TUHH Open Research

Managing security evidence in safety-critical organizations

Citation Link: https://doi.org/10.15480/882.9611
Publication Type
Journal Article
Date Issued
2024-08-01
Language
English
Author(s)
Mohamad, Mazen  
Steghöfer, Jan-Philipp  
Knauss, Eric
Scandariato, Riccardo  
Software Security E-22  
TORE-DOI
10.15480/882.9611
TORE-URI
https://hdl.handle.net/11420/47643
Journal
The journal of systems and software  
Volume
214
Article Number
112082
Citation
Journal of Systems and Software 214: 112082 (2024)
Publisher DOI
10.1016/j.jss.2024.112082
Scopus ID
2-s2.0-85191939777
Publisher
Elsevier
With the increasing prevalence of open and connected products, cybersecurity has become a serious issue in safety-critical domains such as the automotive industry. As a result, regulatory bodies have become more stringent in their requirements for cybersecurity, necessitating security assurance for products developed in these domains. In response, companies have implemented new or modified processes to incorporate security into their product development lifecycle, resulting in a large amount of evidence being created to support claims about the achievement of a certain level of security. However, managing evidence is not a trivial task, particularly for complex products and systems. This paper presents a qualitative interview study conducted in six companies on the maturity of managing security evidence in safety-critical organizations. We find that the current maturity of managing security evidence is insufficient for the increasing requirements set by certification authorities and standardization bodies. Organizations currently fail to identify relevant artifacts as security evidence and manage this evidence on an organizational level. One part of the reason is educational gaps; the other is a lack of processes. The impact of AI on the management of security evidence is still an open question.
Subjects
Assurance
Evidence
Safety-critical
Security
DDC Class
004: Computer Sciences
005: Computer Programming, Programs, Data and Security
620.1: Engineering Mechanics and Materials Science
Publication version
publishedVersion
License
https://creativecommons.org/licenses/by/4.0/
Name

1-s2.0-S0164121224001274-main.pdf

Size

1.01 MB

Format

Adobe PDF
