Hard Problem: Security requirements are difficult to apply in design and must incorporate system architectrure, functional requirements, sexuriry policies, regulations, and standards.
Summary: Secure software depends upon the ability of software developers to respond to security risks early in the software development process. Despite a wealth of security requirements, often called security controls, there is a shortfall in the adoption and implementation of these requirements. This shortfall is due to the extensive expertise and higher level cognitive skillsets required to comprehend, decompose, and reassemble security requirements concepts in the context of an emerging system design. To address this shortfall, we propose to develop two empirical methods: 1) a method to derive security requirements patterns from requirements catalogues using expert knowledge; and 2) a method to empirically evaluate these patterns for their "usability" by novice software developers against a set of common problem descriptions, including the developer's ability to formulate problems, select and instantiate patterns. The study results will yield a framework for discovering and evaluating security requirements patterns and new scientific knowledge about the limitations of patterns-based approaches when applied by novice software developers.