Abstract
Since the world is moving towards secure systems which makes security a primary concern and not an afterthought in software development. Secure software development involves security at each step of development lifecycle from requirements phase to testing. With surging focus on security requirements, we can see an increase in frameworks/methods/techniques proposed to deal with security requirements for variable applications. However, to summarise the literature findings till date and to propose further ways to handle security requirements a systematic and comprehensive review is needed. Our objective is to conduct a systematic mapping study for cyber-physical systems: (i) to explore and analyse security requirements engineering frameworks/methods/techniques proposed till date, (ii) to investigate on their strengths and weaknesses, and (iii) to determine the security threats and requirements reported in literature. We conducted a systematic mapping study for which we defined our goals and determined research questions, defined inclusion/exclusion criteria, and designed the map systematically based on the research questions. The search yielded 337 articles after deploying the query on multiple databases and refining the search iteratively through a multistep process. The mapping study identified and categorised the existing security requirements engineering frameworks/methods/techniques focused on their implementation and evaluation mechanisms. Second, we identified and categorised the proposed to deal with security requirements for multiple domains, determined their strengths/weaknesses, and also security requirements and threats reports in the selected studies. The study provides an overall view of the state-of-the-art frameworks/methods/techniques proposed till date to deal with security requirements. The results of this study provide insights to researchers to focus more on developing frameworks to deal with security requirements for particular kinds of systems like cyber-physical systems. Also, it motivates future work to devise methods to cater domain specific security risks and requirements.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Anderson, R.J.: Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, Hoboken (2010)
Mellado, D., Blanco, C., Sánchez, L.E., Fernández-Medina, E.: A systematic review of security requirements engineering. Comput. Stand. Interfaces 32(4), 153–165 (2010)
Muñante, D., Chiprianov, V., Gallon, L., Aniorté, P.: A review of security requirements engineering methods with respect to risk analysis and model-driven engineering. In: Teufel, S., Min, T.A., You, I., Weippl, E. (eds.) CD-ARES 2014. LNCS, vol. 8708, pp. 79–93. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10975-6_6
Yahya, S., Kamalrudin, M., Sidek, S.: A review on tool supports for security requirements engineering. In: IEEE Conference on Open Systems, ICOS 2013, pp. 190–194 (2013)
Yadav, S.A., Kumar, S.R., Sharma, S., Singh, A.: A review of possibilities and solutions of cyber attacks in smart grids. In: 1st International Conference on Innovation and Challenges in Cyber Security, ICICCS 2016, pp. 60–63 (2016)
Petersen, K., Feldt, R., Mujtaba, S., Mattsson, M.: Systematic mapping studies in software engineering. In: EASE, vol. 8, pp. 68–77 (2008)
Paja, E., Dalpiaz, F., Giorgini, P.: Managing security requirements conflicts in socio-technical systems. In: Ng, W., Storey, V.C., Trujillo, J.C. (eds.) ER 2013. LNCS, vol. 8217, pp. 270–283. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41924-9_23
Wimmel, G., Wisspeintner, A.: Extended description techniques for security engineering. In: Dupuy, M., Paradinas, P. (eds.) SEC 2001. IIFIP, vol. 65, pp. 469–485. Springer, Boston, MA (2002). https://doi.org/10.1007/0-306-46998-7_32
Vivas, J.L., Montenegro, J.A., López, J.: Towards a business process-driven framework for security engineering with the UML. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 381–395. Springer, Heidelberg (2003). https://doi.org/10.1007/10958513_29
Srivatanakul, T., Clark, J.A., Polack, F.: Effective security requirements analysis: HAZOP and use cases. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 416–427. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30144-8_35
Giorgini, P., Massacci, F., Zannone, N.: Security and trust requirements engineering. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) FOSAD 2004-2005. LNCS, vol. 3655, pp. 237–272. Springer, Heidelberg (2005). https://doi.org/10.1007/11554578_8
Mellado, D., Fernández-Medina, E., Piattini, M.: Applying a security requirements engineering process. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 192–206. Springer, Heidelberg (2006). https://doi.org/10.1007/11863908_13
