Security Story is an artifact that anyone (developer, manager, business owner, user, etc ) can read and feel assured that their security concerns are addressed.It is a collaborative effort that highlights how the implementation, application design, service infrastructure, organization processes, and the business environment itself protect what’s important to the business.
There is no fixed format or content for a security story as a security story should evolve over the life of an application. A story may contain text, images, diagrams, spreadsheets, links, and other formats.
security story can be write in many ways most commonly it can start with capturing the concerns of application stakeholders, including both application providers and application users followed by list down the lifelines of the application.You need to create strategy to defend the each lifeline.Build the specific defence and proof of these defenses should be included in story. security stories are not static they has to change when condition changes .