A Novel Software Trustworthiness Evaluation Strategy via Relationships between Criteria

: Software trustworthiness evaluation is regarded as a multi-criteria decision-making problem. However, most current software trustworthiness evaluation methods do not consider the relationships between criteria. In this paper, we present a software trustworthiness evaluation strategy via the relationships between criteria. Because the trustworthy attribute degree is evaluated by a criterion, a trustworthy attribute measurement method based on fuzzy theory is ﬁrst proposed, and the relationships between criteria are described by cooperative and conﬂicting degrees between criteria. Then, a measure formula for the symmetric substitutivity between criteria is proposed, and the cooperative degree between criteria is taken as the approximation of the symmetric substitutiv-ity between criteria. With the help of the symmetric substitutivity between criteria, the software trustworthiness measurement model obtained by axiomatic approaches is applied to aggregate the degree to which each optional software product meets each objective. Finally, the candidate software products are sorted according to the trustworthiness aggregation results, and the optimal product is obtained from the alternative software products on the basis of the sorting results. The theoretical rationality of the measurement model is validated by proving that it satisﬁes the desirable properties of software trustworthiness measures, and its effectiveness is demonstrated through a case study.


Introduction
Many concepts are related to software credibility, such as software dependability, software trustworthiness, and software quality. Software dependability refers to the ability of software to avoid the frequency and severity of service failure by exceeding the acceptable range [1], with a main focus on the acceptable service failure frequency and service failure severity of specific failure classes in a given use environment. Software quality indicates the ability of software to meet explicit or implicit requirements when used under specified conditions [2], with a main focus on system quality, taking into account the quality in use, usually only with respect to traditional quality attributes, such as correctness, reliability and safety, rarely considering the synthesis of different quality attributes. For example, the quality model defined in ISO/IEC 25010 only considers the measurement of each attribute rather than performing an overall evaluation of software quality according to these measures [2]. Although the McCall quality model [3] and Boehm quality model [4] consider the synthesis of each quality attribute, they only combine each quality attribute value as a measure of quality through a simple weighted average. The software quality models mentioned were introduced at different times and are the products of the evolution of such models. For example, ISO/IEC 25010 is the most recent standardized model, which was introduced in 2010, whereas the McCall model was proposed in 1977, and the Boehm model was proposed in 1978. This evolution continues at present in a slightly different and more specialized direction. Software trustworthiness refers to the extent which the dynamic behavior and results of software systems meet people's expectations and provide continuous services when disturbed [5]. In addition to traditional quality attributes, the concept of software trustworthiness also attaches importance to new software attributes, such as survivability and controllability, as well as the synthesis of these attributes. Furthermore, software trustworthiness not only considers the objective quality of software but also the recognition of this objective quality in people's minds. In this paper, we use the above definition of software trustworthiness.
Software trustworthiness is a new concept developed on the basis of many attributes, such as correctness, reliability, security, timeliness, integrity, availability, predictability, survivability, controllability, etc. [5]. It can be characterized by many attributes [6][7][8][9], which are referred to as trustworthy attributes. Because we deal only with software trustworthiness herein, the trustworthy attributes considered in this paper are only non-functional requirements related to software trustworthiness. Attribute-based measures of software trustworthiness typically translate the quantification problem of software trustworthiness into the selection of trustworthy attributes, measures of trustworthy attributes, and the aggregation of trustworthy attribute values [7]. There are three ways to choose trustworthy attributes. Given that different software has different trustworthy requirements, the first method dynamically constructs a software trustworthy attribute model. The second method is to establish the software trustworthy index system in advance. The third class integrates the first two methods. Some of the trustworthy attributes are provided up front, whereas others are provided by the user on demand. Most existing trustworthy attribute measurement methods first decompose high-level attributes into low-level sub-attributes that are easy to measure, with sub-attribute values then synthesized using mathematical tools, such as regression analysis, principal component analysis, and factor analysis [7,10]. The essence of this method is to predict the trustworthiness of attributes according to the internal attribute values. Typical models for the synthesis of trustworthy attribute values include machine learning [11][12][13][14][15], axiomatic approaches [16][17][18][19][20], uncertainty theory [21][22][23][24], system testing [25], the social-to-software framework [26], user feedback [27], heuristic-systematic processing [28], the development framework [29], crowd wisdom [30], etc.
The judgment degrees of trustworthy attributes are assessed by each criterion. Therefore, software trustworthiness evaluation can be regarded as a multi-criteria decisionmaking (MCDM) problem that consists of a series of criteria. The number of software trustworthy attributes is equal to the number of criteria used to evaluate software trustworthiness. Most existing approaches in MCDM are composed of two phases: (1) the aggregation of the judgements with respect to all criteria and per decision alternative and (2) the rank ordering of the decision alternatives according to the aggregated judgments. In practical decision-making problems, the criteria are often interrelated. For example, high performance and low power consumption are a pair of contradictory criteria. However, most approaches do not refer to the aspect of an explicit modeling of relationships between criteria, which makes the optimal solution obtained through MCDM discounted in use.
In this paper, a software trustworthiness evaluation strategy via the relationships between criteria is proposed. First, a trustworthy attribute measurement method based on fuzzy theory is presented. Then, we refer to the method described in [31,32], and the quantitative relationships between criteria are described by cooperative and conflicting degrees between criteria. Thirdly, the symmetric substitutivity between criteria is formulated, and the cooperative degree between criteria is used as the approximation of the symmetric substitutivity between criteria. By means of symmetric substitutivity between criteria, the software trustworthiness measurement model established by axiomatic approaches is used to aggregate the trustworthy attribute degree. Finally, the candidate software products are sorted on the basis of the results of trustworthiness aggregation, and the optimal product is obtained from the alternative software products according to the sorting results.
There are three main contributions in this work: (1) A novel trustworthy attribute measurement method based on fuzzy theory is given, which can more reasonably convert the fuzzy decision about trustworthy attribute to the determined real number. (2) The formal definitions of the quantitative relationships between criteria and the symmetric substitutivity between criteria are proposed, and a link between these two definitions is established. (3) A software trustworthiness evaluation model via the relationships between criteria is presented, which can not only be applied for the ranking of candidate software on trustworthiness, but also for the trustworthiness measurement of candidate software. Meanwhile, we theoretically validate this model by proving that it complies with the properties introduced in [19], and empirically verify it through a case study.
The rest of this paper is organized as follows. Section 2 describes the related work. A trustworthy attribute measurement method based on fuzzy set is given in Section 3. Section 4 proposes a software trustworthiness evaluation strategy via relationships between criteria. A case study is introduced to show the effectiveness of the presented methods in Section 5. Discussion and limitations are presented in Section 6. The conclusions and future work come in the last section.

