The Effects of Required Security on Software Development Effort

Abstract

Problem: Developers are increasingly adopting security practices in software projects in response to cyber threats. Despite the additional effort required to perform those practices, current cost models either do not consider security as an input or were not properly validated with empirical data. Hypothesis: Increasing degrees of application of security practices and security features, motivated by security risks, lead to growing levels of added software development effort. Such an effort increase can be quantified through a parametric model that takes as input the usage degrees of security practices and requirements and outputs the additional software development effort. Contributions: The accurate prediction of secure software development effort will support the provision of a proper amount of resources to projects. We also expect that the quantification of the security effort will contribute to advance research on the cost-effectiveness of software security.