{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,28]],"date-time":"2026-02-28T17:52:36Z","timestamp":1772301156074,"version":"3.50.1"},"reference-count":41,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2022,10,28]],"date-time":"2022-10-28T00:00:00Z","timestamp":1666915200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Software"],"abstract":"Security requirements Engineering (SRE) is an activity conducted during the early stage of the SDLC. SRE involves eliciting, analyzing, and documenting security requirements. Thorough SRE can help software engineers incorporate countermeasures against malicious attacks into the software\u2019s source code itself. Even though all security requirements are considered relevant, implementing all security mechanisms that protect against every possible threat is not feasible. Security requirements must compete not only with time and budget, but also with the constraints they inflect on a software\u2019s availability, features, and functionalities. Thus, the process of security requirements prioritization becomes an integral task in the discipline of risk-analysis and trade-off-analysis. A sound prioritization technique provides guidance for software engineers to make educated decisions on which security requirements are of topmost importance. Even though previous research has proposed various security requirement prioritization techniques, none of the existing research efforts have provided a detailed survey and comparative analysis of existing techniques. This paper uses a literature survey approach to first define security requirements engineering. Next, we identify the state-of-the-art techniques that can be adopted to impose a well-established prioritization criterion for security requirements. Our survey identified, summarized, and compared seven (7) security requirements prioritization approaches proposed in the literature.<\/jats:p>","DOI":"10.3390\/software1040019","type":"journal-article","created":{"date-parts":[[2022,10,29]],"date-time":"2022-10-29T23:45:00Z","timestamp":1667087100000},"page":"450-472","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":9,"title":["Security Requirements Prioritization Techniques: A Survey and Classification Framework"],"prefix":"10.3390","volume":"1","author":[{"given":"Shada","family":"Khanneh","sequence":"first","affiliation":[{"name":"Department of Computer Science, Montclair State University, Montclair, NJ 07043, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8104-4942","authenticated-orcid":false,"given":"Vaibhav","family":"Anu","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Montclair State University, Montclair, NJ 07043, USA"}]}],"member":"1968","published-online":{"date-parts":[[2022,10,28]]},"reference":[{"key":"ref_1","unstructured":"Mead, N.R., Viswanathan, V., and Padmanabhan, D. (August, January 28). Incorporating Security Requirements Engineering into the Dynamic Systems Development Method. Proceedings of the International Computer Software and Applications Conference, Turku, Finland."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"8963","DOI":"10.1007\/s13369-019-04067-3","article-title":"A Systematic Review and Analytical Evaluation of Security Requirements Engineering Approaches","volume":"44","author":"Nazir","year":"2019","journal-title":"Arab. J. Sci. Eng."},{"key":"ref_3","first-page":"27","article-title":"Proposing Security Requirement Prioritization Framework","volume":"2","author":"Gulati","year":"2012","journal-title":"Int. J. Comput. Sci. Eng. Appl."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Kobilica, A., Ayub, M., and Hassine, J. (2020). Automated Identification of Security Requirements. Proceedings of the Evaluation and Assessment in Software Engineering, Association for Computing Machinery.","DOI":"10.1145\/3383219.3383288"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.cosrev.2019.05.002","article-title":"On Cloud Security Requirements, Threats, Vulnerabilities and Countermeasures: A Survey","volume":"33","author":"Kumar","year":"2019","journal-title":"Comput. Sci. Rev."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"1785","DOI":"10.1016\/j.compeleceng.2012.08.008","article-title":"Survey and Analysis on Security Requirements Engineering","volume":"38","author":"Salini","year":"2012","journal-title":"Comput. Electr. Eng."},{"key":"ref_7","first-page":"9","article-title":"A Novel Framework for Security Requirement Prioritization","volume":"38","author":"Sharma","year":"2012","journal-title":"Int. J. Comput. Appl."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Villamizar, H., Kalinowski, M., Viana, M., and Fern\u00e1ndez, D.M. (2018, January 29\u201331). A Systematic Mapping Study on Security in Agile Requirements Engineering. Proceedings of the 44th Euromicro Conference on Software Engineering and Advanced Applications, SEAA 2018, Prague, Czech Republic.","DOI":"10.1109\/SEAA.2018.00080"},{"key":"ref_9","first-page":"53","article-title":"Engineering Security Requirements","volume":"2","author":"Firesmith","year":"2003","journal-title":"J. Object Technol."