Structured Reasoning for Socio-Technical Factors of Safety-Security Assurance

  • Nikita JohnsonEmail author
  • Tim Kelly
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11699)


Current research presents several approaches to safety-security technical risk analysis. Indeed, many safety standards now have the requirement that security must be considered. However, with greater knowledge of what makes assuring both attributes in an industrial context difficult, it becomes clear that it is not just the technical assurance that is challenging. It is the entirety of the socio-technical system that supports assurance. In this paper, the second part of the Safety-Security Assurance Framework - the Socio-Technical Model (SSAF STM) is presented as one way of reasoning about these wider issues that make co-assurance difficult.


Safety Security Assurance Socio-technical factors 



Research and development of SSAF supported by the University of York, the Assuring Autonomy International Programme (AAIP), BAE Systems, and the UK EPSRC (Award Ref: iCASE 1515047).


  1. 1.
    Association for the Advancement of Medical Instrumentation: AAMI TIR57:2016 Principles for medical device security - Risk management. Technical report, June 2016Google Scholar
  2. 2.
    Howard, M., Pincus, J., Wing, J.M.: Measuring relative attack surfaces. In: Lee, D.T., Shieh, S.P., Tygar, J.D. (eds.) Computer Security in the 21st Century, pp. 109–137. Springer, Boston (2005). Scholar
  3. 3.
    ISO 14971:2007 Medical devices - Application of risk management to medical devices. Standard, International Organization for Standardization, Geneva, CH, September 2007Google Scholar
  4. 4.
    Johnson, N., Kelly, T.: Safety-security assurance framework (SSAF) in practice. In: 37th International Conference on Computer Safety, Reliability, & Security SAFECOMP2018 (Abstract Paper) (2018)Google Scholar
  5. 5.
    Johnson, N., Kelly, T.: An assurance framework for independent co-assurance of safety and security. In: Muniak, C. (ed.) International System Safety Society (January 2019), Presented at: the 36th International System Safety Conference (ISSC), Arizona, USA, August 2018. J. Syst. SafGoogle Scholar
  6. 6.
    Johnson, N., Kelly, T.: Devil’s in the detail: through-life safety and security co-assurance using SSAF. In: International Conference on Computer Safety, Reliability, and Security. Springer (2019)Google Scholar
  7. 7.
    Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9(3), 49–51 (2011)CrossRefGoogle Scholar
  8. 8.
    Macher, G., Sporer, H., Berlach, R., Armengaud, E., Kreiner, C.: SAHARA: a security-aware hazard and risk analysis method. In: Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, pp. 621–624. EDA Consortium (2015)Google Scholar
  9. 9.
    Safety Assessment Principles for Nuclear Facilities. Standard, Office for Nuclear Regulation, Merseyside, UK, November 2014Google Scholar
  10. 10.
    Security Assessment Principles for the Civil Nuclear Industry. Standard, Office for Nuclear Regulation, Merseyside, UK, March 2017Google Scholar
  11. 11.
    Reason, J.: Managing the Risks of Organizational Accidents. Ashgate, Farnham (1997)Google Scholar
  12. 12.
    RTCA: RTCA DO-326: Revision A Airworthiness Security Process Specification. Technical report, Washington, DC, USA, August 2014Google Scholar
  13. 13.
    SAE International: SAE ARP4754: Rev A Guidelines for Development of Civil Aircraft and Systems. Technical report, December 2010Google Scholar
  14. 14.
    U.S. Cybersecurity and Infrastructure Security Agency (CISA): Alert (IR-ALERT-H-16-056-01): Cyber-attack against Ukrainian critical infrastructure. Technical report, National Cybersecurity and Communications Integration Center (NCCIC) Industrial Control Systems, February 2016.
  15. 15.
    Young, W., Leveson, N.G.: An integrated approach to safety and security based on systems theory. Commun. ACM 57(2), 31–35 (2014)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of YorkYorkUK

Personalised recommendations