the different types of security requirements as proposed by Firesmith [1] and provides associated examples and guildlines with the intent of enabling requirements engineers to adequately specify security requirements without unnecessarily constraining the security and architecture teams from using the most appropriate security mechanisms for the job.”

Keywords: Information System, Security Requirement Elicitation, Security Services, Security Mechanism, Assets, Threats, Identification and Prioritization