A technique for expressing IT security objectives

At the specification phase, the developer of an IT security product identifies and documents applicable security objectives. Specifications are often intuitive and hard to assess and while being syntactically correct may still fail to appropriately capture the security problem addressed. A technique is proposed for expressing Common Criteria compliant security environments and security objectives for high assurance IT security products. The technique is validated by an analysis of the security specification for a device computing digital signatures within the European Union PKI framework. Modifications to the specification are proposed and the possibility of extending the CC treatment of security objectives is discussed.