Security Requirements Prioritization Techniques: A Survey and Classification Framework

Citation: Khanneh, S.; Anu, V. Security Requirements Prioritization Techniques: A Survey and Classification Framework. Software 2022, 1, 450–472. https://doi.org/10.3390/software1040019
Academic Editors: Sanjay Misra, Robertas Damaševičius and Bharti Suri
Received: 10 August 2022
Accepted: 25 October 2022
Published: 28 October 2022
Publisher's Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Copyright: © 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Article
Security Requirements Prioritization Techniques: A Survey and Classification Framework
Shada Khanneh and Vaibhav Anu *
Department of Computer Science, Montclair State University, Montclair, NJ 07043, USA
* Correspondence: anuv@montclair.edu
Abstract:
Security Requirements Engineering (SRE) is an activity conducted during the early stage of the SDLC. SRE involves eliciting, analyzing, and documenting security requirements. Thorough SRE can help software engineers incorporate countermeasures against malicious attacks into the software's source code itself. Even though all security requirements are considered relevant, implementing all security mechanisms that protect against every possible threat is not feasible. Security requirements must compete not only with time and budget, but also with the constraints they inflict on a software's availability, features, and functionalities. Thus, the process of security requirements prioritization becomes an integral task in the discipline of risk-analysis and trade-off-analysis. A sound prioritization technique provides guidance for software engineers to make educated decisions on which security requirements are of topmost importance. Even though previous research has proposed various security requirement prioritization techniques, none of the existing research efforts have provided a detailed survey and comparative analysis of existing techniques. This paper uses a literature survey approach to first define security requirements engineering. Next, we identify the state-of-the-art techniques that can be adopted to impose a well-established prioritization criterion for security requirements. Our survey identified, summarized, and compared seven (7) security requirements prioritization approaches proposed in the literature.
Keywords:
software engineering; requirements prioritization; software security; requirements engineering
1. Introduction
Security, in the context of information technology services and software engineering, is becoming a topic that is garnering tremendous attention. The degree of ubiquity and availability the world is witnessing in software-driven services, networking, and shared resources is recognizably higher in recent years. With that in consideration, security presents itself as an integral part in developing a successful and reliable software system that incorporates the necessary measures for protecting stakeholders' assets [1]. Requirements Engineering (RE), which is the earliest and an essential stage of the software development lifecycle (SDLC), presents software developers with the opportunity to identify and document security requirements for the software being built.
Security is a vast and complex concept that addresses within its folds many constraints and quality aspects, including privacy, confidentiality, integrity, availability, and interoperability. Security concerns must be addressed and accounted for in the early stages of the software development lifecycle (SDLC) to avoid serious security faults in the system [2–8]. Furthermore, a clear process must be established and tailored for analyzing and addressing security requirements. The current practice in software development projects barely allocates time to address the subject of security requirements analysis in the Requirements Engineering (RE) phase of SDLC and instead pushes any security events analysis to the next SDLC phase (i.e., the software design phase). However, leading researchers in the software engineering literature recognized the need to address security concerns more adequately in the RE phase itself so as to prevent security risks, attacks, and financial loss [2,4,9–12]. For