System Security Assurance: A Systematic Literature Review
Ankur Shukla, Basel Katt, Livinus Obiora Nweke, Prosper Kandabongee Yeng, Goitom Kahsay Weldehawaryat

TL;DR
This paper systematically reviews the current state, challenges, and future directions of system security assurance in ICT and cyber-physical systems, highlighting limitations of existing methods and proposing areas for improvement.
Contribution
It provides a comprehensive analysis of security assurance requirements, processes, and methods, identifying gaps and limitations in current approaches and suggesting future research directions.
Findings
Identified key challenges and gaps in current security assurance methods.
Highlighted limitations of traditional evaluation and certification tools.
Suggested future research directions for improving security assurance.
Abstract
System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account for new challenges due to poor requirement specifications, static nature, and poor development processes. The Common Criteria (CC), commonly used for the security evaluation and certification process, also come with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security…
Taxonomy
Topics: Information and Cyber Security · Advanced Malware Detection Techniques · Software Reliability and Analysis Research
