How about starting with a description of the environment?
• Defines experimental context and assumptions
  – you need experimental “controls”, right?
Will you test to see if some security objectives are met?
• what security policy? is the system responsible for all aspects of them, or is the environment responsible for some?
• should you test to see which ones aren't met?
Do you know what the thing is supposed to do?
• what does it touch? what does it need to work?
Do you know what the thing is NOT supposed to do?
• can you prove it won't? How?