A methodology to include computer security, safety and resilience requirements as part of the user requirement

Abstract

Computer security, safety and resilience are usually implemented only after a system has been developed. This leaves a number of potential risks that must be accounted for at huge cost at a later stage. This article takes computer security, safety and resilience right to the beginning of the systems development life cycle—the user requirement specification. Limited reference is found in the literature on how to determine the requirements for computer security, safety and resilience. This article proposes a method for determining and specifying computer security, safety and resilience requirements and including these as part of the user requirement specification. By using this methodology, a complete set of computer security, safety and resilience requirements can be determined and specified as early as possible during the development phase. This methodology is based on the definition of a requirements matrix by a ‘constraints engineer’. The importance of the different computer security, safety and resilience requirements will be rated in relation to the functional requirements, and applicable countermeasures will be allocated. This will lead to justifiable costs for implementing computer security, safety and resilience for applicable systems. The complete set of computer security, safety and resilience requirements can be used as a reference after implementation of the system to determine whether all these requirements have been accounted for.