Managing security evidence in safety-critical organizations
RISE Research Institutes of Sweden, Säkerhet och transport, Elektrifiering och pålitlighet. Chalmers University of Technology, Sweden.
XITASO GmbH IT & Software Solutions, Germany.
Chalmers University of Technology, Sweden; University of Gothenburg, Sweden.
Hamburg University of Technology, Germany.
2024 (English). In: Journal of Systems and Software, ISSN 0164-1212, E-ISSN 1873-1228, Vol. 214, article id 112082. Article in journal (Refereed). Published
Abstract [en]

With the increasing prevalence of open and connected products, cybersecurity has become a serious issue in safety-critical domains such as the automotive industry. As a result, regulatory bodies have become more stringent in their requirements for cybersecurity, necessitating security assurance for products developed in these domains. In response, companies have implemented new or modified processes to incorporate security into their product development lifecycle, resulting in a large amount of evidence being created to support claims about the achievement of a certain level of security. However, managing evidence is not a trivial task, particularly for complex products and systems. This paper presents a qualitative interview study conducted in six companies on the maturity of managing security evidence in safety-critical organizations. We find that the current maturity of managing security evidence is insufficient for the increasing requirements set by certification authorities and standardization bodies. Organizations currently fail to identify relevant artifacts as security evidence and manage this evidence on an organizational level. One part of the reason is educational gaps; the other is a lack of processes. The impact of AI on the management of security evidence is still an open question.

Place, publisher, year, edition, pages
Elsevier Inc., 2024. Vol. 214, article id 112082
Keywords [en]
Automotive industry; Cybersecurity; Life cycle; Assurance; Cyber security; Evidence; Large amounts; Regulatory bodies; Safety-critical; Safety-critical domain; Security; Security assurance; Stringents; Accident prevention
National subject category
Electrical engineering and electronics
Identifiers
URN: urn:nbn:se:ri:diva-73307
DOI: 10.1016/j.jss.2024.112082
Scopus ID: 2-s2.0-85191939777
OAI: oai:DiVA.org:ri-73307
DiVA, id: diva2:1861524
Note

This work is partially supported by the CASUS research project funded by VINNOVA, a Swedish funding agency.

Available from: 2024-05-28. Created: 2024-05-28. Last updated: 2024-05-28. Bibliographically reviewed

Open Access in DiVA

fulltext (1029 kB), 90 downloads
File information
File name: FULLTEXT01.pdf
File size: 1029 kB
Checksum (SHA-512):
2a1adf1a30610cf463bc2f281478b37499333aa0e859af95b4b6f91edf9b6fe51c40907ee6916930ec8ba720c1daf75fde001d884fc0c4d5fb3fc59883cb365c
Type: fulltext
Mimetype: application/pdf
