Abstract
Many security requirements elicitation techniques implicitly assume that assets have been identified beforehand, but few actually describe how this should be done. In this paper, we suggest one specific method that can be used to identify and prioritize assets in any software engineering project.