Im with some doubts about defining non functional requirements relatively to security, modificability and usability.

Relative to security for example a requirement for a system that needs to use https because it deals with financial information. A security non functional requirement for this can be "all transactions that involve financial information must be encrypted"? Because it seems a non functional requirement, however dont seems measurable.

Relative to modificability, specificaly in the case in which a system that must be implemented in a way that it is easy to add new functions. How can we define a non functional requirement for this that its not vague and it is measurable?

And about usability, "the system must present understandable error messages" is non functional requirement? Because its not functional, however, its not measurable, so, it can be considered non functional requirement? Also a requirement like "the interface must responsive" and "the system must be cross browsing" are non functional requirements relative to usability?

requirements