A fuzzy framework for prioritization and partial selection of security requirements in software projects

Resource limitations in software projects rarely allow for the security requirements to be fully realized. As such, Prioritization and Selection (PAS) techniques are used to find an optimal subset of the requirements. Consequently, some of the security requirements will be ignored. But ignoring security requirements may (a) leave some of the security threats unattended and (b) negatively impact the effectiveness of the selected requirements. To mitigate this, we have proposed a fuzzy framework, referred to as Prioritization And Partial Selection (PAPS), that reduces the number of ignored security requirements by allowing for partial satisfaction of those requirements. We achieve this by relaxing the satisfaction conditions of security requirements, when tolerated, based on their priorities specified by a fuzzy inference system. Taking into account the partiality of security in PAPS mitigates the adverse impact of ignoring security requirements and enhances the accuracy of prioritization and selection. Our proposed framework is scalable to a large number of requirements.