A technique to include computer security, safety, and resilience requirements as part of the requirements specification

Abstract

Provisions to ensure computer security, safety, and resilience are often implemented only after a system has been developed. This leaves many potential risks that must be accounted for at huge costs at a later stage. This article takes computer security, safety, and resilience to the beginning of the systems development life cycle: the user requirement specification. Limited reference was found in the literature on how to determine the requirements for computer security, safety, and resilience. This article proposes a technique for identifying and specifying computer security, safety, and resilience requirements and including these as part of the requirement specification. By use of this technique, a complete set of computer security, safety, and resilience requirements can be identified and specified as early as possible during the development phase. This technique is based on the definition of a requirements matrix by a constraints engineer. The importance of the different computer security, safety, and resilience requirements will be rated in relation to the functional requirements, and applicable counter measures will be allocated. This will lead to justifiable costs for implementing computer security, safety, and resilience for applicable systems. The complete set of computer security, safety, and resilience requirements can be used as a reference after implementation of the system to determine whether all the computer security, safety, and resilience requirements have been accounted for.