Related Work
In this section some typical software trustworthiness models are selected for a detailed introduction.
Machine learning is widely used to solve complex problems in engineering applications and scientific fields, and it is also utilized to evaluate the software trustworthiness. Yuan et al. propose a partition consistency measurement method for applying software trustworthiness measurement in dynamic behavior feature datasets [11]. The dynamic behavior feature datasets are generated while the software is running. This method compares the datasets with the static attribute feature datasets generated during software testing. Medeiros et al. provide a comprehensive experiment to investigate how to effectively use software metrics to distinguish vulnerable code units from non-vulnerable code units [12]. To conduct this, they use Random Forest, Extreme Boosting, Decision Tree, SVM Linear, and SVM Radial to extract vulnerability-related knowledge from software metrics collected from the source code of Mozilla Firefox, Linux Kernel, Apache HTTPd, Xen, and Glibc. Lv et al., present an automatic online assessment of trustworthiness of cyber-physical system [13]. An evaluation framework based on machine learning knowledge is established, and an online ranking algorithm is designed to realize online real-time analysis and evaluation. Xu et al. build a QoS prediction model. In this model, they combine neural networks with matrix factorization to perform non-linear collaborative filtering on the potential feature vectors of users and services [14]. They also have conducted numerous experiments in a large-scale real QoS datasets, and the experimental results demonstrate the effectiveness of their method. Tian et al. build a software trustworthiness evaluation model based on a behavior trajectory matrix [15]. Checkpoints are set in the software behavior trajectory, and binary code is introduced to represent the software behavior trajectory tree. The scene information about the checkpoint is obtained and applied to establish the behavior trajectory matrix, which is used to represent the behavior trajectory. The behavioral trajectory matrix is transformed into gray scale images to train a deep residual network to classify the software behavior.
To more rigorously measure software trustworthiness and theoretically verify the model, Tao et al. evaluate software trustworthiness using axiomatic methods, present the expected properties of software trustworthiness measures, and build a series of models that satisfy these properties [16][17][18][19][20].
There are other classic software trustworthiness measurement models. Muhammad [26]. They first introduce a generalized index loss to unify the identity evidence, basic standard or norms evidence, and ability evidence of trustworthiness results. Then different methods are proposed for the three parts of software trustworthiness. Xu establishes a data-driven trust measurement model on the basis of the perceptual sources [33]. Direct trust calculation is implemented by sensing the relationship between nodes' own data, and recommended trust calculation is realized by the relationship between neighboring nodes in the monitoring module. Deng et al. propose a software trustworthiness model based on evidence, which is called TDT [34]. The basic idea of building TDT is to distill the main characteristics into key components and continue distilling until the basic facts such as evidence are reached. TDT can be used as a communication means for different stakeholders to reach an agreement on the system attributes in the requirements analysis phase, and can be used for deductive reasoning to verify whether the system achieves credibility in the product verification phase. A real-time trust metric theory on the basis of the non-interference model is put forward by Zhang et al. [35]. In this theory, system calls are processed as atomic operations, and system call sequences are constructed as the actual behavior of the process. The theoretical expected behavior is calculated according to the mutual non-interference relationship between the corresponding security domains in the actual behavior. The trustworthiness of a process is evaluated by determining whether actual and theoretical expected behavior deviate. Wang et al. extract the evidence of software trustworthiness from the following aspects of process entity: behavior and product. They provide a software process trustworthiness model composed of 37 credibility principles, 182 process credibility evidence and 108 product credibility evidence, and they present a software process trustworthiness evaluation method based on this evidence [36,37].

