The book presents the STS method for designing secure software systems. The method focuses on the early stages of software design: requirements engineering. STS is model-driven: the central activity that the designers conduct is the construction of models that represent the security requirements of the system under design. These models are created using the Socio-Technical Security modeling language (STS-ml), which is thoroughly described in the book. In addition to presenting the STS-ml language and the STS method, the book describes the modeling and analysis software tool called STS-Tool that supports the presented approach through a graphical modeling environment, automated reasoning capabilities to verify the created models, and the automatic derivation of security requirements documents. The key message the authors convey through the book is that designing secure software systems has to adopt a socio-technical systems perspective, as opposed to considering just the technical aspects of the system. The book also features a background chapter concerning the computer and information security landscape, an application of the method to two case studies, and a detailed comparison to complementary and alternative approaches to security requirements engineering.