It is critical and foremost to come up with the corresponding security requirements first which the following implementations are based on. However, previous security requirement elicitation work based on Common Criteria (CC) rarely addresses the detailed elicitation process of threats from specific functional requirements, which thus results in the widen gap between specific functional requirements and their corresponding threats. To this end, this paper proposes a framework for eliciting corresponding security requirements of specific functional requirements from the requirements specification. A formal model is built in the framework to assist requirement analysts in half-automatic collecting threats. To enhance the framework's automaticity and reusability, a security property base is constructed based on authoritative sources of security properties to support the framework. A practical information system is applied to verify the framework's practicability. Finally the framework's advantages and limitations are discussed thoroughly compared with previous approaches and useful insights are revealed.