Software Engineering Institute

Once you have identified a set of security requirements, you will usually want to prioritize them. Due to time and budget constraints, it can be difficult to implement all requirements that have been elicited for a system. Also, security requirements are often implemented in stages, and prioritization can help to determine which ones should be implemented first. Many organizations pick the lowest cost requirements to implement first, without regard to importance. Others pick the requirements that are easiest to implement, for example, by purchasing a COTS solution. These ad hoc approaches are not likely to achieve the security goals of the organization or the project. To prioritize security requirements, we recommend a systematic prioritization approach. This article discusses a tradeoff analysis that you can do to select a suitable requirements prioritization method and briefly describes a number of methods. A companion case study [Chung 06] can be found in Requirements Prioritization Case Study Using AHP. While results may vary for your organization, the discussion of the various techniques should be of interest. Much work needs to be done before security requirements prioritization is a mature area, but it is one that we must start to address.