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Laborde, R., Bulusu, S.T., Wazan, A.S., Barr\u00e8re, F., and Benzekri, A. (2019, January 8\u201312). Logic-Based Methodology to Help Security Architects in Eliciting High-Level Network Security Requirements. Proceedings of the ACM Symposium on Applied Computing, Limassol, Cyprus.","DOI":"10.1145\/3297280.3297437"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/1082983.1083214","article-title":"Security Quality Requirements Engineering (SQUARE) Methodology","volume":"30","author":"Mead","year":"2005","journal-title":"ACM SIGSOFT Softw. Eng. Notes"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"153","DOI":"10.1016\/j.csi.2010.01.006","article-title":"A Systematic Review of Security Requirements Engineering","volume":"32","author":"Mellado","year":"2010","journal-title":"Comput. Stand. Interfaces"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"100972","DOI":"10.1016\/j.elerap.2020.100972","article-title":"Security Requirements Identification and Prioritization for Smart Toys","volume":"41","author":"Fantinato","year":"2020","journal-title":"Electron. Commer. Res. Appl."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Fletcher, K.K., and Liu, X. (2011, January 27\u201329). Security Requirements Analysis, Specification, Prioritization and Policy Development in Cyber-Physical Systems. Proceedings of the 2011 5th International Conference on Secure Software Integration and Reliability Improvement\u2014Companion, SSIRI-C 2011, Jeju Island, Korea.","DOI":"10.1109\/SSIRI-C.2011.25"},{"key":"ref_15","unstructured":"Hadar, E., Kravchenko, D., and Basovskiy, A. (September, January 31). Cyber Digital Twin Simulator for Automatic Gathering and Prioritization of Security Controls\u2019 Requirements. Proceedings of the IEEE International Conference on Requirements Engineering, Zurich, Switzerland."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Hadar, E., and Hassanzadeh, A. (2019, January 23\u201327). Big Data Analytics on Cyber Attack Graphs for Prioritizing Agile Security Requirements. Proceedings of the IEEE International Conference on Requirements Engineering, Jeju Island, Korea.","DOI":"10.1109\/RE.2019.00042"},{"key":"ref_17","unstructured":"Mougouei, D. (2017). PAPS: A Scalable Framework for Prioritization and Partial Selection of Security Requirements. arXiv."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"012060","DOI":"10.1088\/1757-899X\/769\/1\/012060","article-title":"Requirement Prioritization Based on Non-Functional Requirement Classification Using Hierarchy AHP","volume":"769","author":"Win","year":"2020","journal-title":"IOP Conf. Series: Mater. Sci. Eng."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Yoo, S.G., Vaca, H.P., and Kim, J. (2017, January 9\u201311). Enhanced Misuse Cases for Prioritization of Security Requirements. Proceedings of the 9th International Conference on Information Management and Engineering, Barcelona, Spain.","DOI":"10.1145\/3149572.3149580"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Park, K.Y., Yoo, S.G., and Kim, J. (2011). Security Requirements Prioritization Based on Threat Modeling and Valuation Graph. Commun. Comput. Inf. Sci., 142\u2013152.","DOI":"10.1007\/978-3-642-24106-2_19"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1109\/MS.2008.19","article-title":"Security Requirements for the Rest of Us: A Survey","volume":"25","author":"Tondel","year":"2008","journal-title":"IEEE Softw."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Haley, C.B., Moffett, J.D., Laney, R., and Nuseibeh, B. (2006, January 20\u201328). A Framework for Security Requirements Engineering. Proceedings of the International Conference on Software Engineering, Shanghai, China.","DOI":"10.1145\/1137627.1137634"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Turpe, S. (2017, January 4\u20138). The Trouble with Security Requirements. Proceedings of the 2017 IEEE 25th International Requirements Engineering Conference, RE 2017, Lisbon, Portugal.","DOI":"10.1109\/RE.2017.13"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Boehm, B. (2006, January 20\u201328). A View of 20th and 21st Century Software Engineering. Proceedings of the 28th international conference on Software engineering, Shanghai, China.","DOI":"10.1145\/1134285.1134288"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Nuseibeh, B., and Easterbrook, S. (2000). Requirements Engineering: A Roadmap. The Future of Software Engineering, Springer Science & Business Media.","DOI":"10.1145\/336512.336523"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Hansch, G., Schneider, P., and Brost, G.S. (2019, January 8). Deriving Impact-Driven Security Requirements and Monitoring Measures for Industrial IoT. Proceedings of the CPSS 2019 5th ACM Cyber-Physical System Security Workshop, co-located with AsiaCCS 2019, Auckland, New Zealand.","DOI":"10.1145\/3327961.3329528"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"34","DOI":"10.1109\/2.708448","article-title":"A Survey of Web Security","volume":"31","author":"Rubin","year":"1998","journal-title":"Computer"},{"key":"ref_28","first-page":"31","article-title":"A Goal Based Framework by Adopting SQUARE Process for Privacy and Security Requirement Engineering","volume":"169","author":"Hayat","year":"2017","journal-title":"Int. J. Comput. Appl."