What is the difference between these two specifications?
1. Security: a team of 10 hackers [profiled elsewhere] per hour attempting to access account holders' credit card information shall be successful no more than an average of once every five years.
2. The system shall require users log in with a user name and password. On the third consecutive unsuccessful log-in attempt using a particular user name, the system will lock the corresponding account.
The first specification is a nonfunctional requirement. The second specification is a functional decomposition of that nonfunctional requirement.
All nonfunctional requirements can be decomposed into functional specifications.
In fact, when an interaction designer fleshes out (defines the particular steps in) a use case, she is functionally decomposing both functional and nonfunctional requirements. She is specifying functional steps that will satisfy the requirements.