Trustworthy Attribute Measurement Method Based on Fuzzy Set
Fuzzy set theory [38,39] provides a good idea for evaluation. Shi et al. apply the fuzzy set theory to evaluate the trustworthy attributes [40]. They first establish the mapping between the trustworthy attribute language variable and the triangular fuzzy number (TFN), then invite the evaluators to construct the fuzzy decision matrix, and finally measure the trustworthy attribute by defuzzification. This approach does not require measuring internal attributes and can model uncertainty or inherent imprecision of expert judgments. In this paper, a similar method is adopted to measure trustworthy attributes. Considering that the greater the software trustworthiness, the more difficult it is to improve the trustworthiness, and the higher the requirements for the trustworthy attribute value. The classification interval is unequal when constructing the mapping between the trustworthy attribute language variable and the triangular fuzzy number. The value interval increasing from the lowest level to the highest level is approximately reduced according to the gold ratio.
The trustworthy attribute is divided into five levels, namely, very low, low, middle, high and very high. The mapping relationship between trustworthy attribute level and TFN is shown in Table 1.  Given the set of possible alternatives A = {a 1 , a 2 , · · · a m }, the set of criteria C = {c 1 , c 2 , · · · c n } and l evaluators, each evaluator rates the trustworthy attribute with the TFNs given in Table 1, and obtains the fuzzy decision matrix D k as shown in the following: is a TFN and expresses the fuzzy judgment rating of alternative a i concerning the criterion c j given by k-th evaluator. Suppose that each evaluator has the same importance, then the final fuzzy decision matrix D can be determined, which is expressed as: In order to integrate the trustworthy attribute values with axiomatic approaches in the future, the fuzzy number is needed to convert to the determined real number through defuzzification technology. The graded mean integration representation method presented by Chen and Hsieh [41] is used in this paper. Denote the defuzzification value of e ij = (l ij , m ij , u ij ) as µ c j (a i ), and µ c j (a i ) is obtained by Equation (1).
is the degree to which the alternative a i meets criterion c j . Since 0 ≤ l ij , m ij , u ij ≤ 10, then it follows that 0 ≤ µ c j (a i ) ≤ 10.

