Savola, Reijo M.; Abie, Habtamu
The lack of appropriate information security solutions in software intensive systems can have serious consequences for businesses and the stakeholders. Carefully designed security metrics can be used to offer evidence of the security behavior of the system under development or operation. This study investigates holistic development of security metrics for a distributed messaging system based on threat analysis, security requirements, decomposition and use case information. Our approach is thus requirement centric. The highlevel security requirements are expressed in terms of lower level measurable components applying a decomposition approach.