Adaptive Security Activities Selection Model Using Multi-Criteria Decision-Making Methods

Author:

Mazni Mohamed Jakeri, Mohd Fadzil Hassan, Aliza Sarlan, Amirudin Abdul Wahab

Abstract

Adaptive security activities are a list of recommended security activities to be integrated smoothly with the software development life cycle (SDLC) to produce secure application software. Adaptive security activities are needed due to the emergence of factors and constraints which have been determined as one of the reasons for the underutilisation of security activities implementation, especially in the earlier phase of the software development process. Security activities selection models were proposed to select and recommend security activities, but the models were focused on certain factors or served as a solution for specific constraints, and thus the recommended security activities were not adaptive. Consequently, an adaptive security activities selection (ASAS) model was proposed by combining the factors and constraints faced by the development team in selecting security activities. The model consisted of two integrated multi-criteria decision-making (MCDM) methods, namely Analytic Network Process (ANP) and Reference Ideal Method (RIM). ANP was used to prioritise and weight the criteria, while RIM was used to measure and evaluate the security activities with the value of constraints in regard to each criterion. To validate the model, a case study was performed on four in-house web application development teams in the Malaysian public sector. The proposed model was able to recommend security activities in the requirement and design phase based on different constraints faced by each of the development teams. The model was adaptive due to its flexibility and ability to change and suit different evolved conditions when recommending the security activities.

Publisher

Auricle Technologies, Pvt., Ltd.

Subject

Animal Science and Zoology
