Unlike functional implementations, it is difficult to analyze the impact software enhancements on security. One of the difficulties is identifying the range of effects by new security threats, and the other is developing proper countermeasures. This paper proposes an analysis process that uses two kinds of security pattern: security requirements patterns for identifying threats and security design patterns for identifying countermeasures at an action class level. With these two patterns and the conventional traceability methodology, developers can estimate and compare the amounts of modifications needed by multiple security countermeasures.