Software Trustworthiness Evaluation Based on Relationships between Criteria
For a given alternative, intuitively speaking, the two criteria are contradictory if the increase (or decrease) in the satisfaction degree of one criterion will lead to the decrease (or increase) in the satisfaction degree of the other criterion. The two criteria promote each other if the increase (or decrease) in the satisfaction degree of one criterion will lead to the increase (or decrease) in the satisfaction degree of the other criterion. The two criteria are independent of each other if the change of the satisfaction degree of one criterion will not lead to the change of the satisfaction degree of the other criterion. On the basis of the above description, the formal definitions of conflicting, cooperative and irrelevant pairs are given, as shown in Definition 1. Before providing this definition, the notations used in this paper are first presented as follows: Denote the set of possible alternatives as A = {a 1 , a 2 , · · · a m } and the set of criteria as C = {c 1 , c 2 , · · · c n }. Suppose µ c j (a i ) is the degree to which the alternative a i meets criterion c j , which satisfies 0 ≤ µ c j (a i ) ≤ 10. Definition 1 (Conflicting, cooperative and irrelevant alternative pairs [31,32]).
Suppose that cand c are the two criteria, and A = {a 1 , a 2 , · · · a n } is a set of alternatives, ∀a i , a j ∈ A, i = j. A set of conflicting alternative pairs about c and c is defined as, Hence, for the two criteria c and c , the set of pairs of alternatives A P (c, c ) = (a i , a j ) ∀a i , a j ∈ A can be divided into three categories: conflicting, cooperative and irrelevant, and it is easy to obtain that Based on Definition 1, we present the conflicting and cooperative degrees between two criteria, as shown in Definition 2.

Definition 2 (Conflicting and cooperative degrees between two criteria).
Suppose that c and c are the two criteria, and A P (c, c ) = (a i , a j ) ∀a i , a j ∈ A is the set of pairs of alternatives. Let CF(c, c ) denote the set of conflicting pairs about c and c , and CP(c, c ) represent the set of cooperative pairs about c and c . The conflicting degree between the two criteria c and c , is defined as: The cooperative degree between the two criteria, cand c , is defined as: In the following, the set of criteria C = {c 1 , c 2 , · · · c n } is divided based on the cooperative degrees. Among all the criteria, the two criteria with the highest cooperative degree are selected as a group, and then the two criteria with the highest cooperative degree are selected from the remaining criteria as a group, and so on until the division is completed. Suppose n is an even number, and the division result is {c 1 , c 2 } as a group, {c 3 , c 4 } as a group, . . . , {c n−1 , c n } as a group. When n is odd, the division results are similar, narrowly making c n itself a group.
The symmetric substitutivity between criteria is used to describe the quantitative change relationships between two criteria when the total criterion remains unchanged and only these two criteria values are changed, which is defined in Definition 3.

Definition 3 (Symmetric substitutivity between criteria).
For a given alternative a, assume that c i and c j are the two criteria, µ c j (a) is the degree to which the alternative a meets criterion c j and T is a differentiable function about µ c j (a), the symmetric substitutivity between criteria c i and c j is defined as Equation (2). where Axiomatic approaches formalize the empirical understanding of software attributes through defining ideal metric properties. They can offer precise terms for the software attributes' quantification. They have been utilized to assess software trustworthiness [16][17][18][19][20]42]. In this paper, a simplified software trustworthiness metric model presented in [42] is applied to aggregate µ c j (a).
The simplified software trustworthiness metric model used in [41] is shown as Equation (3).
where (1) a is a possible alternative; (2) n is the number of criteria; (3) c j (1 ≤ j ≤ n) are the criteria; (4) µ c j (a) is the degree to which the alternative a satisfies criterion c j , such that 0 ≤ µ c j (a) ≤ 10; (5) α j represents the weight of criterion c j with 0 ≤ α j ≤ 1 and m ∑ j=1 α j = 1; (6) ρ i,i+1 (1 ≤ i ≤ n − 1) are parameters related to the symmetric substitutivity between the criteria c i and c i+1 ; (7) T is the software trustworthiness measure function of µ c 1 (a), . . . , µ c n (a). (2), the symmetric substitutivity between criteria c i and c j can be determined as follows:  Using the cooperative degree between criteria c i and c j as an approximation of the symmetric substitutivity between criteria c i and c j , we can determine

By Equation
It follows that Then the following software trustworthiness metric model based on relationships between criteria can be obtained.

