Security is one of the major concerns when developing missioncritical business applications, and this concern motivated the Web Services Security specifications. However, the existing tools to configure the security properties of Web Services give a technology-oriented view; only assisting in choosing data to encrypt and the encryption algorithms to use. A user must manually bridge the gap between the security requirements and the configuration, which could cause extra configuration costs and lead to potential misconfiguration hazards. To ease this situation, we came up with refining security requirements from business to technology, leveraging the concepts of Service-Oriented Architecture (SOA) and Model-Driven Architecture (MDA). Security requirements are gradually transformed to more detailed ones or countermeasures by bridging the gap between them by using best practice patterns. Categories and Subject Descriptors D.2.1 [Software Engineering]: Requirements/Specifications ? methodo...