Development of the information security requirements of practical telecommunications and software-intensive systems is typically at an inadequate level and relies heavily on the experience of the security professionals. Security requirements are in the focus in all phases of security engineering. Obviously, automated approaches are needed in this field. We here introduce a framework for security evaluation based on security requirement definition, behavior modeling and evidence collection.