Managing security evidence in safety-critical organizations
Journal article, 2024

With the increasing prevalence of open and connected products, cybersecurity has become a serious issue in safety-critical domains such as the automotive industry. As a result, regulatory bodies have become more stringent in their requirements for cybersecurity, necessitating security assurance for products developed in these domains. In response, companies have implemented new or modified processes to incorporate security into their product development lifecycle, resulting in a large amount of evidence being created to support claims about the achievement of a certain level of security. However, managing evidence is not a trivial task, particularly for complex products and systems. This paper presents a qualitative interview study conducted in six companies on the maturity of managing security evidence in safety-critical organizations. We find that the current maturity of managing security evidence is insufficient for the increasing requirements set by certification authorities and standardization bodies. Organizations currently fail to identify relevant artifacts as security evidence and manage this evidence on an organizational level. One part of the reason is educational gaps; the other is a lack of processes. The impact of AI on the management of security evidence is still an open question.

Safety-critical

Evidence

Assurance

Security

Author

Mazen Mohamad

RISE Research Institutes of Sweden

Software Engineering 2

Jan-Philipp Steghöfer

XITASO

Eric Knauss

Chalmers, Computer Science and Engineering (Chalmers), Interaction Design and Software Engineering

University of Gothenburg

Riccardo Scandariato

Software Engineering 2

Journal of Systems and Software

0164-1212 (ISSN)

Vol. 214 112082

Subject Categories

Software Engineering

Computer Systems

DOI

10.1016/j.jss.2024.112082

More information

Latest update

7/2/2024 5