INTRODUCTION Failure to incorporate security into systems requirements is a concern dating back at least a quarter of a century (Schell, Downey & Popek, 1973, Pipkin, 2000). Compounding this oversight is the lack of attention paid to security in textbooks and the exclusion of security as a functional requirement (Haworth, 2002, Trimmer, Parker & Schou, 2007).