Managing security evidence in safety-critical organizations

Mohamad, Mazen; Steghöfer, Jan-Philipp; Knauss, Eric; Scandariato, Riccardo

System disruptions

We are currently experiencing disruptions on the search portals due to high traffic. We are working to resolve the issue, you may temporarily encounter an error message.

Simple search

Advanced search

Statistics

English Svenska Norsk

Change search

Cite ExportLink to record

Permanent link

https://urn.kb.se/resolve?urn=urn:nbn:se:ri:diva-73307

Direct link

http://ri.diva-portal.org/smash/record.jsf?pid=diva2:1861524

Cite

Citation style

apa
ieee
modern-language-association-8th-edition
vancouver
Other style

More styles

Language

de-DE
en-GB
en-US
fi-FI
nn-NO
nn-NB
sv-SE
Other locale

More languages

Output format

html
text
asciidoc
rtf

Managing security evidence in safety-critical organizations

Mohamad, Mazen

RISE Research Institutes of Sweden, Safety and Transport, Electrification and Reliability. Chalmers University of Technology, Sweden.

Steghöfer, Jan-Philipp

XITASO GmbH IT & Software Solutions, Germany.

Knauss, Eric

Chalmers University of Technology, Sweden; University of Gothenburg, Sweden.

Scandariato, Riccardo

Hamburg University of Technology, Germany.

2024 (English)In: Journal of Systems and Software, ISSN 0164-1212, E-ISSN 1873-1228, Vol. 214, article id 112082Article in journal (Refereed) Published

Abstract [en]

With the increasing prevalence of open and connected products, cybersecurity has become a serious issue in safety-critical domains such as the automotive industry. As a result, regulatory bodies have become more stringent in their requirements for cybersecurity, necessitating security assurance for products developed in these domains. In response, companies have implemented new or modified processes to incorporate security into their product development lifecycle, resulting in a large amount of evidence being created to support claims about the achievement of a certain level of security. However, managing evidence is not a trivial task, particularly for complex products and systems. This paper presents a qualitative interview study conducted in six companies on the maturity of managing security evidence in safety-critical organizations. We find that the current maturity of managing security evidence is insufficient for the increasing requirements set by certification authorities and standardization bodies. Organizations currently fail to identify relevant artifacts as security evidence and manage this evidence on an organizational level. One part of the reason are educational gaps, the other a lack of processes. The impact of AI on the management of security evidence is still an open question.

Place, publisher, year, edition, pages

Elsevier Inc. , 2024. Vol. 214, article id 112082

Keywords [en]

Automotive industry; Cybersecurity; Life cycle; Assurance; Cyber security; Evidence; Large amounts; Regulatory bodies; Safety-critical; Safety-critical domain; Security; Security assurance; Stringents; Accident prevention

National Category

Electrical Engineering, Electronic Engineering, Information Engineering

Identifiers

URN: urn:nbn:se:ri:diva-73307DOI: 10.1016/j.jss.2024.112082Scopus ID: 2-s2.0-85191939777OAI: oai:DiVA.org:ri-73307DiVA, id: diva2:1861524

Note

This work is partially supported by the CASUS research project funded by VINNOVA, a Swedish funding agency.

Available from: 2024-05-28 Created: 2024-05-28 Last updated: 2024-05-28Bibliographically approved

Open Access in DiVA

fulltext(1029 kB)

83 downloads

File information

File name FULLTEXT01.pdfFile size 1029 kBChecksum SHA-512

2a1adf1a30610cf463bc2f281478b37499333aa0e859af95b4b6f91edf9b6fe51c40907ee6916930ec8ba720c1daf75fde001d884fc0c4d5fb3fc59883cb365c

Type fulltextMimetype application/pdf

Search outside of DiVA

Google Google Scholar

Total: 83 downloads

The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

doi

urn-nbn

Total: 152 hits