Modeling and Managing Security and Safety Requirements

Source: University of Chinese Academy of Sciences | Cited: 0 times | Uploaded by: aswdea
The research field of information system security has received much attention in the last few years, with an extensive number of publications from perspectives ranging from the technical to the behavioral. However, modeling information in such a way that security risk analysis can be carried out throughout the system lifetime has not received so much attention. Nor has the continuous management of security requirements in an uncertain operational environment been dealt with extensively in the literature. Even if it can be demonstrated that a software system meets its security requirements prior to deployment, the ability to verify the same assumptions at runtime is also necessary, because at runtime security requirements may be violated as a result of failure to anticipate the behavior of all the agents (other systems and human users).

At the beginning of this research work we adopted use/misuse case techniques as the building block and the methodology explored for security requirements engineering. Subsequently, all the tasks involved in the research work were built not in isolation but with respect to this established technique. The fields of safety and security have developed differently and largely independently over the past half century, and their separate treatment is proving to be inadequate. With the ever-increasing exploitation of networking technologies, it is now much more imperative that both safety and security be treated as significant for a given system, giving rise to a need for both to be considered during the requirements engineering phase of system development. In light of this, we proposed a unified use case model for eliciting both safety and security requirements during system development. We introduced new concepts such as the vulnerable use case and the abuse case in order to identify as many potential risks as possible.

We model the interactions between threats, safeguards and assets at a detailed level to allow a better understanding of threat analysis and mitigation. We presented both textual and diagrammatic representations of threats and system interactions. Risk management provides an effective way of measuring security through risk assessment, risk mitigation and evaluation. We have designed a procedure to analyze the risk of information systems via misuse cases and to determine the trade-off between risk and the cost of countermeasures during system development.

Information System (IS) security and safety requirements are serious requirements which must be carefully considered not as an isolated aspect but as an element addressed throughout the software system development lifecycle. In this light, reuse is an all-important and critical factor in security requirements engineering; hence the concepts and relations of use/misuse cases for eliciting safety and security requirements need to be formally defined so that they can be shared by the community of system developers. In order to achieve the ultimate goal of this research, that is, realizing mechanisms that can dynamically monitor an information system against threats and apply the right countermeasure to the right risk, information system components should collaborate and communicate with each other by sharing a common vocabulary; hence the need to build an ontology. The proposed model was developed into an ontology for modeling safety and security requirements for reuse. The security ontology was built using use case concepts as the building blocks. The OWL Protégé 3.3.1 editor was used for the ontology coding. We elaborated the ontology to include risk factors in order to aid the modeling of a risk-based secure information system.

Although existing risk management approaches are widely accepted, they demand very detailed knowledge (an ontology) of the information system security domain and of the actual organizational environment. The use case based security ontology provides a solid base for an applicable and holistic information system security approach, enabling low-cost risk management and threat analysis.

In order to create room for effective threat monitoring at run time, we enhanced the use case technique with some security policy concepts for the security management of deployed information systems, specifically security policies expressed in the PONDER policy specification language. Capturing security threat scenarios during and after information system (IS) development is a crucial step in building and maintaining a resilient system. In order to cope with this challenge we propose some extensions and improvements to the popular use case technique so that an IS can be developed in a way that facilitates IS security management after the system has been deployed. Our proposed approach incorporates security policy modeling concepts into use case modeling to aid in the identification of threat behaviors with respect to unauthorized access, and applies HAZOP-inspired guide words to UML use cases to facilitate the systematic identification of security violations with respect to authentication.

For the purpose of security management at run time, we propose the use of a software-agent-based architecture tagged Collect-Probe-Analyze-Reason-Reappraise (CPARR) to offer novel solutions to the complexity inherent in managing IS security requirements in a cost-effective way, in order to obtain a tangible Return on Security Investment (RoSI). At the centre of this model is a case-based reasoning (CBR) system that aids the adaptation of security measures in an efficient way. We adopted the Euclidean distance similarity function in determining the nearest neighbor.

The modular approach in the design of the agents will facilitate scalability, which is essential in complex and large systems. It also helps to avoid degradation in functionality throughout the system lifetime. Risk can be dynamically generated or predicted, depending on the period of time specified. In particular, agents are used to collect data in real time. The data are analyzed with the assistance of the semantic repository in the form of an ontology. We explore the theory of long-term frequency as probability in determining the likelihood of threat occurrence, and use a threshold scale value to convert the result to a qualitative value in order to determine the risk level of the considered threats.

The proposed CPARR model for IS adaptive security management offers the following benefits. First, it provides a mechanism to reveal the risk factors to the system administrator who is responsible for securing the system. Second, it provides a practical means to analyze the security risk that the IS is prone to at every point in time; this reduces the coarseness usually involved in risk analysis, and is achieved by acquiring the frequencies of potential threats at runtime. Third, the model can formally reason about potential threats and the associated risk factors through the inference provided by the ontology. Modeling threats this way is a structured approach that is far more cost-efficient and effective than applying security features in a haphazard manner without knowing precisely the type of threats each feature is supposed to address. We have developed the proposed architecture into a tool and applied the tool to an e-banking system. Optimistic results were obtained.
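The following is an added illustration, not the thesis's own code, of the two CPARR mechanisms the abstract names: threat likelihood computed as long-run relative frequency of runtime-collected events and mapped to a qualitative risk level by a threshold scale, and case-based retrieval of a countermeasure using Euclidean-distance nearest neighbour. The threshold values, case features (likelihood, asset criticality), event log and case base are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed threshold scale (an assumption, not the thesis's values):
# relative frequency of a threat -> qualitative risk level.
THRESHOLDS = [(0.5, "high"), (0.2, "medium"), (0.0, "low")]

# Constructed case base: past cases as (likelihood, asset criticality)
# feature vectors with the countermeasure that was applied then.
CASE_BASE = [
    {"features": (0.55, 0.8), "countermeasure": "account lockout and rate limiting"},
    {"features": (0.30, 0.9), "countermeasure": "parameterised queries and input validation"},
    {"features": (0.10, 0.3), "countermeasure": "log and monitor only"},
]

def threat_likelihoods(events):
    """Likelihood of each threat as its long-run relative frequency among the
    events the collecting agents observed (frequency as probability)."""
    counts = Counter(events)
    total = sum(counts.values())
    return {threat: n / total for threat, n in counts.items()}

def risk_level(likelihood):
    """Convert a numeric likelihood to a qualitative level via the threshold scale."""
    for bound, label in THRESHOLDS:
        if likelihood >= bound:
            return label
    return "low"

def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def nearest_case(query, case_base=CASE_BASE):
    """CBR retrieval: the stored case whose feature vector is closest to the query."""
    return min(case_base, key=lambda case: euclidean(query, case["features"]))

def reappraise(events, criticality):
    """For every observed threat: (qualitative risk level, retrieved countermeasure)."""
    result = {}
    for threat, p in threat_likelihoods(events).items():
        case = nearest_case((p, criticality[threat]))
        result[threat] = (risk_level(p), case["countermeasure"])
    return result

# Constructed sample run: 10 events collected during one monitoring period.
EVENTS = ["failed_login"] * 6 + ["sql_injection"] * 3 + ["port_scan"]
CRITICALITY = {"failed_login": 0.9, "sql_injection": 0.9, "port_scan": 0.2}

if __name__ == "__main__":
    for threat, (level, action) in reappraise(EVENTS, CRITICALITY).items():
        print(f"{threat}: risk={level}, countermeasure={action}")
```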