Haley, C.B., Laney, R.C., Moffett, J.D., Nuseibeh, B.: Using trust assumptions with security requirements. Requir. Eng. 11(2), 138–151 (2006)
Bryl, V., Massacci, F., Mylopoulos, J., Zannone, N.: Designing security requirements models through planning. In: Dubois, E., Pohl, K. (eds.) CAiSE 2006. LNCS, vol. 4001, pp. 33–47. Springer, Heidelberg (2006). https://doi.org/10.1007/11767138_4
Herrmann, A., Paech, B.: MOQARE: misuse-oriented quality requirements engineering. Requir. Eng. 13(1), 73–86 (2008)
Moradian, E., Håkansson, A.: Controlling security of software development with multi-agent system. In: Setchi, R., Jordanov, I., Howlett, R.J., Jain, L.C. (eds.) KES 2010. LNCS (LNAI), vol. 6279, pp. 98–107. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15384-6_11
Rieke, R., Coppolino, L., Hutchison, A., Prieto, E., Gaber, C.: Security and reliability requirements for advanced security event management. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2012. LNCS, vol. 7531, pp. 171–180. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33704-8_15
Li, T., Horkoff, J.: Dealing with security requirements for socio-technical systems: a holistic approach. In: Jarke, M., et al. (eds.) CAiSE 2014. LNCS, vol. 8484, pp. 285–300. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07881-6_20
Souag, A., Salinesi, C., Mazo, R., Comyn-Wattiau, I.: A security ontology for security requirements elicitation. In: Piessens, F., Caballero, J., Bielova, N. (eds.) ESSoS 2015. LNCS, vol. 8978, pp. 157–177. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-15618-7_13
Neureiter, C., Eibl, G., Engel, D., Schlegel, S., Uslar, M.: A concept for engineering smart grid security requirements based on SGAM models. Comput. Sci.-Res. Dev. 31(1–2), 65–71 (2016)
Rosa, N.S., Justo, G.R.R., Cunha, P.R.F.: A framework for building non-functional software architectures. In: Proceedings of the 2001 ACM Symposium on Applied Computing, pp. 141–147 (2001)
Jürjens, J.: Using UMLsec and goal trees for secure systems development. In: Proceedings of the 2002 ACM Symposium on Applied Computing, pp. 1026–1030 (2002)
Basin, D., Doser, J., Lodderstedt, T.: Model driven security for process-oriented systems. In: Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies, pp. 100–109 (2003)
De Landtsheer, R., Van Lamsweerde, A.: Reasoning about confidentiality at requirements engineering time. In: Proceedings of the 10th European Software Engineering Conference Held Jointly with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 41–49 (2005)
Romero-Mariona, J.: Secure and usable requirements engineering. In: Proceedings of the 2009 IEEE/ACM International Conference on Automated Software Engineering, pp. 703–706 (2009)
Cui, J.-S., Zhang, D.: The research and application of security requirements analysis methodology of information systems. In: 2nd International Conference on Anti-counterfeiting, Security and Identification, ASID, pp. 30–36 (2008)
Howard, G., Butler, M., Colley, J., Sassone, V.: Formal analysis of safety and security requirements of critical systems supported by an extended STPA methodology. In: 2017 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 174–180 (2017)
Gao, Y., et al.: Analysis of security threats and vulnerability for cyber-physical systems. In: 2013 3rd International Conference on Computer Science and Network Technology (ICCSNT), pp. 50–55. IEEE (2013)
Repository link. http://sysmapsecre.azurewebsites.net
Rehman, S., Gruhn, V.: Security requirements engineering (SRE) framework for cyber-physical systems (CPS): SRE for CPS. In: Proceedings of the 16th International Conference on New Trends in Intelligent Software Methodologies, Tools and Techniques, SoMeT_17, vol. 297, p. 153 (2017)
Rehman, S., Gruhn, V.: An effective security requirements engineering framework for cyber-physical systems. Technologies 6(3), 65 (2018)
Acknowledgments
This work has been supported by the European Community through project CPS.HUB NRW, EFRE Nr. 0-4000-17.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Rehman, S., Gruhn, V., Shafiq, S., Inayat, I. (2018). A Systematic Mapping Study on Security Requirements Engineering Frameworks for Cyber-Physical Systems. In: Wang, G., Chen, J., Yang, L. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2018. Lecture Notes in Computer Science(), vol 11342. Springer, Cham. https://doi.org/10.1007/978-3-030-05345-1_37
Download citation
DOI: https://doi.org/10.1007/978-3-030-05345-1_37
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-05344-4
Online ISBN: 978-3-030-05345-1
eBook Packages: Computer ScienceComputer Science (R0)