Definition 5 (Software trustworthiness metric model based on relationships between criteria).
Software trustworthiness metric model based on relationships between criteria is defined as Equation (4). n is the number of criteria; 3.
µ c j (a) is the degree to which the alternative a satisfies criterion c j , such that 0 ≤ µ c j (a) ≤ 10;

5.
α j represents the weight of criterion c j with 0 ≤ α j ≤ 1 and m ∑ j=1 α j = 1; are cooperative degrees between criteria c i and c i+1 ; 7.
T is the software trustworthiness measure function of µ c 1 (a), . . . , µ c n (a).
We once presented the expected properties of software trustworthiness measure, including monotonicity, acceleration, sensitivity and substitutivity [16]. Here we prove that the software trustworthiness metric model based on relationships between criteria conforms to these four properties. For convenience, in the following of this paper, let Proposition 1. T satisfies monotonicity, i.e., ∂T ∂µ c i (a) ≥ 0,1 ≤ i ≤ n.

Proof of Proposition 1.
Since Therefore, T complies with monotonicity.

Proposition 2. Acceleration holds for T
Proof of Proposition 2. By calculating the second derivative of T with respect to each µ c i (a) (1 ≤ i ≤ n), we can obtain

Proposition 3. T meets sensitivity.
Proof of Proposition 3. By computing, it is easy to obtain that for 1 ≤ i ≤ n, Then we obtain the conclusion that T is sensitive to µ c i (a).

Proposition 4. T complies with substitutivity.
Proof of Proposition 4. Because this paper only focuses on the substitutivity of criteria within the same group, therefore only the substitutivity between criteria within the same group is calculated here.
Observe that for 1 ≤ i ≤ n − 1 Then the substitutivity between criteria c i and c i+1 which belong to the i-th group can be derived as The proposition follows immediately from what we have proved.
For the given set of possible alternatives A = {a 1 , a 2 , · · · , a m }, the set of criteria C = {c 1 , c 2 , · · · c n }, the set of the weights of the criteria {α 1 , α 2 , · · · , α n }, and the decision matrix about µ c j (a i ) (1 ≤ i ≤ m, 1 ≤ j ≤ n), CP(c i , c j ) are first calculated according to Definition 1 and cp(c i , c j ) are computed based on CP(c i , c j ) and Definition 2. Then, the criteria are grouped through cp(c i , c j ), the two criteria with the highest cooperative degree are grouped together, and then the two criteria with the highest cooperative degree of the remaining criteria are grouped together, and so on until the division is completed.
Assume that c i and c j are in the same group, then ρ ij = 1 cp(c i ,c j ) − 1. Considering that when cp(c i , c j ) = 1, the corresponding ρ ij is 0, and the contribution of µ c i (a), µ c j (a) to the trustworthiness of the candidate alternative a cannot be reflected, so simple preprocessing is performed. When cp(c i , c j ) = 1, the value of the corresponding ρ ij is set to 0.01. Finally, the metric model given in Definition 5 is used to evaluate each alternative in A, and the measurement results are arranged in descending order. The alternative corresponding to the first measurement result is the optimal alternative.
Without losing generality, assume that n is an even number. The algorithm for software trustworthiness evaluation based on relationships between criteria is given in Algorithm 1.

