In most modern information systems (IS), functionality and security are competing design goals. Therefore, system designers are constantly forced to make security-related trade-off decisions. Systems security engineers must build systems that are secure against real-world attacks without overengineering against any particular one. By understanding which attacks are most likely and which risks are most serious, system designers can make informed security-related trade-off decisions. We describe a systems security engineering methodology designers can use to make these decisions.