PAPS: A Scalable Framework for Prioritization and Partial Selection of Security Requirements

Abstract: Owing to resource constraints, the existing prioritization and selection techniques for software security requirements (countermeasures) find a subset of higher-priority security requirements ignoring lower-priority requirements or postponing them to the future releases. Ignoring or postponing security requirements however, may on one hand leave some of the security threats (vulnerabilities) unattended and on the other hand influence other security requirements that rely on the ignored or postponed requirements. To address this, we have proposed considering partial satisfaction of security requirements when tolerated rather than ignoring those requirements or postponing them to the future. In doing so, we have contributed a goal-based framework that enables prioritization and partial selection of security requirements with respect to security goals. The proposed framework helps reduce the number of ignored (postponed) security requirements and consequently reduce the adverse impacts of ignoring security requirements in software products.