Modelling and reasoning about security requirements in socio-technical systems