Adaptive Security Activities Selection Model Using Multi-Criteria Decision-Making Methods

Mazni Mohamed Jakeri
Mohd Fadzil Hassan
Aliza Sarlan
Amirudin Abdul Wahab

Abstract

Adaptive security activities are a set of recommended security activities that can be integrated smoothly into the software development life cycle (SDLC) to produce secure application software. They are needed because a range of factors and constraints has been identified as one of the reasons security activities are under-utilised, especially in the earlier phases of the software development process. Earlier security activities selection models were proposed to select and recommend security activities, but each focused on particular factors or addressed a specific constraint, so the recommended security activities were not adaptive. Consequently, an adaptive security activities selection (ASAS) model was proposed that combines the factors and constraints faced by the development team when selecting security activities. The model consists of two integrated multi-criteria decision-making (MCDM) methods, the Analytic Network Process (ANP) and the Reference Ideal Method (RIM). ANP is used to prioritise and weight the criteria, while RIM is used to measure and evaluate the security activities against the value of each constraint with respect to each criterion. To validate the model, a case study was performed on four in-house web application development teams in the Malaysian public sector. The proposed model was able to recommend security activities in the requirement and design phases based on the different constraints faced by each development team. The model is adaptive because of its flexibility and its ability to change and suit different evolving conditions when recommending security activities.
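The RIM step of the ASAS model, as an added illustration that is not the paper's own code or data: the criteria (cost, time, expertise), their value ranges, reference ideal intervals, ANP weights and the candidate activities below are all constructed assumptions, since the abstract does not state them. The block scores each activity against the team's constraint values and ranks by the RIM relative index.

```python
import math

# Constructed criteria (assumed, not from the paper): each maps to
# (value range [A, B], reference ideal interval [C, D], ANP weight w).
# The weights stand in for what ANP would produce for one team.
CRITERIA = {
    "cost":      ((0, 10), (0, 3), 0.5),   # person-days; cheaper is ideal
    "time":      ((0, 10), (0, 4), 0.3),   # calendar days to complete
    "expertise": ((1, 5),  (1, 2), 0.2),   # proficiency level needed, 1..5
}

# Constructed requirement/design-phase activities with their constraint values.
ACTIVITIES = {
    "security requirements": {"cost": 2, "time": 3, "expertise": 2},
    "threat modelling":      {"cost": 6, "time": 5, "expertise": 4},
    "misuse cases":          {"cost": 3, "time": 4, "expertise": 3},
    "architecture review":   {"cost": 8, "time": 7, "expertise": 5},
}

def rim_normalise(x, rng, ideal):
    """RIM normalisation (Cables et al., 2016): 1.0 inside the reference
    ideal interval, falling linearly to 0 at the edge of the value range."""
    a, b = rng
    c, d = ideal
    if c <= x <= d:
        return 1.0
    dmin = min(abs(x - c), abs(x - d))      # distance to the nearer ideal bound
    if a <= x < c and a != c:
        return 1.0 - dmin / abs(a - c)
    if d < x <= b and d != b:
        return 1.0 - dmin / abs(d - b)
    raise ValueError(f"{x} lies outside the criterion range {rng}")

def rim_rank(activities, criteria):
    """Rank activities by the RIM relative index R = I- / (I+ + I-)."""
    scores = {}
    for name, vals in activities.items():
        i_plus = i_minus = 0.0
        for crit, (rng, ideal, w) in criteria.items():
            y = rim_normalise(vals[crit], rng, ideal) * w   # weighted score
            i_plus += (y - w) ** 2    # squared distance to the weighted ideal
            i_minus += y ** 2         # squared distance to the anti-ideal
        i_plus, i_minus = math.sqrt(i_plus), math.sqrt(i_minus)
        scores[name] = i_minus / (i_plus + i_minus)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for activity, r in rim_rank(ACTIVITIES, CRITERIA):
        print(f"{activity:24s} R = {r:.3f}")
```

Changing a team's reference ideal intervals or weights (say, a team with more security expertise available) re-ranks the same activity list, which is the adaptivity the abstract attributes to the model.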

Article Details

How to Cite
Mazni Mohamed Jakeri, Mohd Fadzil Hassan, Aliza Sarlan, & Amirudin Abdul Wahab. (2024). Adaptive Security Activities Selection Model Using Multi-Criteria Decision-Making Methods. Journal of Advanced Zoology, 45(S1), 65–78. https://doi.org/10.17762/jaz.v45iS1.3404
Author Biographies

Mazni Mohamed Jakeri

Department of Computer and Information Sciences, Universiti Teknologi PETRONAS, 32610 Seri Iskandar, Perak Darul Ridzuan, Malaysia.

Mohd Fadzil Hassan

Institute of Autonomous Systems, Universiti Teknologi PETRONAS, 32610 Seri Iskandar, Perak Darul Ridzuan, Malaysia.

Aliza Sarlan

Centre for Foundation Studies, Universiti Teknologi PETRONAS, 32610 Seri Iskandar, Perak Darul Ridzuan, Malaysia.

Amirudin Abdul Wahab

CyberSecurity Malaysia, Level 7 Tower 1, Menara Cyber Axis, Jalan Impact, 63000 Cyberjaya, Selangor Darul Ehsan, Malaysia.
