Each rule and recommendation in a secure coding standard has an assigned priority. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA). Three values are assigned for each rule on a scale of 1 - 3 for:

• criticality - how serious are the consequences of the rule being ignored;
  1 = low (denial-of-service attack, abnormal termination)
  2 = medium (data integrity, unintentional information disclosure)
  3 = high (run arbitrary code)

• likelihood - how likely is it that a flaw, introduced by ignoring the rule, could lead to an exploitable vulnerability;
  1 = unlikely
  2 = probable
  3 = likely

• remediation cost - how expensive is it to comply with the rule.
  1 = low (automatic detection and correction)
  2 = medium (automatic detection / manual correction)
  3 = high (manual detection and correction)

The three values are then multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. These products range from 1 to 27. Rules and recommendations with a priority in the range of 1-9 are in considered to be level 3 rules, 10-18 level 2, and 19-27 are level 1. As a result, it is possible to claim level 3, level 2, or complete compliance with a standard by implementing all rules in a level. Recommendations are not compulsory and are provided for information purposes only.