PAPS: A Scalable Framework for Prioritization and Partial Selection of Security Requirements
This addresses resource allocation challenges in software security for developers and organizations, though it appears incremental by building on existing prioritization techniques.
The paper tackles the problem of ignoring or postponing lower-priority security requirements due to resource constraints, which can leave vulnerabilities unattended and affect other requirements; it proposes a goal-based framework for partial selection to reduce the number of ignored requirements and mitigate adverse impacts.
Owing to resource constraints, the existing prioritization and selection techniques for software security requirements (countermeasures) find a subset of higher-priority security requirements ignoring lower-priority requirements or postponing them to the future releases. Ignoring or postponing security requirements however, may on one hand leave some of the security threats (vulnerabilities) unattended and on the other hand influence other security requirements that rely on the ignored or postponed requirements. To address this, we have proposed considering partial satisfaction of security requirements when tolerated rather than ignoring those requirements or postponing them to the future. In doing so, we have contributed a goal-based framework that enables prioritization and partial selection of security requirements with respect to security goals. The proposed framework helps reduce the number of ignored (postponed) security requirements and consequently reduce the adverse impacts of ignoring security requirements in software products.