Title: A Fuzzy Approach to Prioritisation of Security Requirements in a Constrained Agile Software Development Environment
Authors: N. Naicker, M. Maharaj
DOI: 10.26803/myres.2018.05 (https://doi.org/10.26803/myres.2018.05)
Published in: 2018 International Conference on Multidisciplinary Research
Publication date: 2018-12-31
Publication type: Journal Article
Citation count: 0
Abstract
Requirements Engineering (RE) is a software engineering process that takes place early, namely during the planning phases of software development. The recent spate of hacking incidents, especially ransomware infections, has suggested the need for a more robust approach to web application security during RE. This will not only prevent these vulnerabilities but also avoid the rework that is otherwise necessary after a hacking incident. The prioritisation process in RE is instrumental in determining whether a security requirement gets implemented or is kept on hold indefinitely. A desktop literature review revealed ample scope for fuzzy TOPSIS as a security requirements prioritisation technique. The aim of this research study was to assess the viability of a new and more inclusive technique for ranking security requirements more precisely. A fuzzy automated tool was developed to test this new approach to ranking security requirements. The method will ensure the implementation of the most important security requirements to secure the system. The Design Science Research Methodology guided the development of the automated fuzzy software tool. The automated tool was evaluated in a qualitative study at 17 software development companies. The researcher used structured interviews and document reviews as the primary research instruments. Qualitative data was analyzed deductively using content analysis. It was found that an immediate benefit of the tool is that it prevented biases and autocratic leaders from influencing decision making during security risk analysis. The study concluded that the automated fuzzy tool showed positive results for ranking security requirements in Agile RE. Further research on the usability of the software tool is recommended.