First of all, you are potentially misusing user stories as a mechanism. A user story emerges from a real need, it should not be invented or changed to fit the process.
Anyway, it could be something like:
As chief security manager, I want all communication between all our applications and all clients to be done via HTTPs so that the risk of a MITM attack is lowered.
Or:
As a page visitor, I want to see a "green lock" in my browser so that I feel safe and protected.
Note the difference between the two. For example, if you have a mobile app with client-server interaction, an API - first story forces you to cover those as well.
