Utilizing security requirements engineering methods for operational security maintenance purposes

Secure systems are achieved by implementing appropriate controls and policies specified based on appropriate selection of minimum security requirements. Maintaining security for these systems is a major challenge. Systems may encounter threats that may arise due to exploitation of vulnerabilities or due to programming flaws. In this work we address security requirements engineering approaches and focus primarily on methods that may be utilized for the purpose of investigating incidents. We have shown empirically that threats may be identified by using methods such as faults trees; and systematically that by using other methods such as events trees, incidents may be avoided or prevented.