Security assurance cases—state of the art of an emerging approach

Mohamad, Mazen; Steghöfer, Jan-Philipp; Scandariato, Riccardo

doi:10.1007/s10664-021-09971-7

Cited by 13 publications

(4 citation statements)

References 64 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An assurance case approach is recommended, and constructing these assurance arguments is expected to help identify the requirements for the types of evidence needed to complete the assurance claims. However, recent surveys indicate that the practical implementation of cybersecurity cases remains relatively immature (Mohamad et al, 2021).…”

Section: Discussionmentioning

confidence: 99%

“…The draft standard (ISO/SAE, 2021) that is currently being developed to accompany Regulation 155 suggests the use of a cybersecurity case, which is analogous to the safety case approach already used to document automotive functional safety (MISRA, 2019), to provide assurance that the cybersecurity risks of using the vehicle are acceptable. Although the concept for a cybersecurity assurance case is not new (Armstrong et al, 2011), the results of a recent survey (Mohamad et al, 2021) over a wide range of application domains demonstrate that the practical implementation of cybersecurity cases remains relatively immature.…”

Section: Challenges For Cybersecurity and Safety Assurancementioning

confidence: 99%

See 1 more Smart Citation

Cybersecurity Assurance Challenges for Future Connected and Automated Vehicles

Cobos¹,

Ruddle²,

Sabaliauskaite³

2021

Proceedings of the 31st European Safety and Reliability Conference (ESREL 2021)

View full text Add to dashboard Cite

Increases in the connectivity of vehicles and automation of driving functions, with the goal of fully automated driving, are expected to bring many benefits to individuals and wider society. However, these technologies may also create new cybersecurity threats to vehicle user privacy, the finances of vehicle users and mobility service operators, and even the physical safety of vehicle occupants and other road users. Assuring the cybersecurity of future vehicles will therefore be key to achieving the acceptability of these new automotive technologies to society. However, traditional prescriptive assurance methods will not work for vehicle cybersecurity, due to the evolving threats, through-life software updates, and the deployment of artificial intelligence techniques. Cybersecurity regulations that are goal-oriented and risk-based, like those increasingly used in safety engineering for complex systems, are now mandated in recent vehicle type approval regulations. This results in many new assurance challenges, which will not be limited purely to cybersecurity. In particular, emerging standards have proposed that an assurance case approach should be adopted in relation to cybersecurity. This paper therefore proposes a novel cybersecurity case framework that adapts existing approaches from safety engineering, emphasizes the limitations of the analysis through eliminative argumentation, and merges in the attack-defence tree techniques used in cybersecurity engineering, with the aim of providing a better reflection of the some of the uncertainties in the cybersecurity risk analysis.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Challenges For Cybersecurity and Safety Assurancementioning

confidence: 99%

Cybersecurity Assurance Challenges for Future Connected and Automated Vehicles

Cobos¹,

Ruddle²,

Sabaliauskaite³

2021

Proceedings of the 31st European Safety and Reliability Conference (ESREL 2021)

View full text Add to dashboard Cite

show abstract

“…Early in the software development process, proper assurance measures with security assurance must be implemented to prevent future problems in critical systems domains (Kabir, 2021;Khan & Khan, 2018b;Mohamad et al, 2021). Research studies conducted on security assurance are (Marshall, et al, 2019;Mohamad et al, 2021;Maksimov et al, 2019;Jahan et al, 2020;Lin et al, 2020;Calinescu et al, 2017;Bloomfield et al, 2017). However, the benefit of adding the security assurance for security requirements will raise confidence and enhance the integrity of software.…”

Section: Table 1 Sre Approaches and Their Security Criteria With Requ...mentioning

confidence: 99%

“…(Jahan, Pasco, et al, 2019). The use of security requirement assurance is increasing in the development of secure critical systems, especially in industries such as transportation systems, medical devices, financial systems, military systems, healthcare, and automotive (Mohamad et al, 2021). Therefore, one of the primary reasons for the success of the threats and attacks is lack of attention to the elicitation and analysis of security requirements (Anderson, 2020), and cannot be neglected any longer (Rehman et al, 2018).…”

Section: Introductionmentioning

confidence: 99%

Securing Software Development: A Holistic Exploration of Security Awareness in Software Development Teams

Janisar,

Shafee,

Sarlan

et al. 2024

IJARBSS

View full text Add to dashboard Cite

Security awareness is crucial at every stage of the software development life cycle. Studies emphasize the importance of addressing security requirements (SR) early in the requirement engineering phase to effectively mitigate security issues. However, the software development team (SDT) currently lacks sufficient awareness regarding the security requirements assurance (SRA) for mitigating security issues in secure software development. The objective of this study is to assess the (SDT) security knowledge in early software development. A survey was distributed, questions were based on (SR) within the context of security requirement engineering (SRE). A total of 58 responded to the survey. The results indicate that the (SDT) demonstrates a satisfactory level of knowledge regarding security (KOS), security requirements elicitation and analysis (SREA), and approaches within the domain of SRE. However, the results pertaining to security requirement assurance (SRA) were found unsatisfactory. Descriptive statistics were employed to analyse the mean scores of KOS=3.79, SRE=3.61, SREA=3.67, and SRA=2.71. SRE presented the strong Pearson correlation with SREA=.596**. Also, regression coefficient produces positive outcome with (SRA) and (SREA). Though, software development teams need to collaborate with the researcher to enhance the awareness about security requirement assurance during the secure development process.

show abstract