System quality attributes

ISO/IEC 25010:2023 (the SQuaRE system and software quality model) defines eight top-level product quality characteristics: Functional Suitability, Performance Efficiency, Compatibility, Interaction Capability, Reliability, Security, Maintainability, and Flexibility. Security has five sub-characteristics:

• Confidentiality: data is accessible only to authorised entities.
• Integrity: the system prevents unauthorised access to or modification of data.
• Non-repudiation: actions can be proven to have taken place.
• Accountability: actions can be traced uniquely to the entity that performed them.
• Authenticity: the identity of a subject can be proven to be the one claimed.

Treating security as a quality characteristic rather than a separate compliance exercise has practical implications: security requirements are managed using the same requirements engineering practices as functional requirements; security quality is measured and tracked alongside reliability and performance; security regressions trigger the same response as performance regressions.

Security NFRs must be specific, measurable, and verifiable. A poor NFR: "The system must be secure." A well-formed NFR: "All customer payment data transmitted between the client application and the backend API must be encrypted using TLS 1.2 or higher. Connections on TLS 1.1 or below must be rejected. Compliance is verified by automated test TC-TLS-001 which connects to all production API endpoints using a TLS 1.1 client and confirms a connection failure."

Security frequently creates tension with other ISO 25010:2023 quality characteristics. Documented trade-off analysis is the correct response, not silently de-prioritising one characteristic.

Security versus Interaction Capability (usability): MFA increases Authenticity but adds login friction. Resolved by: contextual MFA (prompt only on new devices or unusual locations), passkeys (FIDO2/WebAuthn replacing both password and OTP friction), and user research identifying the friction level at which adoption drops materially.

Security versus Performance Efficiency: full-disk encryption, field-level encryption, and HTTPS certificate verification all add measurable latency. Resolved by: baseline performance measurement before and after; efficient implementations (AES-GCM hardware acceleration, TLS session resumption); an explicit acceptable latency budget for security overhead.

Architectural fitness functions (Ford, Parsons, Kua: "Building Evolutionary Architectures", O'Reilly 2017) are objective, automated measurements that validate security quality properties continuously in the CI/CD pipeline. Examples: a Trufflehog scan on every pull request failing if a secret pattern is detected (no secrets in source code); a Trivy scan failing the build on any CRITICAL CVE (no vulnerable images promoted); a TLS 1.1 client test confirming connection rejection on all API endpoints; a performance test blocking deployment if p99 latency under security controls exceeds 200ms. Fitness functions are most valuable when automated, continuous, and pipeline-blocking. A fitness function generating warnings rather than failures does not enforce the property it is meant to protect.

Security debt is the accumulation of known security deficiencies not yet remediated: deferred patches beyond their SLA, omitted controls during development, unupdated threat models, and documented but unclosed compliance gaps. A practical measurement approach:

1. Inventory: enumerate all open findings from SAST, DAST, penetration tests, vulnerability scans, and compliance assessments.
2. Score: assign severity and remediation cost estimate to each item.
3. Age: calculate days overdue beyond defined SLA per severity tier.
4. Aggregate: total security debt = sum of (overdue items × severity weight × remediation cost estimate).
5. Trend: is the debt increasing or decreasing, and at what rate?

For board audiences, translate findings into business risk: "We have three unmitigated CRITICAL vulnerabilities in our payments API. If exploited, they could expose all customer payment records, with ICO fine exposure of up to 4% of global annual turnover and reputational impact comparable to the British Airways £20 million fine." Compare remediation cost to breach cost: "Fixing these three issues requires approximately 15 engineering days. A breach at our scale would likely cost £2 to 10 million in fines, incident response, customer notification, and reputational impact."

NIST CSF 2.0 (published 2024) adds a sixth function to the original five: Govern (GV) for cybersecurity risk strategy, roles, and policy; Identify (ID) for asset management and risk assessment; Protect (PR) for access control and data security; Detect (DE) for monitoring and anomaly detection; Respond (RS) for incident response; and Recover (RC) for recovery planning. The Govern function recognises that security is a governance and quality concern, not only a technical one, aligning with ISO 25010:2023's quality characteristic framing.