Security attacks aim to system vulnerabilities that may lead to operational failures. In order to react to attacks software designers use to introduce Fault-Tolerant Techniques (FTTs), such as recovery procedures, and/or Security Mechanisms (SMs), such as encryption of data. FTTs and SMs inevitably consume system resources, hence they influence the system performance, even affecting its full operability.

The goal of this paper is to provide a model-based methodology able to quantitatively estimate the performance degradation due to the introduction of FTTs and/or SMs aimed at protecting critical systems. Such a methodology is able to inform software designers about the performance degradation the system may incur, thus supporting them to find appropriate security strategies while meeting performance requirements. This approach has been applied to a case study in the E-commerce domain, whose experimental results demonstrate its effectiveness.