Selecting Security Mechanisms in Secure Tropos Michalis Pavlidis, Haralambos Mouratidis Emmanouil Panaousis and Nikolaos Argyropoulos University of Brighton {m.pavlidis,h.mouratidis,e.panaousis,n.argyropoulos}@brighton.ac.uk Abstract. As security is a growing concern for modern information systems, Security Requirements Engineering has been developed as a very active area of research. A large body of work deals with elicitation, modelling, analysis, and reasoning about security requirements. However, there is little evidence of efforts to align security requirements with se- curity mechanisms. This paper extends the Secure Tropos methodology to enable a clear alignment, between security requirements and security mechanisms, and a reasoning technique to optimise the selection of secu- rity mechanisms based on these security requirements and a set of other factors. The extending Secure Tropos supports modelling and analysis of security mechanisms; defines mathematically relevant modelling con- cepts to support a formal analysis; and defines and solves an optimisation problem to derive optimal sets of security mechanisms. We demonstrate the applicability of our work with the aid of a case study from the health care domain. Keywords: Security modelling, Secure Tropos. 1 Introduction Security is an important aspect of modern information systems and it is widely accepted that it should be treated from the early stages of the information system development process, and not as an afterthought [1–4]. As a result, during the last fifteen years the research community has witnessed a significant amount of works [5, 6], which deal with the definition, elicitation, analysis, and reasoning of security requirements. We have contributed to this body of literature, with our work on Secure Tropos [7], which is a security requirements engineering methodology that supports elicitation and analysis of security requirements. Ideally, enough security countermeasures (also known as security mechanisms or security safeguards) should be applied to a system to satisfy those security requirements. However, in practice, there is usually a trade-off between security measures and other factors such as cost and time. The literature from the se- curity engineering community has proposed a number of works that focus on security countermeasures selection usually in relation to vulnerabilities [8–10], investment costs [11,12] or risks [13,14]. However, such approaches have ignored the relationship between security mechanisms and security requirements. We believe, this is an important parameter, especially in the current era of information systems, where security requirements can frequently evolve, and