Security Requirements Prioritization Techniques: A Survey and Classification Framework

Abstract

Security requirements Engineering (SRE) is an activity conducted during the early stage of the SDLC. SRE involves eliciting, analyzing, and documenting security requirements. Thorough SRE can help software engineers incorporate countermeasures against malicious attacks into the software’s source code itself. Even though all security requirements are considered relevant, implementing all security mechanisms that protect against every possible threat is not feasible. Security requirements must compete not only with time and budget, but also with the constraints they inflect on a software’s availability, features, and functionalities. Thus, the process of security requirements prioritization becomes an integral task in the discipline of risk-analysis and trade-off-analysis. A sound prioritization technique provides guidance for software engineers to make educated decisions on which security requirements are of topmost importance. Even though previous research has proposed various security requirement prioritization techniques, none of the existing research efforts have provided a detailed survey and comparative analysis of existing techniques. This paper uses a literature survey approach to first define security requirements engineering. Next, we identify the state-of-the-art techniques that can be adopted to impose a well-established prioritization criterion for security requirements. Our survey identified, summarized, and compared seven (7) security requirements prioritization approaches proposed in the literature.