The ubiquity of information systems has made correct and reliable operation of critical systems indispensable. The trustworthiness of digital systems is increasingly dependent on the trustworthiness of the software. While hardware trustworthiness is by no means a solved problem, system-wide problems are increasingly blamed on poorly tested, defective software. System trustworthiness is therefore a combination of several key software attributes: reliability, safety, security, availability, performance, fault-tolerance, and privacy. Some of these attributes can be directly measured, some cannot. For example performance and availability can be numerically measured; safety and security cannot. Further, several of these attributes may conflict, such as security and performance. Therefore to demonstrate that the software of a system can be trusted, it requires a combination of qualitative arguments concerning the level achieved for some attributes in combination with the numerical (quantitative) scores measured for others. In order to understand the trustworthiness and security of a software system, we first need to understand its reliability and fault tolerance