Algorithm 1
Algorithm for software trustworthiness evaluation based on relationships between criteria: for the given set of possible alternatives A = {a 1 , a 2 , · · · , a m }, the set of criteria C = {c 1 , c 2 , · · · c n }, the set of the weights of the criteria {α 1 , α 2 , · · · , α n }, and the decision matrix about µ c j (a i ) (1 ≤ i ≤ m, 1 ≤ j ≤ n), output the optimal alternative of A = {a 1 , a 2 , · · · , a m }.
Input: A = {a 1 , a 2 , · · · , a m }, C = {c 1 , c 2 , · · · c n }, {α 1 , α 2 , · · · , α n }, µ c j (a i ) (1 ≤ i ≤ m, 1 ≤ j ≤ n) Output: the optimal alternative of A = {a 1 , a 2 , · · · , a m } Proof of Theorem 1. Steps 2-4 are a for loop, and they are applied to calculate the set of cooperative alternative pairs according to Definition 1. The number of loops is |M|. Since |M| = n(n − 1)/2, the time complexity of Steps 2-4 is O(n 2 ). Steps 5-7 are also a for loop, which are used to compute the set of cooperative degrees based on the results of Steps 2-4 and Definition 2. The number of loops is also |M|. Therefore, the time complexity of Steps 5-7 is also O(n 2 ).
Steps 8-28 are a double nested loop, which are utilized to group the set of criteria C = {c 1 , c 2 , · · · c n } and compute ρ ij . The number of loops in first while loop is |M|.
Steps 10-14 are the first for loop in the second loop, and are used to find the maximum cooperative degree in the set cp(c i , c j ) (i, j) ∈ M , and the number of loops is |M|.  are the second for loop in the second loop, constructing the set composed of subscripts of maximum cooperative degree in the set cp(c i , c j ) (i, j) ∈ M , and the number of loops is also |M|. Step  Steps 30-35 are also a double nested loop, calculating the software trustworthiness measurement results {T(a 1 ), T(a 2 ), · · · , T(a m )}. The number of loops in the first loop is m, and in the second loop is n. Consequently, we infer that the time complexity of Steps 30-35 is O(mn). The software trustworthiness measurement results {T(a 1 ), T(a 2 ), · · · , T(a m )} are sorted in descending order using the quick sorting algorithm in Step 36, and it takes O(n log n).
In summary, we can obtain the time complexity of Algorithm 1 is O(n 4 + mn).

Case Study
With the development of enterprise informatization, Product Lifecycle Management (PLM) software is becoming more and more important to improve the informatization level and core competitiveness of enterprises. Reference [40] presents a software trustworthiness evaluation approach based on combination weights and improved TOPSIS methods, and this approach is applied to evaluate the candidate PLM software trustworthiness for an aircraft equipment manufacturer. The candidate PLM software set consists of three PLM software, and the criterion set is composed of functionality, learnability, operability, coexistence, maintainability and portability. In this section, the method proposed in this paper is used to evaluate this case. Denote the three candidate PLM software as a 1 , a 2 ,a 3 in turn, and functionality, learnability, operability, co-existence, maintainability, and portability as c 1 , c 2 , c 3 , c 4 , c 5 , c 6 . The combination weights of these six criteria α 1 , α 2 , α 3 , α 4 , α 5 , α 6 obtained through the combination weighting method established in [40] are given in Table 2. They are the weighted sum of the objective and subjective weights, where the objective weights are calculated by entropy weighting method and the subjective weights are determined by FAHP method. Four exports D 1 , D 2 , D 3 , D 4 are invited to give the fuzzy decision matrix about a 1 , a 2 ,a 3 [36], as given in Table 3.
Based on the mapping relationship between trustworthy attribute level and TFN defined in Table 1, the exports' fuzzy decision can be transferred to the corresponding fuzzy numbers, and the integrated fuzzy decision matrix using TFNs can be obtained, as presented in Table 4.  9.000) (9.000, 9.500, 9.750) (9.000, 9.500, 9.750) (8.750, 9.250, 9.625) a 3 (9.500, 10.000, 10, 00) (9.000, 9.500, 9.750 Through defuzzying the integrated decision matrix with Equation (1), the decision matrix about µ c j (a i ) can be established as demonstrated in Table 5, where each element in the matrix is a real number between 0 and 10. For any of the two criteria c i and c j (1 ≤ i < j ≤ 6), according to Definition 1 and Table 5, calculate the set of cooperative alternative pairs, and the calculation results are shown in Equation (5).
For any of the two criteria c i and c j (1 ≤ i < j ≤ 6), according to Definition 2 and the above calculation results, the cooperative degrees cp(c i , c j )(1 ≤ i < j ≤ 6) can be determined, as demonstrated in Table 6. It can be seen from Table 6 that the maximum value of cp is cp(c 4 , c 6 ), whose value is 1. Therefore, c 4 and c 6 are selected as the first group. In the remaining criterion, the maximum value of cp is cp(c 1 , c 5 ) = 0.7662, and c 1 and c 5 are chosen as the second group. Finally, c 2 and c 3 are taken as the third group. According to the grouping results, the weights in Table 2 and Definition 5, Equation (6) can be obtained. It should be noted that because cp(c 4 , c 6 ) = 1, ρ 46 is set to 0.01. Substituting the data in Table 5 into Equation (6), it follows that T(a 1 ) = 8.2505 T(a 2 ) = 9.0394 T(a 3 ) = 8.4248 Thus, among the three candidate PLM software, a 2 is the optimal software, and the result obtained is consistent with that in [40].