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"244","DOI":"10.1016\/j.csi.2006.04.002","article-title":"A Common Criteria Based Security Requirements Engineering Process for the Development of Secure Information Systems","volume":"29","author":"Mellado","year":"2007","journal-title":"Comput. Stand. Interfaces"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"311","DOI":"10.1504\/IJRAM.2008.019747","article-title":"Risk Management in Information Technology Projects","volume":"9","author":"Dey","year":"2008","journal-title":"Int. J. Risk Assess. Manag."},{"key":"ref_31","unstructured":"Sion, L., Van Landuyt, D., Yskout, K., and Joosen, W. (May, January 30). SPARTA: Security & Privacy Architecture Through Risk-Driven Threat Assessment. Proceedings of the IEEE International Conference on Software Architecture Companion, Seattle, WA, USA."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"67","DOI":"10.1109\/52.605933","article-title":"A Cost-Value Approach for Prioritizing Requirements","volume":"14","author":"Karlsson","year":"1997","journal-title":"IEEE Softw."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Sadiq, M., Ahmed, J., Asim, M., Qureshi, A., and Suman, R. (2010, January 9\u201310). More on Elicitation of Software Requirements and Prioritization Using AHP. Proceedings of the DSDE 2010\u2014International Conference on Data Storage and Data Engineering, Bangalore, India.","DOI":"10.1109\/DSDE.2010.23"},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"644","DOI":"10.1007\/s10664-009-9105-0","article-title":"Practical Challenges of Requirements Prioritization Based on Risk Estimation","volume":"14","author":"Herrmann","year":"2009","journal-title":"Empir. Softw. Eng."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"103699","DOI":"10.1016\/j.compind.2022.103699","article-title":"Towards situational aware cyber-physical systems: A security-enhancing use case of blockchain-based digital twins","volume":"141","author":"Suhail","year":"2022","journal-title":"Comp. Ind."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Xi, P., Zhang, X., Wang, L., Liu, W., and Peng, S. (2022). A Review of Blockchain-Based Secure Sharing of Healthcare Data. App. Sci., 12.","DOI":"10.3390\/app12157912"},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"176","DOI":"10.1016\/j.procs.2021.07.022","article-title":"Privacy, Security and Policies: A Review of Problems and Solutions with Blockchain-Based Internet of Things Applications in Manufacturing Industry","volume":"191","author":"Pal","year":"2021","journal-title":"Proc. Comp. Sci."},{"key":"ref_38","first-page":"191","article-title":"STORE: Security threat oriented requirements engineering methodology","volume":"34","author":"Ansari","year":"2022","journal-title":"J. King Saud Univ. -Comput. Inf. Sci."},{"key":"ref_39","first-page":"1","article-title":"A fuzzy TOPSIS based analysis toward selection of effective security requirements engineering approach for trustworthy healthcare software development","volume":"20","author":"Ansari","year":"2020","journal-title":"BMC Med. Inf. and Dec. Mak."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Northern, B., Burks, T., Hatcher, M., Rogers, M., and Ulybyshev, D. (2021). VERCASM-CPS: Vulnerability Analysis and Cyber Risk Assessment for Cyber-Physical Systems. Information, 12.","DOI":"10.3390\/info12100408"},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"31435","DOI":"10.1007\/s11042-021-10827-x","article-title":"Towards an optimized security approach to IoT devices with confidential healthcare data exchange","volume":"80","author":"Andreas","year":"2021","journal-title":"Multimed. Tools Appl."}],"container-title":["Software"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2674-113X\/1\/4\/19\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T01:04:50Z","timestamp":1760144690000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2674-113X\/1\/4\/19"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,10,28]]},"references-count":41,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2022,12]]}},"alternative-id":["software1040019"],"URL":"https:\/\/doi.org\/10.3390\/software1040019","relation":{},"ISSN":["2674-113X"],"issn-type":[{"value":"2674-113X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,10,28]]}}}