MotivationIn component-based software engineering, an application system is composed of several stand-alone software components developed by third parties. These components are readily available from various distributed sources for runtime execution. However, the paramount security concerns of these 'third-party' software components and their compositions with large scale systems over the Internet have become a major challenge. In a highly fluid distributed environment, software integrators are virtually forced to compose systems with third-party components of which they have only partial or no knowledge about their underlying security properties. When components are acquired from the Internet and composed with an application system, it is unclear what type of ultimate security can be achieved with these components for the enclosing system. The entire composite system from time to time may require different types of functionality and accordingly, the composition of the security contracts between components needs to be re-characterised to match the re-configuration requirements of the system in order to support systems security evolution. In a component-based system, we need to achieve both the security compatibility between interacting components and the security objectives for the entire system. When the entire composite system is running and providing meaningful services to the users, the systems-level security properties need to be characterised.To illustrate the main focus of this paper, we consider the following systems scenario. A number of individual healthcare components provide independent services to their environments. The services include keeping patients information, providing diagnosis reports based on test data, offering specialists advice based on the diagnosis reports, quoting prices for prescribed medicines and so on. Each of these services are independent and catered by different individual stand-alone components. We can compose a complete healthcare system by integrating the individual services provided by different components. Such a composite system is considered as a collaboration of different components which provide services in a seamless and secure way. These service providing individual components deal with a whole range of sensitive issues related to patient information such as diagnostic reports, MRI/CT-Scan images, pathological test results, diagnosis reports and prescriptions. For example, a component offering pathological services may advertise its services as providing confidentiality through secure storage of test results. On behalf of its patients, another component offering general medical services (e.g., GP practices) may require such confidentiality provided at a particular level (as guaranteed by specific encryption schemes with specific key lengths). The pathol-