Discussion and Limitations
Software trustworthiness is a concept related to human cognition, and uncertainty theory can model human subjectivity well. Therefore, they are often used in software trustworthiness measurements. However, most of the existing methods use uncertainty theory to calculate the weight of trustworthy attributes. For example, references [21] and [22] both use fuzzy comprehensive evaluation methods to evaluate software trustworthiness, but they differ from the methods of selecting trustworthy attribute sets and computing the weights of trustworthy attributes. In reference [21], experts are invited to establish the trustworthy attribute set, and the weights of trustworthy attributes are computed based on the information entropy. In reference [22], the author's trustworthy attribute set is determined in advance, and the weights of trustworthy attributes are obtained by using rough set theory and expert opinion. Gao et al. present a new weight distribution method by combining fuzzy analytic hierarchy process with standard importance index correlation, and establish a component-based software trustworthiness measurement model according to the four component composition structures on the basis of their weight distribution method [23]. Shi et al. also provide a calculation method of combination weight based on fuzzy analytic hierarchy process and entropy [40].
The fuzzy set theory is adopted by Shi et al. to measure the trustworthy attributes [40]. The mapping between the trustworthy attribute language variable and the triangular fuzzy number is first built, then the evaluators are invited to establish the fuzzy decision matrix, and finally the trustworthy attribute is measured by defuzzification. In this paper, a similar method is applied to measure trustworthy attributes; however, a more reasonable mapping between the trustworthy attribute language variable and the triangular fuzzy number is given. When building this new mapping, it is taken into account that the greater the software trustworthiness, the more difficult it is to improve the trustworthiness, and the higher the requirement for trustworthy attribute values. Shi et al. present a method to utilize an improved TOPSIS based on vertical projection distance [43] to evaluate the software trustworthiness. The advantage of the improved TOPSIS is that the alternative closest to the positive idea solution is farthest from the negative ideal solution. However, the evaluation method given by Shi et al. can only be applied for ranking the candidate software on trustworthiness. The method presented in this paper can not only be used for the ranking of candidate software on trustworthiness, but can also be used for the trustworthiness measurement of candidate software.
It should be noted that the method presented in this paper can be used for software trustworthiness evaluation, but only when multiple candidate software products must exist. Furthermore, the trustworthy attribute measurement method based on fuzzy theory can model the uncertainty or inherent imprecision of experts' judgment. However, this method only gives the identification measurement of trustworthy attribute in the experts' mind and does not give the measurement model of trustworthy attribute.

Conclusions and Future Work
To begin with, a trustworthy attribute measurement method based on fuzzy theory is presented in this paper, which is composed of the mapping relationship between trustworthy attribute level and TFN and defuzzification technology. This method can more reasonably transform the fuzzy decision of trustworthy attribute into a certain real number. Moreover, a software trustworthiness evaluation strategy based on the relationships between criteria is given, including the quantitative relationships between criteria described by the cooperative degrees between criteria, the symmetric substitutivity between criteria approximated by the cooperative degrees between criteria, and a software trustworthiness measurement model via the relationships between criteria. Lastly, we verify the theoretical rationality of the software trustworthiness measurement model by showing that it satisfies the expected properties of software trustworthiness measure. Meanwhile, the case study shows the effectiveness and practicality of the model. This strategy can be used not only to rank candidate software about trustworthiness, but also for the trustworthiness measure of software.
In the future, we will further improve the trustworthy attribute measurement method based on fuzzy theory and establish the measurement model of trustworthy attribute. We will also study the cooperative degrees between criteria for software in different fields, then estimate the symmetric substitutivity related parameters in Definition 3, and construct software trustworthiness measurement models for different fields. Further optimization of grouping methods based on cooperative degrees is also important work for the future.