Adaptive Security Activities Selection Model Using Multi-Criteria Decision-Making Methods

Adaptive security activities are a list of recommended security activities to be integrated smoothly with the software development life cycle (SDLC) to produce a secure application software. Adaptive security activities are needed due to the emergence of factors and constraints which have been determined as one of the reasons for the underutilisation of security activities implementation, especially in the earlier phase of software development process. Security activities selection models were proposed to select and recommend security activities but the models were focused on certain factors or as a solution for specific constraints, and thus the recommended security activities were not adaptive. Consequently, an adaptive security activities selection (ASAS) model was proposed by combining the factors and constraints faced by the development


INTRODUCTION
Software development life cycle (SDLC) is a framework which describes activities performed throughout the development process and focuses completely on functionality and features. In terms of security, there is a need to implement security throughout the entire development process (Positive Technologies, 2017; MAMPU, 2016). Security-related activities are integrated with each phase of the existing development process to set up a secure SDLC (SSDLC) (Batcheller et al., 2017). Examples are integrating misuse cases in the requirement phase, threat modelling in the design phase, code review in the development phase and penetration testing in the testing phase. The purpose of performing any security activity is to increase the security posture of the SDLC artefact on which the activity is performed.
Organisations have published secure frameworks that integrate security activities in the SDLC as reference for organisations and developers who aim to reduce the number and severity of vulnerabilities in software, such as Cybersecurity Guidelines for SSDLC (CyberSecurity Malaysia, 2019), Microsoft Security Development Lifecycle (MS SDL) (Microsoft Corporation, 2010), Cigital Touchpoints (McGraw, 2006) and NIST Special Publication, SP 800-64, Revision 2 (Kissel et al., 2008). However, the implementation of security activities is influenced by many factors and constraints. Amongst these factors are security training and awareness, automated tool support, adequate development time and budget/cost (Kanniah & Mahrin, 2016). Meanwhile, constraints are lack of security knowledge (Assal & Chiasson, 2018; Deschene, 2016), lack of experience and skills (Stephens, 2017), limited budget (Assal & Chiasson, 2018), limited development timeline (Maher, 2020), insufficient human resource (Deschene, 2016), excessive workload (Assal & Chiasson, 2018), and lack of security tools (Stephens, 2017).
Previous studies showed that researchers had proposed security activities selection models by selecting the "best practices" of security activities from existing SSDLC frameworks to satisfy specific factors or as a solution for specific constraints faced by developers in selecting and recommending security activities. Factors such as cost, benefit, time, effort, and expertise were used by researchers as the main basis in ranking and selecting security activities for software development integration, either for the traditional or agile development process. For example, A. Sharma and Bawa (2020) used cost and benefit while Koc et al. (2019) used time and cost as the main factors to select and evaluate the security activities. Both A. Sharma and Bawa (2020) and Koc et al. (2019) used a survey for data collection to evaluate the listed security activities.
Several attempts have been made by using constraints in proposing frameworks to ease the integration and implementation of security activities. Mythily et al. (2019) proposed an Auto Secure Business Process (AutoSBP) system to automate security incorporation for security requirements in the design phase of existing software models as a way to reduce time and cost. To overcome the time-consuming constraints, Khamaiseh and Xu (2017) proposed a framework for constructing security test models that could automatically generate security tests. Hu et al. (2017) introduced a formal security model based on Z language to replace the manual verification of a security model due to heavy workload and reduce the cost of testing and maintenance. Dubey and Muthukrishnan (2016) proposed a platform that provided a uniform view of warnings from multiple static analysis tools as a solution for lack of immediate access to knowledge and guidance in performing static analysis. Bandi et al. (2019) proposed embedding secure programming concepts during the introductory programming courses due to lack of expertise in using secure programming practices.
So far, this model has been applied only in selecting the security activities that are limited to certain factors, such as cost, benefit, effectiveness and agility or as a solution for constraints such as the need for extra cost, time, effort, as well as lack of knowledge and expertise. Therefore, the selected security activities or solutions are limited to certain factors or constraints and force developers to refer to other models to find suitable security activities for other factors or constraints. Consequently, an adaptive security activities selection model (ASAS) is proposed by combining the factors and constraints simultaneously in recommending security activities. A flexible model is needed to measure, select, rank and recommend security activities by considering the diverse developers' requirements that consist of various factors, constraints and evolving conditions simultaneously to meet the developer's requirements. The recommended security activities must be adaptive, to change to suit different conditions (Cambridge University Press, 2020) so that the recommended security activities can be implemented to produce a secure software.
Reference ideal method (RIM) is one of the multi-criteria decision-making (MCDM) methods which measures, evaluates, and ranks the security activities based on constraints (Cables et al., 2016). Additionally, it does not eliminate security activities that do not meet the constraints. Due to these advantages, RIM has been selected to measure the distance between alternatives (which refers to the security activities) and the value of constraints determined by the developers, as well as to classify whether the security activities satisfy or violate the constraints. Then, the security activities are ranked according to criteria prioritisation through the analytic network process (ANP). The proposed model was used in a case study participated by four in-house web application development teams in the Malaysian public sector. The result showed that RIM was able to recommend adaptive security activities for the requirement and design phase by taking into account the security activities that did not meet the value of constraints that have been set by the development teams.

RELATED WORK
Multi-criteria decision-making (MCDM) is a very important branch of decision-making theory. Over the past few decades, a number of MCDM methods were developed to deal with the measurement of tangible/intangible conflicting criteria and measurement of the decision alternatives with respect to each criterion (Saaty & Ergu, 2015). MCDM is referred to as a method used for scoring or ranking a finite number of alternatives by considering multiple conflicting criteria attached to the alternatives (Abdullah et al., 2018). MCDM is defined as a procedure to assess real-world circumstances based on various qualitative/quantitative criteria in certain/uncertain/risky environments so that an appropriate course of action/choice/strategy/policy amongst several available options could be obtained (Zavadskas et al., 2014).
Preference ranking organization method for enrichment evaluations (PROMETHEE) V and V2 are two MCDM methods that evaluate constraints in decision-making. PROMETHEE V, an extension of PROMETHEE I and PROMETHEE II, is used to re-evaluate the ranked alternatives by PROMETHEE I and II with the constraint to obtain compromised solutions (Rangel et al., 2015) by using integer linear programming (IP) (Fontana & Morais, 2011). PROMETHEE V2, an extension to PROMETHEE V, was proposed by Mavrotas and Rozakis (2009) to give more degrees of freedom in the decision-making process. PROMETHEE V2 uses information from PROMETHEE I and bi-objective IP model instead of the single IP model used in PROMETHEE V. It is applied to evaluate the constraints and generate a Pareto optimal solution that categorises the alternatives as a green set (selected alternatives), red set (rejected alternatives) and grey set (subjected to subsequent decision phase). The Decision Maker (DM) is given alternatives in the green and grey set as a final decision. However, both PROMETHEE V and V2 evaluate the constraints after comparison of each alternative is done by eliminating the variable/value that violates the constraints. Ideally, alternatives that do not meet the constraints should also be considered.
RIM is a new MCDM method proposed by Cables et al. (2016) to rank security activities with the value of constraints. RIM is based on the method to obtain alternatives based accordingly on the maximum value and/or minimum value to obtain the alternatives that are nearest to the Positive Ideal Solution (PIS) and as far as possible from the Negative Ideal Solution (NIS). However, one or several criteria may not need to have the maximum or minimum value. Therefore, RIM approaches enable users to evaluate alternatives without the need for ideal values of the criteria to be maximums (PIS) or minimums (NIS), but the values can be a value or any set of values between the minimum and maximum values (Cables et al., 2016). The integration of AHP, RIM, and Fuzzy RIM (FRIM) was used in military training aircraft selection, whereby the flight instructors defined the value of constraints for each criterion (Sánchez-Lozano & Rodríguez, 2020). Meanwhile, the AHP-RIM combination was used in web service selection whereby users were required to give the value of constraints for each criterion (Serrai et al., 2017). FRIM and RIM were used to evaluate alternatives with the value of constraints and rank the alternatives based on weight determined using AHP.

METHODOLOGY
The proposed model comprised adoption of ANP and RIM to proactively recommend adaptive security activities in the SDLC phases based on the value of constraints provided by the development teams. ANP was used to prioritise and weigh the criteria while the RIM was used to rank and recommend the adaptive security activities by measuring and evaluating the security activities with value of constraints provided by the development team for each conflicting criterion. Then, the weighted criteria were applied to rank the violated security activities. The top-ranked security activities were recommended as the best solutions. The details were elaborated on in the next section.

ANP
The ANP is one of the most complex MCDM methods, but on the other hand, it is a method that takes into account the most data about decision-making problems as compared to other MCDM methods (Kadoić, 2018). The ANP is a generalisation of analytic hierarchy process (AHP) by considering the dependence between elements of the hierarchy. Priorities are established in the same way as in the AHP by using pairwise comparisons and judgment of DM; however, it calculates weight more precisely. Many decision problems cannot be structured hierarchically because they involve the interaction and dependence of higher-level elements in a hierarchy on lower-level elements. Therefore, ANP is represented by a network rather than a hierarchy (Saaty, 2006). The matrix manipulation proposed by Saaty and Takizawa (1986) was selected due to its simplification. DM was required to identify the degree of importance for each criterion through the pairwise comparison matrix of criteria based on Table 1. The consistency ratio (CR) was used to measure the consistency of DM judgement in performing the pairwise comparison for each criterion. To accept the judgement, CR value must be less than 0.10. However, if the CR value is more than 0.10, the judgement has to be repeated until the value is acceptable.
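The pairwise comparison and CR check described above, as an added Python example that is not the authors' code. It derives weights from a single reciprocal comparison matrix by the principal-eigenvector method and divides the consistency index by Saaty's published random index values; the ANP interdependence step is not shown, and the judgements are constructed.

```python
# Saaty's random consistency index, keyed by matrix order n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def build_matrix(criteria, judgements):
    """Reciprocal pairwise matrix from one judgement per pair (Saaty 1-9 scale).

    judgements[(a, b)] = v means "a is v times as important as b";
    a value below 1 (down to 1/9) means b dominates a.
    """
    n = len(criteria)
    idx = {c: i for i, c in enumerate(criteria)}
    m = [[1.0] * n for _ in range(n)]
    seen = set()
    for (a, b), v in judgements.items():
        if a == b or not (1 / 9 <= v <= 9):
            raise ValueError(f"bad judgement {a} vs {b}: {v}")
        i, j = idx[a], idx[b]
        m[i][j], m[j][i] = float(v), 1.0 / v
        seen.add(frozenset((a, b)))
    if len(seen) != n * (n - 1) // 2:
        raise ValueError("every pair of criteria needs exactly one judgement")
    return m


def priorities(criteria, judgements, iterations=200):
    """Return (weights, CR); weights are the normalised principal eigenvector."""
    m = build_matrix(criteria, judgements)
    n = len(criteria)
    w = [1.0 / n] * n
    for _ in range(iterations):                      # power iteration
        nxt = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(nxt)
        w = [v / total for v in nxt]
    aw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0   # consistency index
    ri = RANDOM_INDEX[n]
    cr = ci / ri if ri else 0.0                          # consistency ratio
    return dict(zip(criteria, w)), cr


def accept(cr, threshold=0.10):
    """Judgements are kept only when CR is below 0.10; otherwise they are redone."""
    return cr < threshold


# Constructed judgements over three of the study's criteria.
CRITERIA = ["ESK", "TW", "DT"]
FIRST_ATTEMPT = {("ESK", "TW"): 9, ("TW", "DT"): 9, ("ESK", "DT"): 1 / 9}  # circular
REVISED = {("ESK", "TW"): 3, ("ESK", "DT"): 5, ("TW", "DT"): 2}

if __name__ == "__main__":
    for label, judgements in (("first attempt", FIRST_ATTEMPT), ("revised", REVISED)):
        weights, cr = priorities(CRITERIA, judgements)
        shown = {k: round(v, 3) for k, v in weights.items()}
        print(f"{label}: CR={cr:.3f} accepted={accept(cr)} weights={shown}")
```

The first attempt says ESK dominates TW, TW dominates DT, and DT dominates ESK, so its CR is far above 0.10 and the comparison has to be repeated.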

RIM
RIM measures the distance of security activities from the value of constraints known as reference ideal (RI). If the evaluated security activities violate the constraints, that is, do not meet the RI, the function value will be less than 1. The further the value is from 1, the farther the activity is from the RI; it will be ranked at the very bottom, but not eliminated. The traditional MCDM ranking methods, such as TOPSIS, VIKOR, and SAW are then used to rank the security activities that satisfy the value of constraints. The steps are as follows:

STEP 1: DEFINE THE WORK CONTEXT.
The range, valuation matrix X, reference ideal (RI), and weight are defined. The SDLC phase that is given attention is the requirement and design phase; therefore, the security activities selected are from both phases.

RANGE
Range denotes "any interval, labels set, or a simple set of values that belongs to domain D" (Cables et al., 2016). In this study, range refers to the minimum and maximum values for each criterion. Those criteria were: The range for DTS, DT, Sw, and ST was derived from analysis of the questionnaire distributed to 201 officers, which consisted of the Information Technology (IT) Officer and Assistant Information Technology (IT) Officer who were responsible or involved in managing and developing the in-house web applications in the Malaysian public sector. A total of 102 questionnaires were returned, which reflected a 50.7% response rate. However, only 56 (54.9%) of the questionnaires were completed responses, while 46 (45.1%) were incomplete.
Table 2 shows the range for DTS, DT, Sw, ST, TW, and ESK. DTS denoted the number of developers involved, which comprised the IT Officer and Assistant IT Officer. DT refers to timeline given for the requirement and design phase in the software development process. BC is the budget/cost allocated for Sw and ST. The range for DTS, DT, and BC was based on the minimum and maximum values given by respondents. The range for TW and ESK was not derived from the questionnaire. TW refers to whether the listed security activities will provide an additional workload to developers or not. Therefore, the range of TW was set to either 'No' or 'Yes'. ESK refers to the level of experience, skill, and knowledge needed to perform the listed security activities and it was based on the competencies proficiency scale, whereby 1-Basic, 2-Novice, 3-Intermediate, 4-Advanced, and 5-Expert (National Institute of Health, n.d.).

VALUATION MATRIX X
The valuation matrix X refers to the value of each alternative in correspondence with the defined criteria (Cables et al., 2016). In this study, valuation matrix X represented the minimum requirement needed to perform the security activities for each criterion. The security activities are listed in Table 3. The valuation matrix X was based on the score list given to five security experts and three practitioners in web application development in the Malaysian public and private sectors. They were required to provide the minimum requirement to perform any of the listed security activities for each criterion based on their experience, skill, and knowledge. They were also welcome to suggest the security activities that they have implemented in their agencies. Four security activities from the requirement phases were eliminated due to no responses given through the score list. Those security activities were: create quality gates/bug bars, security and privacy risk assessment, data classification, and risk management.

REFERENCE IDEAL (RI)
Reference Ideal (RI) refers to "an interval, labels set, or simple values that represent the maximum importance or relevance in a given range, which can be any set between the minimum and maximum values or can be a point" (Cables et al., 2016).The RI was used as a reference point in measuring and evaluating each alternative.In this study, the RI was the value of constraints and represented the limitation faced by the in-house development team for each criterion and the provided value must be within range.

WEIGHT
A pairwise comparison matrix of criteria is used to determine the weight and normalise the weight of criteria, W. The pairwise comparisons are done in terms of which criterion dominates the other. The DM responds to questions such as "between ESK and TW, which one was more important in implementing security; and by how much?" The scale used for pairwise comparison is the scale by Saaty (2006), as shown in Table 1. The judgment consistency is checked by dividing the consistency index (CI) by the appropriate value in Table 5.
Valuation matrix X normalisation calculates the value of function f. It measures the distance between the listed security activities and the RI. In this study, if the value of valuation matrix X was less or equal to the RI, the value of function f was set to 1. The function of matrix X normalisation for ESK, DT, DTS, and BC are shown below.
If the valuation matrix where: dmin(x,[C,D]) is distance of valuation matrix X to RI; calculated as follows:

dmin(x,[C,D]) = min(|x-C|,|x-D|)
The selection of function f relies on the x value:
• The first function is selected if the x value is in the values of s, where x ∈ [C, D].
• The second function is applied if the value of x is lower than the value of s, which is x ∈ [A, C].
• If the value of x exceeds the value of s, which is x ∈ [D, B], the third function is selected.
• Turning to this study, if value of x was lower than the value of RI, and x ∈ [A, C], it signified that the evaluated alternative had addressed the constraint and value of function f = 1.
If the value of function f from (1) is 1, it signifies that the evaluated security activity satisfies the RI, which is x ∈ [C, D]. If the evaluated security activity violates the constraints, the value of function f is less than 1. The smaller the value of f, the more distant the security activity is from the RI. If the value of function f = 0, it means the evaluated security activity fully violates the RI. The normalisation for TW was altered by adopting the truth table for NAND as shown in Table 6 below. In this table, the value of "0" represents "No" while the value of "1" represents "Yes".
The function for TW is: with D = B where: The valuation matrix X normalisation for TW follows Function

STEP 4: DETERMINE THE VARIATION TO THE NORMALISED RI FOR EACH SECURITY ACTIVITY
The variation and the index to the normalised RI for each security activity, Ii+ and Ii−, are calculated by using the following equations.

STEP 5: RELATIVE INDEX CALCULATION FOR EACH SECURITY ACTIVITY
Then, the relative index for each security activity was calculated by using the equation below. (4)
where 0 < Ri < 1, i = 1, 2, …, m

STEP 6: RANK THE SECURITY ACTIVITIES.
Security activities were ranked in descending order based on Ri value. Top-ranked security activities reflect the best solutions.
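The six RIM steps above, as an added Python example that is not the authors' code. It uses the RIM normalisation and distance indices as published by Cables et al. (2016), the rule stated above that a requirement at or below the team's RI scores f = 1, and a NAND for TW whose two inputs are assumed to be "activity adds workload" and "team already overloaded". All ranges, weights, RI and activity values are constructed, and since equations (1) to (4) did not survive on this page the output does not reproduce Tables 9 to 11.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Criterion:
    name: str
    low: float              # A, lower end of the range
    high: float             # B, upper end of the range
    weight: float           # W, e.g. taken from the ANP step
    boolean: bool = False   # True for TW (No/Yes)


def d_min(x, c, d):
    """Distance from x to the reference ideal interval [C, D]."""
    return min(abs(x - c), abs(x - d))


def normalise(x, crit, ri):
    """Step 2: f = 1 when the activity fits the constraint, below 1 when it violates it."""
    if crit.boolean:
        # NAND: only "adds workload" AND "team overloaded" gives 0 (assumed inputs).
        return 0.0 if (x and ri) else 1.0
    if not (crit.low <= x <= crit.high and crit.low <= ri <= crit.high):
        raise ValueError(f"{crit.name}: value or RI outside the range")
    if x <= ri:
        return 1.0          # requirement at or below what the team has
    # x lies in (D, B] with C = D = ri: third branch of the RIM function.
    return 1.0 - d_min(x, ri, ri) / abs(ri - crit.high)


def rim_rank(criteria, ri, activities):
    """Steps 3 to 6: weight Y, compute I+, I- and R, then rank."""
    total = sum(c.weight for c in criteria)
    w = [c.weight / total for c in criteria]
    rows = []
    for code, x in activities.items():
        y = [normalise(x[c.name], c, ri[c.name]) for c in criteria]
        yw = [yi * wi for yi, wi in zip(y, w)]                      # Y'
        i_plus = sqrt(sum((v - wi) ** 2 for v, wi in zip(yw, w)))   # gap to the RI
        i_minus = sqrt(sum(v ** 2 for v in yw))                     # gap to zero
        rows.append({
            "activity": code,
            "R": i_minus / (i_plus + i_minus),
            "violated": [c.name for c, yi in zip(criteria, y) if yi < 1.0],
        })
    # Descending R; equal R falls back to the activity code, as in the case study.
    return sorted(rows, key=lambda r: (-r["R"], r["activity"]))


# Constructed sample data (not the paper's Tables 2, 4, 7 or 8).
CRITERIA = [
    Criterion("ESK", 1, 5, 0.40),
    Criterion("TW", 0, 1, 0.20, boolean=True),
    Criterion("DTS", 1, 10, 0.10),
    Criterion("DT", 1, 24, 0.10),
    Criterion("Sw", 0, 50000, 0.10),
    Criterion("ST", 0, 20000, 0.10),
]
# What the team has: skill level, overloaded?, developers, months, budgets.
TEAM_RI = {"ESK": 3, "TW": True, "DTS": 3, "DT": 6, "Sw": 0, "ST": 0}
# Minimum each activity needs.
ACTIVITIES = {
    "A1": {"ESK": 3, "TW": False, "DTS": 2, "DT": 1, "Sw": 0, "ST": 0},
    "A2": {"ESK": 4, "TW": True, "DTS": 2, "DT": 2, "Sw": 0, "ST": 5000},
    "A3": {"ESK": 4, "TW": False, "DTS": 2, "DT": 2, "Sw": 0, "ST": 0},
}

if __name__ == "__main__":
    for row in rim_rank(CRITERIA, TEAM_RI, ACTIVITIES):
        print(f'{row["activity"]}  R={row["R"]:.4f}  violated={row["violated"]}')
```

An activity with R = 1 meets every constraint; for the others the `violated` list names the criteria the team would have to improve before adopting it.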

CASE STUDY
The model was validated by four software development teams from selected Malaysian public sector agencies: Team 1, Team 2, Team 3 and Team 4. Each team was represented by an IT Officer and Assistant IT Officer, except for Team 3 which only consisted of two IT Officers. The IT Officer for Team 1 and Team 2 was the Project Manager (PM) as well as the system analyst, while the Assistant IT Officer was the programmer. As for Team 3, one IT Officer acted as the PM, while the other IT Officer acted as the system analyst and programmer. Team 4 had two IT Officers who were the PM and system analyst, including an Assistant IT Officer as the programmer. They had 5 to 15 years of in-house experience in web application development. The teams were given a score list to prioritise and weight the criteria and a questionnaire to fill in the RI which represented the value of constraints for each criterion. Then, the RI gathered was used to measure, evaluate, and rank security activities. Table 7 shows the RI gathered from the development teams.

TABLE 7. Reference ideal for TW, DTS, DT, Sw, ST, and ESK

Based on the above table, all development teams, except for Team 1, suffered from excessive workloads, for example, managing organisational events, tender documentation, as internal auditor, and multimedia production. The DT was less than a year and developed by a maximum of three team members. Team 2 and Team 3 had no budget allocation for Sw and ST. All teams had different levels of ESK competency for each listed security activity.

WEIGHT DETERMINATION BY USING ANP
Table 8 shows the prioritisation and weight for each criterion made by each team. All CR values were less than 0.01. This implied consistency of weighted criteria concluded by the development teams. The criteria rank was set by weight in descending order. These ranks represented the degree of importance of the criteria that will affect the evaluation and selection of security activities by RIM.

TABLE 8. Interdependent weight of criteria, W, for each team
Notes: R=Rank, W=Weight

RECOMMENDATION OF ADAPTIVE SECURITY ACTIVITIES BY USING RIM
Step 1: In order to execute the normalisation process, each criterion should have an associated domain, D, belonging to a universe of discourse, and the following items have been identified for each criterion:
• Range as defined in Table 1.
• Valuation matrix X as defined in Table 4.
• Reference Ideal as defined in Table 7.
• Weight as determined from Table 8.
Step 2: Valuation matrix X normalisation is the process of calculating and measuring distance between security activity (valuation matrix X) and RI. Based on this value, the value of function f is calculated. The smaller the value of f, the more distant the security activity is from the RI, which represents the higher the constraint encountered. Table 9 shows the range, RI, valuation matrix X, and normalised valuation matrix Y comprising the value of f for risk analysis, A2 for Team 1 as an example. The value of f calculated for ESK was 66.67%. This was because the minimum requirement needed to perform the evaluated security activity was 4 (Advanced) but RI given by the team was 3 (Intermediate). Therefore, from this value, the team knew their hindrance to implement the security activity and they needed to increase the ESK by 33.33% to fulfil the minimum requirement. The f value for Sw and ST was 1. This showed that the team had no hindrance in BC to implement the security activity. As for TW, the f value was 1, which was based on the truth table for NAND as shown in Table 6. Table 10 lists the normalised valuation matrix Y which refers to the calculated value of f for each team.

TABLE 10. Normalised valuation matrix Y
In the requirement phase, all values of function f for ESK were less than 1, signifying that all the evaluated security activities had violated the constraints.The values of f for A4, A5, and A6 were the lowest, indicating that the constraint in implementing those security activities was higher than A1, A2, and A3.Both A2 and A3 had the highest and same values of function f for ESK as compared to the other criteria.However, the values of f of A2 for DTS and DT for Team 1 were lower than 1, as well as TW, DTS and DT for Team 2 and ST in addition to Team 3 and Team 4. Therefore, the chances of A3 being ranked at the top position for all teams appeared to be high.However, this depended on weight of criteria in evaluating and selecting the security activities by RIM.
In the design phase, B2 and B3 satisfied the RI for Team 1. Therefore, RIM cannot be used to rank the satisfied RI and other MCDM methods such as PROMETHEE could be used to rank those two security activities. B2 satisfied the RI for Team 3 and Team 4 and was automatically ranked at the top position of security activities.
The remaining security activities were evaluated and ranked in the next steps.
Step 3, Step 4 and Step 5: The weighted normalised matrix Y' was calculated by multiplying the weight from Table 8 with the normalised valuation matrix, Y, from Table 10. Then, the variation and index to normalised RI, Ii+ and Ii−, and relative index, Ri, for each security activity were calculated as shown in Table 11.

TABLE 11. The ranking pattern on security activities

Step 6: The security activities were ranked based on the Ri value for each team, as listed in Table 11. In the requirement phase, the Ri value for A3 was the highest. Therefore, A3 was ranked at the top position of security activities for all teams, followed by A2 and A1 for Team 1, Team 2 and Team 4. A1 was ranked in second place followed by A2 for Team 3. Since A4, A5, and A6 had the same Ri value, they were ranked in ascending order based on the security activities code. Therefore, the DM had an opportunity to select which security activities to apply.
In the design phase, B2 for all teams and B3 in addition to Team 1 met the RI.Therefore, B2 was ranked at the top for the design phase for Team 2, Team 3 and Team 4. As for Team 1, other MCDM methods, such as PROMETHEE, could be applied to rank the B2 and B3.The other security activities had violated the RI and were ranked based on the Ri value.
In Table 12, ESK contributed as a major constraint, and thus the developers ought to acquire adequate security training for the recommended top-ranked security activity for each phase. The TW was the second contributor for constraint violation, but not for Team 1 for all phases and B2 for all teams. Based on the questionnaire feedback, the developers were involved in other tasks which included managing organisational events, tender documentation, as the internal auditor and multimedia production. This situation might be addressed by reducing the developer's workload; hence, increasing the opportunity for applying the security. ST may pose a huge constraint for Team 3 and Team 4 for A2. DT, DTS and Sw were not listed as constraints for all security activities, except for A2.

TABLE 12. Security activities ranking
Notes: R = Rank, C = Constraint

Table 13 shows the weight for each criterion if the DM does not perform the criteria prioritisation, whereby the scale for each pairwise comparison is set to 1. ESK was ranked at the top position followed by Sw > ST > DTS > DT > TW. The ranked security activities based on Ri value with and without criteria prioritisation are shown in Table 15. In the requirement phase, A3 remained the top-ranked security activity for all teams. A2 made a very significant change in ranking for Team 3 and Team 4. The position dropped from second to the last in rankings and it was taken by A1. This was because A2 had the most constraints as compared to the other security activities and in turn, led to a low Ri value. For other security activities, the value of Ri was high due to the following reasons:
• The weight for all criteria was almost similar, except for ESK.
• The constraints were only limited to ESK for Team 1. The constraints for Team 2, Team 3 and Team 4 were limited to ESK and TW. Therefore, the value of f for the other criteria was 1 since they met the RI. This in turn led to the high value of Ri because of the high value of Ii− and low value of Ii+.
Due to the changes in ranking for A2, the ranking of other security activities for Team 3 and Team 4 changed as well. The security activity ranking for the design phase remained the same.

Notes: W=With, WO=Without

CONCLUSION
This study highlights the need for security activities evaluation with constraints in selecting and recommending adaptive security activities throughout the software development process. This is because the constraints are always associated as a hindrance to perform security activities. Therefore, the proposed ASAS model was used to calculate and measure the distance of security activities (valuation matrix, X) to the value of constraints (RI). The closer the distance, the closer the security activity is to meeting the constraint, and it can be considered by the team for deployment. The case study showed that the model was able to recommend adaptive security activities that could be changed to suit different constraints faced by the development teams. The result revealed that ESK emerged as a major obstacle in evaluating the security activities at both the requirement and design phases. Therefore, adequate security training is required, which poses a constraint to Team 3 and Team 4 due to limitation of budget allocation. Besides, TW also needs to be taken seriously as it impedes the selection of security activities. The evaluation and ranking of security activities are affected by the weight of criteria. Therefore, the team should make the right decision in determining the criteria prioritisation so that the recommended adaptive security activities can be embedded in developing a secure web application by considering all the constraints during the decision-making process.
and Bawa (2020) used cost and benefit while Koc et al. (2019) used time and cost as the main factors to select and evaluate the security activities. Both A. Sharma and Bawa (2020) and Koc et al. (2019) used a survey for data collection to evaluate the listed security activities.

(2). The evaluated security activities violated the RI if x ∈ [C,D], where value of D = B.

STEP 3: OBTAIN THE WEIGHTED NORMALISED MATRIX Y'.
The value of Y' was obtained by multiplying the normalised valuation matrix Y determined from the value of function f, as presented in Step 2, with weight, W as shown on next page.

TABLE 1. The scale

TABLE 3. List of security activities

Table 4 shows the valuation matrix X based on the feedback from respondents. An additional security activity was incorporated, namely security use cases as prescribed by a security expert from CyberSecurity Malaysia. A competencies proficiency scale (1-Basic, 2-Novice, 3-Intermediate, 4-Advanced, and 5-Expert) from the National Institute of Health (n.d.) was used to set the minimum requirement needed to perform the listed security activities for ESK. The value of "No/Yes" for TW was used to show whether the security activity added additional workload to the developers. DTS denoted the minimum number of developers involved and comprised IT Officer and/or Assistant IT Officer. DT refers to the minimum timeline needed for each phase to perform the security activity. BC is for the minimum budget/cost in Malaysian Ringgit (MYR) needed to provide the software (Sw) (which refers to the tools/method/software used) and the security training (ST). Sw for Malaysian Public Sector Information Security Risk Assessment System (MyRAM) was provided by the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU) online and ST was organised by the respondent. Since most of the tools/methods/software involved were brainstorming, the respondents did not put any value on Sw and ST. The same was for the Microsoft threat modelling tools, which were also not given any value for Sw and ST.

TABLE 4. Valuation matrix X

TABLE 6. The truth table

TABLE 9. The range, RI, valuation matrix X and normalised valuation matrix Y for risk analysis, A2 for Team 1

TABLE 13. Interdependent weight of criteria, W

Table 14 shows the Ri value and ranking pattern for each security activity.

TABLE 14. The ranking pattern on security activities without criteria prioritisation