As IT-systems become more complex they become more susceptible to suffering of security threats and vulnerabilities. Accordingly, security has also become an increasingly growing concern that must be considered before the system has already been designed and put into operation. In particular, at the requirements phase of the Software Development Life Cycle. However, obtaining security requirements is non-trivial in view of requirements engineers’ insufficient knowledge of security terminology. There exist many methods that help to elicit security requirements by using various security concepts. Among the possible methods, this thesis compares Abuse Frame, Misuse Case and Common Criteria methods to identify the common security concepts they use to elicit security requirements and how they link security concepts to the security requirements. The research findings show that the most common security concepts that have been used by the above-mentioned methods are: threat, asset, and countermeasure. These concepts are directly related to security requirements in such manner where security requirements protect assets from harm caused by threats through describing the countermeasures that mitigate the threats and achieve the security objectives. It is also found that two out of three methods used the countermeasure concept as a synonym to a security requirementrather than a security architecture mechanism. A countermeasure is viewed as an abstract statement that describe how to mitigate a threat or eliminate a vulnerability without specifying any technical details or architecture mechanisms.