How about starting with a description of the environment?
•Defines experimental context and
–you need experimental “controls”,
Will you test to see if some security
objectives are met?
•what security policy? is the system
responsible for all aspects of them, or is the environment responsible for some?
•should you test to see which ones aren't
Do you know what the thing is supposed to do?
•what does it touch? what does it need to work?
Do you know what the thing is NOT supposed to do?
•can you prove it won't? How?