DocumentCode
52585
Title
How Well Do You Know Your Personae Non Gratae?
Author
Cleland-Huang, Jane
Author_Institution
DePaul University
Volume
31
Issue
4
fYear
2014
fDate
July-Aug. 2014
Firstpage
28
Lastpage
31
Abstract
Imagine that you're building a software system that collects healthcare data and financial information from its users. It might seem obvious that this personal information should be protected from prying eyes through access control mechanisms, audit trails, transaction controls, transmission encryption, and so on--in fact, perhaps so obvious that in many cases people perform only a cursory security analysis and produce rather generic security requirements. But is this the right way to build secure software? Are security requirements so similar across projects that we simply don't need to invest the time to explore product-level needs or to document requirements at an individual level for each project? The Web extra at http://youtu.be/qoocRI-7yRQ is an audio podcast in which author Jane Cleland-Huang discusses the importance of making informed decisions about how much time and effort to invest in analyzing security needs and specifying product-level security requirements.
Keywords
Information services; Medical services; Network security; Productivity; Software development; attackers; cybersecurity; requirements; security; software engineering;
fLanguage
English
Journal_Title
Software, IEEE
Publisher
ieee
ISSN
0740-7459
Type
jour
DOI
10.1109/MS.2014.85
Filename
6834694